This blog post examines a credential phishing attack that impersonated the brand Apple. The email attack spoofed a legitimate email communication from Apple and bypassed Microsoft Office 365 email security.
With Apple announcing gift cards of up to $250 with select product purchases, and many retailers claiming they have the best deals and discounts on all the latest tech trends, it’s no surprise that Apple products were among the most purchased electronics for Black Friday and Cyber Monday shoppers. In today’s Blox Tale, we will dive into the details of a credential phishing attack that spoofed a consumer favorite among cyber deals, Apple.
The email attack carried a socially engineered payload, targeting end users at a large institution in an attempt to steal victims’ user credentials. This targeted attack bypassed Microsoft Office 365 email security and had the potential to compromise more than 10,000 users, had Armorblox not identified and stopped this malicious brand impersonation email attack.
Mailboxes: More than 10,000 mailboxes
Target: A large, private institution within the Education Industry
Email security bypassed: Microsoft Office 365 Email Security
Techniques used: Social engineering, brand impersonation, malicious URL
Attackers crafted the targeted email to convince recipients that they were receiving a legitimate email communication from the brand Apple, Inc. The subject line, “We’ve suspended your access to apple services”, makes the attacker’s intention clear: establish a sense of urgency so that the email gets opened. Once opened, unsuspecting victims were met with a minimalist email (black background with white text) informing them that the card associated with their Apple account had failed validation. The consequence was clear: access to services that use the account would be lost.
The goal of this email was to instill a sense of urgency in the victim, making it seem that action was necessary to prevent future harm. At first glance, the email seems to be a legitimate email notification from Apple, Inc., with the sender name, A P P L E, clearly legible. We can see that the attacker sent this email from a legitimate domain associated with the brand, icloud.com. The email body states that a brief validation process is needed, reassuring the unsuspecting victim that it would not take long to right the wrong that A P P L E has kindly brought to this customer’s attention. Towards the bottom of the email, the attacker added a malicious link, hidden behind what looks like a link to an Apple login page.
The Phishing Page
The goal of the targeted email was to get victims to visit a fake landing page created to exfiltrate sensitive user credentials. The information included and the language used within the email aim to lead victims to click the main call-to-action (login now) located at the bottom of the email. Once clicked, victims were directed to a fake landing page crafted to mimic a legitimate CAPTCHA security check page.
This fake landing page includes language explaining why the unsuspecting victim was sent to this page: an automatic process to validate that the visitor is human. Because CAPTCHA tests are commonly used to tell humans and computers apart, an unsuspecting victim who had navigated to this page would have seen it as just another layer of security that he or she believed Apple, Inc. had put in place. Unfortunately, victims who entered the simple 4-digit code were then sent to a login page whose goal was to exfiltrate sensitive user credentials.
This email attack impersonated a well-known brand with the intention of creating a sense of trust in the victim. Attackers spoofed the brand throughout the malicious email, in the sender name, the domain, and the on-brand language within the email body, in order to exfiltrate the victims’ sensitive user credentials.
The Power of Armorblox
The email attack used language as the main attack vector and included a bad URL that bypassed native Microsoft email security controls.
Attackers used a valid, trusted domain to send this malicious email, and it passed DKIM, DMARC, and SPF email authentication checks. Upon further analysis by the Armorblox Research Team, the attacker hosted the fake landing page on a domain with a moderate-risk reputation score and no recorded infections in the domain’s 9 months of existence. Microsoft marked this email as safe (assigning it a Spam Confidence Level, or SCL, of -1), which would have delivered it to more than 10,000 users’ inboxes if it weren’t for Armorblox stopping this attack. Fortunately these end users are protected by Armorblox, which accurately detected this email attack containing a bad URL. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications, giving organizations and end users better protection from these types of targeted, socially engineered email attacks.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (Apple, Inc.) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
Brand impersonation: The email and fake landing pages included branding similar to legitimate Apple communications. The information included within the body of the email attack is similar to legitimate notification email communications, in order to try and trick the victim and instill trust.
Valid domain names: The email was sent from a valid domain. Traditional security training advises looking at the email domain for any clear signs of fraud before responding. However, in this case a quick scan of the domain address would not have alerted the end user to fraudulent activity, because the domain was valid.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and Armorblox highlights them as well in the 2022 Email Security Threat Report; both should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, the sender email address, the language within the email, and any logical inconsistencies within it.
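The eye test in this step and the techniques recapped above (letter-spaced “A P P L E” sender name, a real icloud.com sending domain that passes SPF/DKIM/DMARC, an SCL of -1, urgency wording) can also be run as a mechanical check. The Python script below is an added illustration for this post, not Armorblox’s or Microsoft’s code; the sample message, the addresses and URL, and the list of domains the brand is assumed to send notifications from are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the real message: it mirrors the indicators the post describes
# (letter-spaced "A P P L E" display name, a real icloud.com sender that passes
# SPF/DKIM/DMARC, Microsoft SCL -1, and urgency wording in subject and body).
SAMPLE_EMAIL = """\
From: A P P L E <sender-placeholder@icloud.com>
To: user@victim-institution.example
Subject: We've suspended your access to apple services
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
X-MS-Exchange-Organization-SCL: -1

Validation of the card associated with your account failed.
Login now: https://landing-page-placeholder.example/verify
"""

# Assumed, illustrative list of domains the brand really sends notifications from.
BRAND_SENDING_DOMAINS = {"apple": {"apple.com", "email.apple.com"}}
URGENCY_TERMS = ("suspended", "failed", "validation", "login now")

def normalize_display_name(name):
    """Collapse spacing and punctuation so 'A P P L E' compares equal to 'apple'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def analyze(raw):
    """Return the findings a header-and-language check raises for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    brand = normalize_display_name(display)
    findings = []
    if brand in BRAND_SENDING_DOMAINS and domain not in BRAND_SENDING_DOMAINS[brand]:
        findings.append(f"display name claims {brand} but sender domain is {domain}")
    if re.fullmatch(r"(?:\w )+\w", display.strip()):
        findings.append("letter-spaced display name (dodges naive brand keyword matching)")
    auth = msg.get("Authentication-Results", "").lower()
    if findings and all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        # A pass only proves the mail came from the real sender domain, not from the brand
        findings.append("SPF/DKIM/DMARC pass vouches for the sender domain, not the claimed brand")
    if msg.get("X-MS-Exchange-Organization-SCL", "").strip() == "-1":
        findings.append("SCL -1: Exchange Online skipped spam filtering for this message")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    verdict = "suspicious" if any("claims" in f for f in findings) else "clean"
    return {"verdict": verdict, "findings": findings}
```

The verdict hinges on the display name / sending domain mismatch; a passing authentication result is reported as context rather than as evidence of legitimacy, which is exactly the gap this attack exploited.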
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like LastPass or 1Password to store your account passwords.