This blog examines an executive impersonation attack that impersonated two different employees across one organization. The email attack bypassed Microsoft Office 365 Email Security and had the potential to land in the inboxes of over 100,000 end users.
In the rise of remote work, face-to-face encounters are minimal and emails, slacks, and texts are the new communication normal. Receiving an email from an employee asking for a favor is common, so what happens when you receive an email from an authoritative figure within your organization asking for a favor, and it’s urgent? It is likely you want to oblige as soon as possible. Attackers lean into this when executing targeted email attack campaigns, looking to elicit a response from one or many unsuspecting victims who are just aiming to please. In today’s Blox Tale, we will dive into the details of a targeted impersonation email attack campaign that included two similar, but different, emails sent to employees across the organization.
If not for Armorblox, this email attack could have landed in the inboxes of more than 100,000 employees. Attackers targeted end users across an organization with an email attack campaign that included two emails that impersonated employees that held Director titles. The email attack had a socially engineered payload, using language as the main attack vector to bypass Microsoft Office 365 email security.
Summary
Mailboxes: More than 100,000 mailboxes
Target: A large, national institution within the Education Industry
Email security bypassed: Microsoft Office 365 Email Security
Techniques used: Social engineering, VIP impersonation, sense of urgency and tone used within email body
The Email
The subject of this email aimed to instill a level of urgency within the recipient, in order to garner victims to open and respond, reading: “Urgent request”. The tone used within the body of the email followed suit, claiming that a confidential task needed to be completed and a response warranted by the recipient in order to get more details.
Above we see the email attack, which included a simple, text only email body portraying to be coming from an employee within the organization. The attacker impersonated the employee by including the individual's name as the sender, spoofing the employee’s email address, and including a signature that included the individual's full name, credentials, and title at the organization.
Please note that sensitive information has been obscured from the above screenshot for privacy reasons.
The Attack Campaign
The attacker launched this campaign using language as the main attack vector. Not containing any links or attachments, this threat bypassed native email security solutions that are not able to understand the content or context of email communications.
The attacker launched an email attack campaign, spoofing two different employees at the organization. Both of these email attacks contained the same language within the email subject and body (as shown in Fig 1), with changes to the sender name, address, and email signature. The emails included within this campaign spoofed two separate, but equally trusted employees within the organization (both being Director level individuals within two different departments), and targeted different individuals across the organization depending on the relationship to each employee being impersonated.
The Power of Armorblox
The email attack used language as the main attack vector and bypassed native Microsoft email security controls. Passing all email authentication checks, Microsoft assigned an SCL score of 1 which means it would have been delivered to every victim’s inbox folder. The attacker utilized a trusted email domain (internet.ru) in order to execute this email attack campaign, only changing the sender name and email signature to align with the employee being impersonated.
Microsoft marked this email as safe (SCL score of 1) which would have delivered it to more than 100,000 user inboxes. Fortunately, these end users are protected by Armorblox, who accurately detected an unusual request and low communication history to successfully identify and prevent the delivery of this impersonation attack to end users. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks.
Armorblox automatically detected and identified this targeted email attack campaign as a VIP impersonation, which is outside the breadth of security layers Microsoft native email security provides. Armorblox is able to identify these targeted attacks that use language as the main attack vector due to custom machine learning models that contextualize information, and analyze language and behavior signals across every email.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email subject and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating trusted employees at the organization and a sense of urgency through the language used within the subject and body of the email. This email attack also leverages our Authority Bias; our willingness to abide by the opinions or requests of an individual due to his or her authority.
VIP or Employee Impersonation: When employees receive a request or question from an individual of authoritative status, the likelihood to want to oblique as soon as possible to the ask is common. Attackers lean into this when executing targeted email attack campaigns, looking to elicit a response from one or many unsuspecting victims who are just aiming to please. After successfully gaining the victims’ trust, bad actors try to elicit a response in order to gain access to sensitive information; including confidential business data, user login credentials, requesting gift card purchases, bank accounts and routing numbers, of which they can leverage to craft targeted and financially damaging attacks.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or impersonation attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like LastPass or 1password to store your account passwords.
