
Threat Research

Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration


Lauryn Cash


As tax season approaches, cybercriminals are getting more creative in their attempts to steal sensitive information. Recently, a new vishing email attack was detected that is particularly concerning because it impersonates one of the most trusted government entities in the US, the Social Security Administration, and preys on the trust and uncertainty that many end users experience during tax season.

In today’s Blox Tale, we will shine a light on this latest attack that targeted a national educational institution. This email attack bypassed native email security and had the potential of compromising over 160,000 end users if not for Armorblox successfully stopping this socially engineered attack.


Mailboxes: More than 160,000 mailboxes

Target: A large, national educational institution

Email security bypassed: Native Microsoft 365 Email Security

Techniques used: Social engineering, brand impersonation, trusted attachment file extension

The Email

The subject line, “Due to erroneous and suspicious activities”, creates a sense of urgency: the recipient feels compelled to open the email immediately to learn what suspicious activity requires their attention. The subject also included the recipient’s email address, signalling that the message was meant specifically for them and increasing the likelihood that it would be opened.

Additionally, the bad actor set the sender display name to Social Security Administration-2521 to impersonate the recognizable Social Security Administration. This was deliberate: genuine SSA correspondence usually requires prompt attention and response, and sits at the serious end of the spectrum of email communication. An email that appears to come from the SSA puts recipients on alert, and even when unexpected it is likely to be read carefully.

Fig 1: Snapshot of email attack impersonating Social Security Administration

The body of the email addressed the recipient by email address rather than by name. End users who recall security awareness training that teaches a lack of personalization as a sure-fire sign of an attack may notice this. That small detail could be the difference between an end user recognizing this email as malicious and acting on it.

The body of the email informed recipients that, due to suspicious activity, their SSN had been suspended. The short email included language suggestive of a request (recognized by Armorblox, as seen in the above screenshot), insinuating that recipients must open the attached .PDF to view the official notice of suspension.

The Vishy Attachment

Recipients who opened the attachment were met with a blunt letter that appears to be on SSA letterhead. With a Social Security Administration logo in the upper-left corner and repeated as a watermark, the letter of suspension offers little to no explanation of the decision to terminate the recipient’s SSN. The bluntness was capped with a ‘wish you the best in your future endeavors’ sign-off, and the letter included a telephone number for any questions recipients wished to raise.

Fig 2: Snapshot of attachment included within email attack

Although the attachment lacked the personalized salutation seen within the email, it included other details intended to establish authenticity: a case number, the signature of the acting commissioner, an email reference ID, a customer service contact number, and the physical address of the SSA, all reasonable inclusions that one may find in legitimate SSA communications. The bad actor’s main objective was to get recipients to call the customer service number, which appeared twice for good measure, moving the attack from email to the phone: a true vishing attack.

The Attack Flow

This email attack impersonated a government agency with the intention of creating a sense of urgency in the victim. The attackers included a legitimate logo and watermark within the attachment, and the email’s wording pressed for a timely review. The end goal of this targeted email attack was to get unsuspecting victims to open the attachment and call the customer support number it contained.

Fig 3: SSA Targeted Vishing email attack flow

The Power of Armorblox

The email attack used language as the main attack vector, which let it slip past legacy security layers without raising flags. The bad actor sent it from a genuine Gmail account, so the message passed all email authentication checks (SPF, DKIM and DMARC) for gmail.com. Those checks confirm only that the mail came from the domain it claims to come from; they say nothing about the display name, so “Social Security Administration-2521” sitting in front of a gmail.com address is fully authenticated and still fraudulent.

With no malicious URLs and a trusted attachment file extension (.PDF), the targeted attack gave native security tools that rely on those indicators nothing to act on, and it passed Microsoft’s built-in controls with a Spam Confidence Level (SCL) of 1, a score that Microsoft 365 treats as not spam.
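To make the bypass concrete, here is a small header and body triage script. It is an added example written for this page, not Armorblox’s detection logic, and the message it parses is constructed to match the description above (a genuine gmail.com sender with an SSA display name, a PDF attachment, a phone number and no links). The header names are real (Authentication-Results per RFC 8601, Microsoft’s X-MS-Exchange-Organization-SCL); the brand-to-domain mapping, the urgency phrase list and the sample addresses are assumptions chosen for the example.

```python
"""Header and body triage for a display-name impersonation / callback lure.

Added example, not Armorblox's detection logic. SAMPLE_RAW is a constructed
message shaped like the one described in the post: a genuine gmail.com
sender, an SSA display name, no URLs, a PDF attachment and a phone number.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample. Authentication-Results (RFC 8601) passes for gmail.com
# because the mail really did come from Gmail; the SCL header carries the
# value the post reports for the native filter.
SAMPLE_RAW = """\
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
X-MS-Exchange-Organization-SCL: 1
From: Social Security Administration-2521 <someone.random@gmail.com>
To: user@example.edu
Subject: Due to erroneous and suspicious activities - user@example.edu
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear user@example.edu,
Due to suspicious activity your SSN has been suspended. Review the attached
notice and call 1-800-555-0100 with any questions.
--b1
Content-Type: application/pdf; name="notice.pdf"
Content-Disposition: attachment; filename="notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Brands worth protecting and the domain their mail legitimately comes from.
# ssa.gov is the real SSA domain; the mapping itself is an assumption.
PROTECTED_BRANDS = {
    re.compile(r"\b(?:social security administration|ssa)\b", re.I): "ssa.gov",
}
URGENCY_TERMS = ("suspicious", "suspended", "erroneous", "terminat", "immediately")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URL_RE = re.compile(r"https?://|\bwww\.", re.I)


def parse_auth_results(value):
    """Extract spf/dkim/dmarc method=result pairs from Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I)}


def display_name_impersonation(from_header):
    """Return (brand_text, sending_domain) when the display name claims a
    protected brand but the address is not under that brand's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand_re, legit in PROTECTED_BRANDS.items():
        m = brand_re.search(name)
        if m and domain != legit and not domain.endswith("." + legit):
            return m.group(0).lower(), domain
    return None


def triage(raw):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    auth = parse_auth_results(msg.get("Authentication-Results"))
    imp = display_name_impersonation(str(msg.get("From", "")))
    if imp:
        brand, domain = imp
        findings.append(f"display name claims '{brand}' but From domain is {domain}")
        if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
            # Authentication binds the mail to the sending domain, not to the
            # brand in the display name, so a pass is not evidence of legitimacy.
            findings.append(f"spf/dkim/dmarc pass only vouch for {domain}, not for '{brand}'")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    phones = PHONE_RE.findall(body)
    urgency = [t for t in URGENCY_TERMS if t in text]
    has_url = bool(URL_RE.search(body))
    if phones and urgency and not has_url:
        # Nothing to sandbox or reputation-check: the payload is a phone call.
        findings.append(f"callback lure: phone {phones}, urgency terms {urgency}, no URLs")

    pdfs = [p.get_filename() for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"]
    if pdfs and not has_url:
        findings.append(f"PDF attachment {pdfs} carries the lure instead of a link")

    scl = (msg.get("X-MS-Exchange-Organization-SCL") or "").strip()
    if findings and scl.isdigit() and int(scl) <= 1:
        findings.append(f"native filter scored SCL={scl} (not spam) despite the above")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("-", finding)
```

The point the script makes is the one in the paragraphs above: an authentication pass tells you only that the mail came from gmail.com, which is exactly what the attacker wanted, so detection has to look at the display name, the absence of links and the callback number rather than at the SPF, DKIM and DMARC results.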

This email attack would have been delivered to 160,000 end users’ inboxes if the targeted organization had relied only on native email security for protection against targeted attacks. Fortunately, these end users are protected by Armorblox, which accurately detected this malicious email.

This email attack can be classified as a fake SSN termination email, a campaign timed to the current tax season and a subset of social engineering attacks built around fake subscription and termination alerts. These emails mimic the information and content of legitimate notices about the termination of a service and the recovery steps a user must follow. Unlike link-based phishing, where the victim clicks a link and enters sensitive information on a web page, this variant moves the interaction to a phone call, where the victim is pressured into handing sensitive information to the attacker directly.

Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to protect organizations from socially engineered email attacks that use language as the main attack vector - such as this socially engineered vishing attack. Armorblox analysis of this email identified low communication history between the sender and recipient, and a fraud risk based on the content and context of the email. This threat was also matched to other socially engineered email attacks seen across Armorblox Global Model - meaning similar and matching email threats detected and remediated for one customer get automatically remediated across other customers. This is just one of the many lengths Armorblox email security goes to make sure that all customers and end users have the sophisticated protection needed against today’s targeted, socially engineered email attacks.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email subject, design, and language used aimed to induce a sense of trust and urgency in the victims. Trust was induced by manipulating the sender display name, the first thing end users see as the email arrives. A sense of urgency was created through the content of both the email and the attachment, taking advantage of the victim’s curiosity and desire to know more.

Brand impersonation: The email included language and information similar to what could be in legitimate Social Security Administration communications. The fake attachment included legitimate logos and a watermark of SSA. When coupled with the language used within the email body, this fake attachment could easily fool the eyes of unsuspecting victims.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog bypassed native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, credential phishing, or vishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2022, and Armorblox highlights them in the 2022 Email Security Threat Report; both should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, the sender email address (a government agency will not write to you from a free webmail domain), the language within the email, and any logical inconsistencies. For a notice like this one, look up the agency’s phone number independently rather than calling the number printed in the email or its attachment.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact if credentials are compromised:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software like 1Password to store your account passwords.
