Each Blox Tales blog* will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on an example of credential phishing that takes advantage of the uncertainty surrounding the coronavirus (COVID-19) pandemic.
*Try saying ‘Blox Tales blog’ out loud a couple of times if you’d like to give your tongue some cardio.
A few weeks ago, we saw a credential phishing email land in a customer inbox. This email claimed to contain important COVID-19 updates and included a ‘link’ where the recipient could learn more information. An anonymized transcript of the email is presented below.
Why The Attack Got Through
This email got past existing Office 365 security controls because it didn’t follow the tenets of more traditional phishing attacks.
- Not a mass email: Although the email title says ‘all’ (perhaps out of attacker laziness), this was not a bulk email and only one person in the target organization received it. This ensured that the email wasn’t caught in the bulk email filters of Exchange Online Protection (EOP).
- Socially engineered: The email was expressly crafted to trigger our baser instincts. During times of uncertainty, two traits everyone responds to are authority and urgency. The email title has two mentions of the word ‘Important’. The first word of the email is also ‘Important’, and it ends with ‘It is important you read the procedures’ for good measure. The matter-of-fact and, well, important nature of the email is more likely to induce the desired action from victims.
- There was no link: Although the email says there’s a link to learn more information, it didn’t actually link to anything in this case. This may have been due to a haphazardly constructed attack email, but it resulted in the email getting past O365’s malware and URL checking mechanisms.
You might be thinking: so if there was no link in the email, it couldn’t have caused much damage, right? Well, yes and no. The victim might have thought it was a legitimate email and replied to it, starting a mail thread based on trust with another potential credential phish down the line. And if the victim replied to the email with their signature enabled, the attacker would immediately come to know the victim’s name, phone number, and any other details included in the signature. This pattern of extracting personal information from email signatures has reared its head many times in Armorblox research and attack detections.
How Armorblox Detected The Attack
Here’s a transcript of the email with some attack signals highlighted:
Armorblox was able to detect the email based on the following insights:
- Language, intent, and tone: Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks).
- Low communication history: Armorblox detected that the sender email in question (firstname.lastname@example.org) had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
- Low domain frequency: Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model detected that the attacker’s domain had not communicated with the target company as a whole.
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a BEC threat. The email was automatically quarantined based on predetermined remediation actions for the BEC detection category.
Stay tuned for more Blox Tales! If you’re interested to learn about Armorblox, you can schedule a demo with one of our email security experts.