Each Blox Tales blog* will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credit card phishing attempt that impersonates a popular streaming service with an email that claims to have put user accounts on hold.
*Try saying ‘Blox Tales blog’ out loud a couple of times if you’d like to give your tongue some cardio.
A few weeks ago, we saw a credit card phishing email land in a customer inbox. This email claimed to come from Netflix with a warning that the user’s streaming service account had been put on hold. A request to re-enter credit card details led users to a page built to harvest their payment card information. An anonymized transcript of the email is presented below.
Why The Attack Got Through
This email got past existing Office 365 security controls because it didn’t follow the patterns that more traditional phishing attacks, and the filters built for them, rely on.
Not a mass email
This was not a bulk email: only a few people in the target organization received it, so it stayed below the volume thresholds that the bulk email filters of Exchange Online Protection (EOP) key on.
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The sender name was ‘netflix’, the subject line claimed they were unable to renew the user’s membership, and the first line of the email declared that the user account had been put on hold. These techniques, combined with the fact that the email was sent at 8AM, are all designed to convey a sense of urgency. Users are busy sifting through their inbox in the morning, spot this email with some worrying news, and quickly resubmit their credit card details before moving on to other work matters.
Zero-day link and lookalike domain
The attacker registered a new domain for this email attack, so it got past any EOP filters that were created to block known bad domains. This domain (email@example.com) is not one Netflix would use, but it has enough relevant keywords to pass an eye test during busy mornings. The link in the email for users to input credit card details was also a zero-day link, meaning a URL that had not yet appeared in any threat intelligence feed or blocklist (not an exploit of a software vulnerability), so it got past any filters that blocked known malicious links.
Legitimate details in the footer
Another interesting technique this email used was including enough legitimate elements in the email body. If you look at the footer signature, the customer service number and the help center link (help.netflix.com) are genuine. These offer important (although maybe subconscious) validation that the email we’re looking at is a real email from Netflix.
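The three evasion techniques above (a brand name in the sender field, a brand keyword in a domain the brand does not own, and genuine brand links mixed in with the credential-harvesting link) can each be turned into a reputation-independent check. The following is an added example written for this post, not Armorblox code; it assumes that netflix.com and its subdomains are the brand’s only legitimate sending and linking domains, and the two sample messages (including the attacker domain netflix-account-verify.example) are constructed for illustration.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the brand's legitimate domains. A real deployment would build
# this from the brand's published sending domains, not a hand-written set.
BRAND_KEYWORDS = {"netflix"}
BRAND_DOMAINS = {"netflix.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_brand_host(host):
    """True if host is a brand domain or a subdomain of one (help.netflix.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def brand_signals(raw_message):
    """Extract brand-impersonation signals from a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: out of scope for this example
        body = ""

    name_mentions_brand = any(k in display_name.lower() for k in BRAND_KEYWORDS)
    domain_mentions_brand = any(k in sender_domain for k in BRAND_KEYWORDS)
    sender_is_brand = is_brand_host(sender_domain)

    link_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    return {
        # Display name says "netflix" but the address is not a Netflix domain.
        "display_name_mismatch": name_mentions_brand and not sender_is_brand,
        # Brand keyword inside a domain the brand does not own (lookalike).
        "lookalike_sender_domain": domain_mentions_brand and not sender_is_brand,
        # Links pointing anywhere other than the brand's domains.
        "suspicious_link_hosts": sorted({h for h in link_hosts if h and not is_brand_host(h)}),
        # Genuine brand links: present for credibility, but they do not clear the message.
        "legitimate_link_hosts": sorted({h for h in link_hosts if h and is_brand_host(h)}),
    }


def is_suspicious(signals):
    return (signals["display_name_mismatch"]
            or signals["lookalike_sender_domain"]
            or bool(signals["suspicious_link_hosts"]))


# Constructed sample modelled on the attack described above (not the real email).
SAMPLE_PHISH = textwrap.dedent("""\
    From: netflix <billing@netflix-account-verify.example>
    To: bob@victim.example
    Subject: We were unable to renew your membership

    Your account has been put on hold.
    Please update your payment details here: https://netflix-account-verify.example/renew

    Questions? Call 1-800-000-0000 (placeholder number) or visit https://help.netflix.com
    """)

# Constructed legitimate message for comparison.
SAMPLE_LEGIT = textwrap.dedent("""\
    From: Netflix <info@account.netflix.com>
    To: bob@victim.example
    Subject: Your monthly statement

    View your statement at https://www.netflix.com/YourAccount
    """)

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        s = brand_signals(sample)
        print(name, "suspicious" if is_suspicious(s) else "clean", s)
```

Note that the genuine help.netflix.com link lands in `legitimate_link_hosts` and is deliberately ignored by `is_suspicious`: legitimate footer content is a credibility trick, not evidence of legitimacy, so it must never offset a bad call-to-action link.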
How Armorblox Detected The Attack
Here’s a transcript of the email with some attack signals highlighted:
Armorblox was able to detect the email based on the following insights:
Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks).
Low communication history
Armorblox detected that the sender email in question (firstname.lastname@example.org) had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model detected that the attacker’s domain had not communicated with the target company as a whole.
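The two history signals above (low communication history at the mailbox level, and a sender domain the organization as a whole has never seen) reduce to counting prior messages at three scopes over a mail log. The following is an added illustration of that idea, not Armorblox’s models or code: the mail log is constructed, the “unusual request” input stands in for the language-model signal the post describes, and the quarantine rule is a simplified stand-in for the combination of signals the product actually uses.

```python
def domain_of(address):
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def communication_history(log, sender, recipient):
    """Count prior messages at three scopes: this sender to this mailbox,
    the sender's domain to the recipient's organization, and the sender's
    domain across the whole log (the 'global' tier)."""
    sender_domain = domain_of(sender)
    org = domain_of(recipient)
    mailbox = sum(1 for m in log
                  if m["from"].lower() == sender.lower()
                  and m["to"].lower() == recipient.lower())
    organization = sum(1 for m in log
                       if domain_of(m["from"]) == sender_domain
                       and domain_of(m["to"]) == org)
    global_count = sum(1 for m in log if domain_of(m["from"]) == sender_domain)
    return {"mailbox": mailbox, "organization": organization, "global": global_count}


def assess(history, unusual_request):
    """Combine history with a content signal. Low history alone is not a
    violation; it becomes decisive only next to an unusual request."""
    reasons = []
    if history["mailbox"] == 0:
        reasons.append("low communication history with recipient")
    if history["organization"] == 0:
        reasons.append("sender domain never seen by the organization")
    if history["global"] == 0:
        reasons.append("sender domain never seen globally")
    if unusual_request:
        reasons.append("unusual request in message body")

    if unusual_request and history["organization"] == 0:
        verdict = "quarantine"   # stand-in for the BEC remediation action
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed mail log: prior messages seen by the tenant(s). Not real data.
MAIL_LOG = [
    {"from": "alice@vendor.example", "to": "bob@victim.example"},
    {"from": "alice@vendor.example", "to": "bob@victim.example"},
    {"from": "alice@vendor.example", "to": "carol@victim.example"},
    {"from": "info@account.netflix.com", "to": "bob@victim.example"},
    {"from": "news@vendor.example", "to": "dave@othercorp.example"},
]

if __name__ == "__main__":
    cases = [
        # The attack: brand-new domain, nobody at the org has seen it, urgent ask.
        ("billing@netflix-account-verify.example", "bob@victim.example", True),
        # A new sender at a vendor domain the org already talks to, routine mail.
        ("news@vendor.example", "bob@victim.example", False),
        # An established correspondent.
        ("alice@vendor.example", "bob@victim.example", False),
    ]
    for sender, recipient, unusual in cases:
        h = communication_history(MAIL_LOG, sender, recipient)
        print(sender, h, assess(h, unusual))
```

The organization tier is what separates a genuinely new domain from a merely new person: in the second case the mailbox count is zero but the vendor domain has three prior messages into the organization, so the message only earns a review rather than quarantine.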
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a BEC threat. The email was automatically quarantined based on predetermined remediation actions for the BEC detection category.
Stay tuned for more Blox Tales! If you’re interested to learn about Armorblox, you can schedule a demo with one of our email security experts.