Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt that impersonated Intuit QuickBooks with an email that asked readers to review their last deposit. Clicking the link led readers to the credential phishing page that resembled the QuickBooks Payments login portal.
Earlier this year, we saw a credential phishing attempt to land in a customer inbox. This email claimed to come from Intuit QuickBooks, a popular accounting and payment processing solution, and asked readers to review their last deposit. Clicking the link took the targets to the credential phishing page resembling the login portal for QuickBooks Payments, designed to make targets part with their QuickBooks credentials. The email claims that funds will be debited from the target’s account if no response is received, furthering the sense of urgency. A snapshot of the email is given below:
Fig: Email where attackers impersonate QuickBooks and direct readers to review their last deposit. Highlights from Armorblox email threat detection also included.
Why The Attack Got Through
This email got past existing G Suite and gateway security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. Not a mass email
This was not a bulk email and only a few people in the target organization received it. This ensured that the email wasn’t caught in the bulk email filters of G Suite’s Advanced Protection Program or the Secure Email Gateway (SEG).
2. Lookalike website
The final credential phishing page in this attack was made to resemble a QuickBooks login page. A screenshot is presented below:
Fig: Final credential phishing page made to resemble a QuickBooks login page
This page would pass most eye tests during busy mornings, with people happily assuming it to be a legitimate QuickBooks page. The page actually looks very similar to an older version of the QuickBooks login page. Although the design has since been updated, busy readers won’t have enough rational decision making time to mull this point over.
Adversaries went to great lengths to lend this login page a sense of legitimacy. The QuickBooks logo on the browser tab is a genuine logo. Moreover, all the hyperlinks except the ‘Sign In’ and ‘I forgot my user ID or password’ links actually lead to legitimate websites. The two aforementioned links both led to the same phishing site.
A closer look at the page reveals some irregularities, however. The domain - lazurowa168[.]pl - is clearly not a QuickBooks domain.
3. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The sender name impersonated Intuit QuickBooks, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language and topic was intended to induce urgency in the reader owing to its financial nature. Asking readers to review their last deposit is a powerful motivator for anyone to click on the URL and follow through. The email claims that funds will be debited from the target’s account if no response is received, furthering the sense of urgency.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected many financial topics within the text. Armorblox also detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks).
Fig: Another screenshot of the email showing Armorblox detection insights (financial topics, bad URL)
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. Based on the remediation actions set up by the security team for the credential phishing category, this email could have been automatically deleted or quarantined.