Blox Tales: Zix Credential Phishing

In today’s Blox Tale, we will look at a credential phishing attack that spoofs an encrypted message notification from Zix. Clicking the link attempts to download an HTML file onto the victim’s system.

This email attack was observed on multiple Armorblox customer environments across Office 365, Google Workspace, and Exchange. The total attack exposure was close to 75,000 mailboxes, but our threat research team found that small groups of cross-departmental employees were targeted in each customer environment.

Summary

Total mailboxes across orgs: ~75,000

Email Provider: Office 365, Google Workspace, Exchange

Techniques used: Social engineering, brand impersonation, replicating existing workflows, drive-by download, exploiting legitimate domain

Fig: Credential phishing attack spoofing a Zix secure message

The Email

This email is titled ‘Secure Zix message’, includes a header in the email body reiterating the email title, and claims that the victim has received a secure message from Zix, which is a security technology company that provides email encryption and email data loss prevention services.

The email invites the victim to click on the ‘Message’ button to view the secure message. A snapshot of the email is given below:

Fig:  Email spoofing a Zix secure message notification

Looking at a genuine template for Zix secure messages (shown below), the email is not a facsimile but bears enough surface-level resemblance to pass the eye tests of unsuspecting victims.

Fig:  Screenshot of a genuine Zix secure message template

The domain of the email sender was ‘thefullgospelbaptist[.]com’, which is a religious organization established in 1994. Looking at WhoIs details of the parent domain, the domain now redirects to ‘fullgospelbaptist[.]org’.

It’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails. The email passed all authentication checks (SPF, DKIM, DMARC).

Fig:  The email sender domain belongs to a religious organization

The Phishing Page

Clicking the ‘Message’ link in the email attempts to install an HTML file named ‘securemessage’ on the victim’s system. Attempting to open the file in a VM wasn’t possible because the redirect to download the file didn’t appear within the VM. At the time of writing, opening up this HTML message after download leads to a ‘block’ page driven by most site-blockers.

Fig: Clicking the ‘Message’ link in the email attempts a drive-by download of an HTML file

The Targets

Although the potential account exposure of this attack campaign was close to 75,000 mailboxes, our threat research team found that a select group of employees - usually across departments - were targeted within each customer environment.

For example, for one of our SLED customers, people targeted by this attack included the CFO, a Director of Operations, a Director of Marketing, and a Professor. For another customer, a wellness company, the target employees included the SVP of Finance and Operations, the President, and a utility email alias (member.services@company[.]com).

While the spread is seemingly randomized, attackers might also have deliberately chosen their victims to be across departments and to contain a good mix of senior leadership and individual contributors. These employees are unlikely to communicate often with each other when they receive an email that looks suspicious.

It’s worth noting that multiple employees in any single department were not targeted.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

• Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate company (Zix), and a sense of urgency because it claimed the victim was sent s secure message - something they would be eager to view. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
• Brand impersonation: The email has HTML stylings and content disclaimers similar to real emails from Zix. While not a perfect replica of the real thing, it bears enough resemblance to a legitimate email to be dangerous.
• Exploiting legitimate domain: The parent domain of the email sender was a deprecated or old version of a legitimate domain - ‘thefullgospelbaptist[.]com’. This helped the email bypass authentication checks.
• Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily work lives (getting encrypted email notifications). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow through.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past the security controls of Office 365, Google Workspace, Exchange, Cisco ESA, and others. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

The screenshot below shows the email with a Spam Confidence Level (SCL) score of -1. This means the email skipped Microsoft’s spam filters because it was from a safe sender, was sent to a safe recipient, or was from an email source server on the IP Allow List.

Fig: The email has an SCL score of -1, which means it skipped Microsoft’s spam filters

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a Zix link leading to an HTML download? Why is the sender email domain from a third-party organization?).

3. Follow MFA and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:

• Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
• Don’t use the same password on multiple sites/accounts.
• Use a password management software like LastPass or 1password to store your account passwords.
• Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
• Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.

To see Armorblox work in your email environment, get started with a free 2-week risk assessment below.