In today’s Blox Tale, we will dive into the details of a credential phishing attack that spoofed a legitimate company specializing in international shipping, courier services, and transportation. Attackers targeted end users across a private institution, sending an email that spoofed a legitimate communication from DHL, in an attempt to steal victims’ login credentials.
The email attack impersonated DHL and included an attachment that aimed to exfiltrate login credentials, and bypassed both native Microsoft 365 and Exchange Online Protection (EOP) email security layers. If not for Armorblox successfully identifying and stopping this malicious email attack, this targeted threat had the potential to compromise more than 10,000 end users.
Mailboxes: More than 10,000 mailboxes
Target: A private institution within the Education Industry
Email security bypassed: Microsoft 365 Email Security and Exchange Online Protection (EOP)
Techniques used: Social engineering, brand impersonation, replicating existing business workflows, malicious attachment
The subject of this email aimed to instill an automatic level of trust through the inclusion of the well-known and trusted brand name, DHL, reading: “DHL Shipping Document/Invoice Receipt”. The inclusion of a legitimate brand name within the email subject encourages victims to open the email in a timely fashion, assuming the email is a legitimate communication from the brand that needs attention.
At first glance, the email seems to be a legitimate communication from international shipping company, DHL, with the sender name and email address reading DHL and email@example.com respectively.
Fig 1: Snapshot of credential phishing email attack impersonating DHL
The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DLP customer service department. The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment.
Please note that sensitive information has been obscured from the above screenshot for privacy reasons.
The Phishy File
The goal of the targeted attack was for victims to follow the prompted instructions within the email body and open the attachment. The attachment included within this email attack was named Shipping Document Invoice Receipt to further instill trust in the unsuspecting victims that the attachment was a legitimate file from DHL and the “copy of DHL receipt for tracking”, as referenced in the body of the email. The information and language used within the email led victims to click the attachment, unsuspecting that the attachment had malicious intent.
Upon opening the malicious attachment, viewers were provided a blurred-out preview of the content of the attachment – a Microsoft Excel file. In order to access the entirety of the document, viewers were prompted to provide his or her Microsoft login credentials. End users that believed a login was necessary to gain access to the file would have unknowingly provided his or her email and password straight to the attacker(s), falling victim to this targeted attack that aimed to exfiltrate sensitive login credentials.
The Attack Flow
This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding, plus included language with the email that aligned with legitimate company communications. The end goal of this targeted email attack was to get unsuspecting victims to open the malicious email attachment and sign in, providing his or her sensitive Microsoft login credentials.
The Power of Armorblox
The email attack used language as the main attack vector in order to bypass both Microsoft Office 365 and EOP email security controls. These native email security layers are able to block mass spam and phishing campaigns and known malware and bad URLs. However, this targeted email attack bypassed Microsoft email security because it did not include any bad URLs or links and included an HTML file that included a malicious phishing form.
Attackers used a valid domain to send this malicious email and passed all email authentication checks. Upon further analysis from the Armorblox Research Team, the sender domain (vaimti-yacht.com) received a moderate risk reputation score of the domain’s 1 month of existence.
This email attack would have been delivered to 100,000 end users’ inboxes if this targeted organization had only relied on native email security layers. Fortunately, these end users are protected by Armorblox, who accurately detected this email attack that contained a malicious attachment. Native email security enforces security measures that can identify and block threats - but only those that are already known. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to protect organizations from socially engineered email attacks that use language as the main attack vector. Armorblox computer vision techniques analyze attachments and HTML files that are commonly used to redirect users to fake landing pages, download malicious software, or display forms aimed to exfiltrate sensitive information and user credentials. With these sophisticated detection techniques and custom machine learning models, Armorblox provides organizations and end users the protection needed to stop today’s targeted, socially engineered email attacks.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email subject, design, and language used aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (DHL) and a sense of urgency through the content within both the email and the malicious attachment. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
Brand impersonation: The email included branding similar to legitimate DHL communications and content. The information included within the body of the email attack is similar to legitimate notification email communications, plus the body of the email included a legitimate DHL logo and customer service signature in order to try and trick the victim and instill trust.
Replicating Existing Business Workflows: The email was engineered to replicate a common business workflow from DHL in order to instill a sense of trust. It is not uncommon for courier and logistics companies to send email notifications about the status of parcel deliveries. In this case, attackers made it seem like DHL was reaching out to fix a misdelivery issue — an action that can easily be seen as a good deed by the recipient, further taking advantage of one’s natural desire to help those trying to make right.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog bypassed past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like LastPass or 1password to store your account passwords.