In today’s Blox Tale, we will dive into the details of a credential phishing attack that spoofed a universally used platform across end users and businesses for connecting and sharing updates via images, videos, and short clips. Attackers targeted employees at a national institution within the Education Industry, with an email attack that spoofed the global social media brand Instagram in an attempt to steal victims’ user credentials.
The email attack carried a socially engineered payload and bypassed both Microsoft Exchange email security and a Secure Email Gateway solution. It had the potential to compromise more than 20,000 users had Armorblox not identified and stopped this malicious brand impersonation email attack.
Mailboxes: More than 22,000 mailboxes
Target: A large, national institution within the Education Industry
Email security bypassed: Microsoft Exchange Email Security and Secure Email Gateway
Techniques used: Social engineering, brand impersonation, replicating existing business workflows, malicious URL
The subject line of this email, “We Noticed An Unusual Login, [user handle]”, was written to get victims to open the message. Its goal was to instill a sense of urgency, making it seem that action had to be taken in order to prevent future harm. At first glance, the email appears to come from Instagram support: the sender name, Instagram, and the email address, firstname.lastname@example.org, impersonate the well-known brand and its support team.
The email looks like a notification from Instagram, notifying recipients about unusual login activity on his or her account. The body of the email coincides with the spoofed email subject and sender, with details around a login from an unrecognized device. This targeted email attack was socially engineered, containing information specific to the recipient - like his or her Instagram user handle - in order to instill a level of trust that this email was a legitimate email communication from Instagram. The victim is prompted to review the details provided and secure his or her account if the login attempt was not legitimate.
The Phishing Page
The goal of the attacker(s) was to get victims onto a fake landing page built to exfiltrate sensitive user credentials. The information included and the language used within the email aim to lead victims to click the main call-to-action (“Secure your account”) located at the bottom of the email. Once clicked, victims were directed to a fake landing page crafted to mimic a legitimate Instagram landing page.
This fake landing page includes Instagram branding and details around the unusual login attempt detected. The information within it gives victims enough detail to corroborate the contents of the email and also increases the sense of urgency to take action and click the call-to-action button, “This Wasn’t Me”.
Upon clicking the “This Wasn’t Me” button, victims were taken to a second fake landing page. This page, much like the first, is crafted to look like a legitimate Instagram landing page. It prompts victims to change their account credentials, claiming that, due to suspicious activity, somebody else may already have them. The goal of this landing page is to exfiltrate those sensitive user credentials.
Credential phishing attacks like this one are crafted to exfiltrate credentials and hand them straight to the attacker. Victims are more likely to fall for attacks that exploit common workflows, and in this case victims were instructed to follow steps they believed were protecting them from this very scenario.
This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding across the malicious email and fake landing page, in order to exfiltrate the victims’ sensitive user credentials.
Fig 4: Credential phishing email attack flow
The Power of Armorblox
The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks.
Attackers used a valid domain to send this malicious email, and the message passed DKIM, DMARC, and SPF alignment email authentication checks. Upon further analysis by the Armorblox Research Team, the sender domain was rated trustworthy, with no infections recorded in the past 12 months of the domain's 41 months of existence.
Both native email security and secure email gateways enforce security measures that can identify and block bad URLs and threats - but only those that are already known. Armorblox computer vision techniques identify fake login pages and analyze images in web pages for brands impersonated in phishing attempts. This protects organizations against millions of known phishing threats and new malicious URLs.
This email attack would have been delivered to more than 22,000 user mailboxes if this malicious URL was not identified by the security layers in place. Fortunately, these end users are protected by Armorblox, who accurately detected this email attack that contained a malicious URL. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (Instagram) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
Brand impersonation: The email and fake landing pages included branding similar to legitimate Instagram communications and landing pages. The information included within the body of the email attack is similar to legitimate notification email communications, plus the logos used within both the email and landing page are similar in order to try and trick the victim and instill trust.
Spoofing known workflows: The email was engineered to target a common business workflow and spoofed the well-known brand Instagram in order to instill a sense of trust. With an increase in security measures being implemented across brands, it is not uncommon for notification emails such as an ‘unusual sign-on notification’ to be sent to end users and customers of Instagram. When common workflows are spoofed, end users have a higher chance of taking action rather than exercising caution, and so of becoming victims of a phishing attack.
Valid domain names: The email was sent from a valid domain. Traditional security training advises looking at email domains before responding for any clear signs of fraud. However, in this case a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain’s validity. In the education industry, it is common for employees to have a corporate social media account, further increasing end users’ chance of falling victim to this sophisticated phishing attack.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and Armorblox highlights the same trend in the 2022 Email Security Threat Report; both should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, the sender email address, the language within the email, and any logical inconsistencies within the email.
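The two points above, that the message passed SPF, DKIM and DMARC from a domain the attacker legitimately controlled, and that the eye test should compare the sender name against the sender address, can be turned into a simple header triage check. The script below is an added example, not Armorblox code or any detection logic the vendor describes: it parses a constructed sample message whose display name claims “Instagram” while the From address belongs to a placeholder domain, reads the receiving server's Authentication-Results header, and flags the display-name/domain mismatch even though every authentication result is “pass”. The brand-to-domain allow-list and the sample addresses are assumptions made for the example.

```python
"""Added example (not Armorblox code): header triage for display-name brand impersonation.

Authentication (SPF/DKIM/DMARC) binds a message to the domain in the From
address, not to the display name. A sender who controls a clean domain can
pass every check while still writing "Instagram" as the sender name.
"""
import email
from email.utils import parseaddr

# Hypothetical allow-list (assumption for this example, not a verified list):
# brand keyword -> domains that brand legitimately sends mail from.
BRAND_DOMAINS = {
    "instagram": {"instagram.com", "mail.instagram.com"},
}

# Constructed sample message. The sender domain is a placeholder; the
# Authentication-Results header reports what a receiving MTA would add when
# the attacker's own domain is correctly configured.
SAMPLE_MESSAGE = """\
From: Instagram <support@example-sender.invalid>
To: staff@university.example
Subject: We Noticed An Unusual Login, user_handle
Authentication-Results: mx.university.example;
 spf=pass smtp.mailfrom=example-sender.invalid;
 dkim=pass header.d=example-sender.invalid;
 dmarc=pass header.from=example-sender.invalid

We noticed a login from an unrecognized device. If this wasn't you, secure your account.
"""


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results.

    Only the result token of each method is extracted; the property values
    (smtp.mailfrom, header.d, header.from) are ignored here.
    """
    results = {}
    header = msg.get("Authentication-Results", "")
    # The header may be folded across lines; join it and split on ';' so
    # each clause holds one method=result pair.
    for clause in " ".join(header.splitlines()).split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                results[method] = clause.split("=", 1)[1].split()[0].lower()
    return results


def triage(raw_message):
    """Flag a brand name in the display name that the From domain does not back up."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = parse_auth_results(msg)
    auth_ok = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in allowed:
            findings.append(
                f"display name claims '{brand}' but From domain is '{domain}'"
            )
    if findings and auth_ok:
        # Passing checks vouch for the sending domain only, not for the brand.
        findings.append(
            "SPF/DKIM/DMARC pass for the sender's own domain; authentication "
            "does not validate the brand named in the display name"
        )
    return {
        "display_name": display_name,
        "from_domain": domain,
        "auth": auth,
        "auth_passed": auth_ok,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE)["findings"]:
        print("FLAG:", finding)
```

The useful property of this check is that it is independent of domain reputation: a sender domain with months of clean history and full alignment still trips it, because the signal is the claim in the display name rather than anything about the sending infrastructure. In a real deployment the allow-list would come from the brands an organization actually receives mail from, and a hit would route the message to review rather than block it outright.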
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software like LastPass or 1Password to store your account passwords.