1/19/2021 03:30 PM
Edge Editors

4 Intriguing Email Attacks Detected by AI in 2020

Here's to the sneakiest of the sneaky. These clever phishing messages -- that standard validation measures often missed -- deserve proper dishonor. (Sponsored)

(image by Abraham Peña)

Cyberattackers used and abused email in many creative, fruitful ways last year. They flooded inboxes with fearware. Took over accounts and manipulated companies' trust in their suppliers. Slipped malicious messages past standard validation checks. They treated domains like they were disposable, using a domain briefly, then discarding it before security tools could smack it with a bad reputation.

Yes, it was an exciting year for email attacks. But which attacks were the coolest of them all?

Dan Fein, director of email security products at Darktrace, gives us his favorites, detected by Darktrace's Antigena Email AI-powered email security tool. Here are the top four receiving that dubious honor:

1. Hidden in the Snow
Skiers hoping to escape quarantine could easily be tempted by messages offering deals to the slopes at Vail Resorts. And if so, they might have found themselves the victim of a clever credential theft scheme.

The phishing link inside the message appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. That wasn't all it did, though.

Fein points to the "p1" parameter in the URL. The attacker actually sent the victim to a phony login page at s-ay.xyz. To further support the disguise, the phony login page was preloaded with the victim's email address in the "username" field. And because the URL is so long, even a security-savvy user who dutifully hovered over the hyperlink to check its destination before clicking would probably have seen only a truncated URL, never the suspicious parameter.

"This would go undetected [by most security tools] because vailresorts.com has a clean reputation," says Fein. "We think it's interesting because if you look at this link in a certain way you can detect this kind of stuff. You can recognize that it's an unusual link, because there's a hidden redirect in there."
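One way to surface the hidden redirect Fein describes, as an added example (not Darktrace's code): parse the link's query string, look for parameter values that are themselves URLs (decoding repeatedly, since values are sometimes double-encoded), and compare the embedded host with the link's own. The sample link, the host `login.phish.example` and the `site()` heuristic are constructed assumptions.

```python
"""Flag URL query parameters that carry a second, embedded URL (a hidden
redirect), as in the page's "p1" case. Added example, not Darktrace's code."""
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: the visible host is the legitimate site; the "p1"
# parameter carries the real destination plus a pre-filled username.
SAMPLE_LINK = (
    "https://www.vailresorts.com/r?ref=newsletter"
    "&p1=https%3A%2F%2Flogin.phish.example%2Fauth%3Fusername%3Dalice%2540corp.example"
)


def embedded_url(value, max_decodes=3):
    """Return `value` once it decodes to something URL-shaped (absolute or
    scheme-relative). Values are sometimes double-encoded, so decode repeatedly."""
    for _ in range(max_decodes):
        if value.lower().startswith(("http://", "https://", "//")):
            return value
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return None


def hidden_redirects(link):
    """Return [(param_name, embedded_host)] for every query parameter whose
    value is itself a URL. Who the host belongs to is judged separately."""
    found = []
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        inner = embedded_url(value)
        host = (urlsplit(inner).hostname or "").lower() if inner else ""
        if host:
            found.append((name, host))
    return found


def site(host):
    """Crude registrable-domain approximation (last two labels); an assumption,
    a public-suffix list is the proper tool."""
    return ".".join(host.split(".")[-2:])


def suspicious(link):
    """True when an embedded URL leaves the link's own site. A legitimate partner
    redirect (snow.com in the page's case) is flagged too; an allow-list decides."""
    outer = site((urlsplit(link).hostname or "").lower())
    return any(site(h) != outer for _, h in hidden_redirects(link))
```

Run `hidden_redirects(SAMPLE_LINK)` to see the `p1` target pulled out of a link whose visible host has a clean reputation.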

2. Sneaking by SPF
"Whenever we see validation checks like SPF or DKIM that say this message is being sent from infrastructure we expect it to be sent from," says Fein, "then our customers say 'oh SPF passed, DKIM passed. Isn't [this message] good?' And then we think 'no.' You always want to put your guard up."

Case in point: a message purportedly from the target company's IT department, linking to a Microsoft Office form. It preloaded the user’s email address in the Office 365 login page. The message passed SPF and DKIM validation checks.

Yet, Darktrace detected that it was likely sent from a compromised account. (And not just because the message contained strange syntax like the phrase "Click Password.")

"[Antigena looks] for context," says Fein. He cites some examples of potentially anomalous context. "So, all of a sudden what normally comes from Outlook comes from a Python script. Just looking at user agents of an email; things that start to look automated. Or the infrastructure – although it's coming from Outlook, maybe it's being sent from [an unexpected country]."
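The context checks Fein lists (client that normally is Outlook suddenly a Python script; sending infrastructure not where this sender usually sends from) can be run over raw message headers alongside the SPF/DKIM result. This added example is not Darktrace's code: `BASELINE` is a constructed stand-in for what a system would learn per sender, the headers in `SAMPLE` are constructed, and the source-IP prefix check stands in for a geolocation lookup.

```python
"""Context checks for a message that passes SPF and DKIM yet may come from a
compromised account. Added example; BASELINE is constructed, not learned."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed per-sender baseline standing in for behaviour learned over time.
BASELINE = {
    "it-helpdesk@corp.example": {
        "agents": {"microsoft outlook 16.0"},
        "ip_prefixes": ("203.0.113.",),  # usual egress (documentation range)
    },
}
AUTOMATION_HINTS = ("python", "curl", "php", "go-http-client", "powershell")

# Constructed sample modelled on the page's case: SPF and DKIM pass, but the
# client and the origin are not what this sender normally uses.
SAMPLE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
Received: from outbound.corp.example ([198.51.100.7]) by mx.corp.example
From: IT Helpdesk <it-helpdesk@corp.example>
To: alice@corp.example
Subject: Action required: Click Password
User-Agent: python-requests/2.25.1

Your password is expiring. Click Password to keep access.
"""


def assess(raw):
    """Return SPF/DKIM verdicts plus context anomalies for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    auth = str(msg.get("Authentication-Results") or "").lower()
    sender = parseaddr(str(msg.get("From") or ""))[1].lower()
    agent = str(msg.get("User-Agent") or msg.get("X-Mailer") or "").lower()
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg.get("Received") or ""))
    ip = ip_match.group(1) if ip_match else ""
    profile = BASELINE.get(sender, {"agents": set(), "ip_prefixes": ()})
    anomalies = []
    if any(hint in agent for hint in AUTOMATION_HINTS):
        anomalies.append("automated-client")  # scripted send, not a mail client
    if profile["agents"] and agent not in profile["agents"]:
        anomalies.append("unexpected-user-agent")
    if profile["ip_prefixes"] and not ip.startswith(profile["ip_prefixes"]):
        anomalies.append("unexpected-source-ip")  # stands in for a geo check
    return {"spf_pass": "spf=pass" in auth, "dkim_pass": "dkim=pass" in auth,
            "sender": sender, "anomalies": anomalies}
```

`assess(SAMPLE)` reports both authentication checks passing and three anomalies; the same headers with the sender's usual client and egress address report none.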

3. An Unappetizing Link
Here's another example of a message claiming to be from the IT helpdesk that was no help at all. The attacker slid some non-Latin characters into the sender name. (Some attackers are now using hidden text in which they put invisible characters between the letters of an email so it doesn't trigger email defenses with phrases like "helpdesk" or "password expired.")
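Both tricks in that paragraph, non-Latin look-alike letters and invisible characters wedged between the letters of a word, leave traces that a display-name check can count, and stripping the invisible characters before keyword matching restores phrases like "helpdesk". Added example, not Darktrace's code; the two sample names are constructed.

```python
"""Spot sender display names padded with invisible characters or non-Latin
look-alike letters, and normalise them before keyword matching. Added example."""
import unicodedata

# Zero-width and joiner code points that get slipped between letters; any other
# Unicode "format" character (category Cf) is treated the same way below.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
KEYWORDS = ("helpdesk", "password expired", "it support")


def is_hidden(ch):
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def analyse_display_name(name):
    """Count hidden and non-Latin letters and return a cleaned name. NFKC folds
    width/compatibility variants but not Cyrillic or Greek look-alikes, so a
    mixed-script name is reported rather than silently repaired."""
    letters = [c for c in name if c.isalpha()]
    non_latin = [c for c in letters if not unicodedata.name(c, "").startswith("LATIN")]
    cleaned = "".join(c for c in unicodedata.normalize("NFKC", name) if not is_hidden(c))
    return {
        "invisible": sum(1 for c in name if is_hidden(c)),
        "non_latin": len(non_latin),
        "mixed_script": len(non_latin) > 0 and len(non_latin) < len(letters),
        "cleaned": cleaned,
    }


def keyword_hits(name):
    """Keyword match on the cleaned name; the same match on the raw name fails
    when a zero-width character sits inside the word."""
    cleaned = analyse_display_name(name)["cleaned"].lower()
    return [k for k in KEYWORDS if k in cleaned]


# Constructed samples: a zero-width space inside "Helpdesk", and a Cyrillic
# small letter ie (U+0435) standing in for the Latin "e".
ZERO_WIDTH_NAME = "IT Help\u200bdesk"
HOMOGLYPH_NAME = "IT H\u0435lpdesk"
```

A name written entirely in one non-Latin script is not reported as mixed, so a genuinely Cyrillic-named sender is not flagged by this check alone.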

The message itself was innocuous, says Fein. The document attached to that message was relatively tame too. But a hyperlink inside that document...that was a problem. It posed as a link to an online restaurant reservation booking service, but in fact was malicious.

Fein says that Darktrace can perform a number of targeted actions, depending upon the severity of a risk: redirect a suspicious link, snip the link entirely, strip the attachment from the message, or block the message, for example.

"So just because an attachment has a suspicious 'something' in it doesn't mean you have to hold [the attachment] back entirely," he says, "but in this case, it did."

4. Email Gateway Spoof
Another favorite of Fein's hit close to home for him, because the attacker spoofed an email security company. The message came from a spoofed Cisco IronPort address and claimed to contain an archive file.

There was no existing relationship between the sender and recipient (strike one against this message), but another anomaly also raised alarm bells. The set of recipients itself was identified by Darktrace's AI as highly unusual.

As Fein explains, some groups of users are more likely to be on a message thread together, and others aren't; some are expected to receive external messages from unknown senders, and others aren't. So, if a message is sent to a random sprinkling of employees from the human resources department, the development team, and other unrelated lines of business, for example, Darktrace's technology will take notice.

The email attacks that impressed (and distressed) Fein this year are those that used clever techniques to give target recipients, and their security tools, more reasons to trust them.

"They use some company that you might recognize. Or recognize their infrastructure. … Or you receive an email from someone you know and then you think you're logging in to respond to them," he says. "It all just adds credibility to the fact that what you're about to do makes sense."

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.
