Edge Editors

4 Intriguing Email Attacks Detected by AI in 2020

Here's to the sneakiest of the sneaky. These clever phishing messages -- that standard validation measures often missed -- deserve proper dishonor. (Sponsored)

(image by Abraham Peña)

Cyberattackers used and abused email in many creative, fruitful ways last year. They flooded inboxes with fearware. Took over accounts and manipulated companies' trust in their suppliers. Slipped malicious messages past standard validation checks. They treated domains like they were disposable: using a domain briefly, then discarding it before security tools could smack it with a bad reputation.

Yes, it was an exciting year for email attacks. But which attacks were the coolest of them all?

Dan Fein, director of email security products at Darktrace, gives us his favorites, detected by Darktrace's Antigena Email AI-powered email security tool. Here are the top four receiving that dubious honor:

1. Hidden in the Snow
Skiers hoping to escape quarantine could easily be tempted by messages offering deals to the slopes at Vail Resorts. And if so, they might have found themselves the victim of a clever credential theft scheme.

The phishing link inside the message appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. That wasn't all it did though. 


Fein points to the "p1" parameter in the URL. The attacker actually sent the victim to a phony login page at s-ay.xyz. To further support the disguise, the phony login page was preloaded with the victim's email address in the "username" field. And because the URL is so long, even a security-savvy user who dutifully hovered over the hyperlink to check its destination before clicking would probably have seen only a truncated URL, never the suspicious parameter.

"This would go undetected [by most security tools] because vailresorts.com has a clean reputation," says Fein. "We think it's interesting because if you look at this link in a certain way you can detect this kind of stuff. You can recognize that it's an unusual link, because there's a hidden redirect in there."
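One way to look at a link "in a certain way," as Fein puts it, is to pull apart its query string and ask whether any parameter carries a whole URL pointing somewhere other than the trusted outer domain. The following is an added example written for this article, not Darktrace's or Antigena's code. The sample links, the `Common/Redirect` path, the `dest` parameter and the `victim@example.com` address are constructed; only the brand domains and the `p1` parameter come from the case above. The `registrable_domain` helper is a deliberate simplification (last two labels) that a real deployment would replace with a public-suffix-list lookup.

```python
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample links modelled on the case above: the outer host is the
# trusted brand, while a query parameter carries the real destination.
SAMPLE_URL = (
    "https://www.vailresorts.com/Common/Redirect"
    "?dest=https%3A%2F%2Fwww.snow.com%2Fdeals"
    "&p1=https%3A%2F%2Fs-ay.xyz%2Flogin%3Fusername%3Dvictim%40example.com"
)
# Same idea, but the embedded URL has been percent-encoded twice.
SAMPLE_URL_DOUBLE = "https://www.vailresorts.com/r?p1=https%253A%252F%252Fs-ay.xyz%252Flogin"

MAX_DECODE_DEPTH = 3
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def registrable_domain(host):
    """Crude 'last two labels' approximation (assumption); a real deployment
    would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def embedded_url(value):
    """Return an absolute http(s) URL hidden in a query value, undoing up to
    MAX_DECODE_DEPTH extra layers of percent-encoding, or None."""
    current = value
    for _ in range(MAX_DECODE_DEPTH + 1):
        parsed = urlparse(current)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return current
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return None


def find_hidden_redirects(url, allowed_domains=frozenset()):
    """List every third-party URL smuggled through a query parameter of `url`.
    `allowed_domains` names partners the site legitimately redirects to."""
    outer = urlparse(url)
    outer_domain = registrable_domain(outer.hostname or "")
    findings = []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        inner = embedded_url(value)
        if inner is None:
            continue
        inner_host = urlparse(inner).hostname or ""
        inner_domain = registrable_domain(inner_host)
        if inner_domain == outer_domain or inner_domain in allowed_domains:
            continue
        match = EMAIL_RE.search(inner)
        findings.append({
            "param": name,
            "target": inner_host,
            "url": inner,
            # An address baked into the target is the "username already
            # filled in" trick described above.
            "prefilled_email": match.group(0) if match else None,
        })
    return findings


if __name__ == "__main__":
    for link in (SAMPLE_URL, SAMPLE_URL_DOUBLE):
        for f in find_hidden_redirects(link, allowed_domains={"snow.com"}):
            print(f"{f['param']} -> {f['target']} (prefilled: {f['prefilled_email']})")
```

With `snow.com` on the partner allowlist, the first link yields exactly one finding, `p1 -> s-ay.xyz`, with the pre-filled address attached; without the allowlist the legitimate `dest` hop is reported too, which is the usual tuning work for this kind of rule. The double-encoded variant is caught because the decoder peels encoding layers before deciding whether a value is a URL.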

2. Sneaking by SPF
"Whenever we see validation checks like SPF or DKIM that say this message is being sent from infrastructure we expect it to be sent from," says Fein, "then our customers say 'oh SPF passed, DKIM passed. Isn't [this message] good?' And then we think 'no.' You always want to put your guard up."

Case in point: a message purportedly from the target company's IT department, linking to a Microsoft Office form. It preloaded the user's email address in the Office 365 login page. The message passed SPF and DKIM validation checks.

Yet, Darktrace detected that it was likely sent from a compromised account. (And not just because the message contained strange syntax like the phrase "Click Password.")

"[Antigena looks] for context," says Fein. He cites some examples of potentially anomalous context. "So, all of a sudden what normally comes from Outlook comes from a Python script. Just looking at user agents of an email; things that start to look automated. Or the infrastructure – although it's coming from Outlook, maybe it's being sent from [an unexpected country]."
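The contextual signals Fein lists (the mailer or user agent, and the infrastructure the message really left from) all live in headers that an SPF/DKIM pass says nothing about. The example below is added here and is not Darktrace's code; it parses a constructed message, confirms the authentication verdicts, and then compares the `X-Mailer` and first-hop IP against a per-sender baseline. The two raw messages, the `BASELINE` profile, the `GEO` table and the `ZZ` country code are all constructed stand-ins for what a real system would learn from history and a GeoIP database.

```python
import email
import re
from email.utils import parseaddr

# Constructed baseline: what mail from this sender has looked like so far.
BASELINE = {
    "it-helpdesk@example.com": {
        "user_agents": ("Microsoft Outlook",),
        "countries": {"US"},
    },
}

# Constructed IP-to-country table standing in for a GeoIP database; "ZZ" is a
# placeholder for a country this sender has never mailed from.
GEO = {"198.51.100.22": "US", "203.0.113.7": "ZZ"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: every authentication check passes, but it was sent by a
# script from an unexpected place.
MSG_SUSPICIOUS = """\
Received: from mail.example.com ([198.51.100.22]) by mx.example.com; Mon, 7 Dec 2020 09:12:01 +0000
Received: from [203.0.113.7] by mail.example.com; Mon, 7 Dec 2020 09:11:58 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: IT Helpdesk <it-helpdesk@example.com>
To: user@example.com
Subject: Password expiry notice
X-Mailer: Python/3.8 smtplib
Content-Type: text/plain

Click Password to keep your account.
"""

# Constructed message matching the sender's baseline.
MSG_BASELINE = """\
Received: from mail.example.com ([198.51.100.22]) by mx.example.com; Mon, 7 Dec 2020 08:00:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: IT Helpdesk <it-helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain

The mail system will be unavailable on Saturday.
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def originating_ip(msg):
    """Received headers are prepended per hop, so the last one is the first hop."""
    for hop in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(hop)
        if match:
            return match.group(1)
    return None


def assess(raw):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    verdicts = auth_results(msg)
    findings = []
    failed = {m: v for m, v in verdicts.items() if v != "pass"}
    if failed:
        findings.append(("auth", f"not all checks passed: {failed}"))
    profile = BASELINE.get(sender)
    if profile is None:
        findings.append(("unknown_sender", sender))
    else:
        # Context checks: these run even when SPF, DKIM and DMARC all pass.
        agent = msg.get("X-Mailer") or msg.get("User-Agent") or ""
        if not any(agent.startswith(known) for known in profile["user_agents"]):
            findings.append(("user_agent", agent or "<none>"))
        ip = originating_ip(msg)
        country = GEO.get(ip, "unknown")
        if country not in profile["countries"]:
            findings.append(("origin_country", f"{ip} -> {country}"))
    return {
        "sender": sender,
        "auth": verdicts,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


if __name__ == "__main__":
    for raw in (MSG_SUSPICIOUS, MSG_BASELINE):
        print(assess(raw))
```

Both messages show `spf=pass`, `dkim=pass` and `dmarc=pass`; only the first is flagged, because its mailer string and first-hop country both fall outside the sender's baseline. That is the distinction Fein draws: authentication tells you the message came from infrastructure that is allowed to send for the domain, not that the account behind it is still in the right hands.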

3. An Unappetizing Link
Here's another example of a message claiming to be from the IT helpdesk that was no help at all. The attacker slid some non-Latin characters into the sender name. (Some attackers are now using hidden text, placing invisible characters between the letters of a word in an email so that it doesn't trigger email defenses looking for phrases like "helpdesk" or "password expired.")
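Both tricks in that paragraph defeat a keyword rule in different ways: zero-width characters break the keyword apart, and look-alike letters from another script replace it outright. The following added example (not Darktrace's code) decodes a `From` header, strips the invisible characters before matching a watch list, and records which Unicode scripts the visible letters belong to, so that either evasion surfaces as a finding. The three sample headers, the `INVISIBLE` set and the `WATCHLIST` phrases are constructed for the example; the encoded-word form of the mixed-script name is built with the standard library's `email.header.Header` so that the decode path is exercised.

```python
import unicodedata
from email.header import Header, decode_header, make_header
from email.utils import parseaddr

# Zero-width and other invisible code points that can be slipped between letters.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
# Phrases a plain keyword rule would look for (constructed watch list).
WATCHLIST = ("helpdesk", "password expired", "it support")

# Constructed From headers.
SAMPLE_CLEAN = "IT Helpdesk <helpdesk@example.com>"
SAMPLE_ZERO_WIDTH = '"IT Help\u200bdesk" <helpdesk@example.com>'
# "Helpd\u0435sk" uses the Cyrillic small letter ie in place of the Latin e; a
# mail client would carry it as an RFC 2047 encoded word, built here with the
# standard library rather than typed in by hand.
SAMPLE_MIXED_SCRIPT = Header("IT Helpd\u0435sk", "utf-8").encode() + " <helpdesk@example.com>"


def decode_display_name(from_header):
    """Undo RFC 2047 encoding and split the header into (display name, address)."""
    decoded = str(make_header(decode_header(from_header)))
    return parseaddr(decoded)


def letter_scripts(text):
    """Set of Unicode script names (first word of the character name) for the letters in text."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in text
        if ch.isalpha()
    }


def inspect_display_name(from_header):
    name, addr = decode_display_name(from_header)
    invisibles = [ch for ch in name if ch in INVISIBLE]
    visible = "".join(ch for ch in name if ch not in INVISIBLE)
    scripts = letter_scripts(visible)
    # Match the watch list against the name as a human would see it.
    folded = unicodedata.normalize("NFKC", visible).casefold()
    hits = [phrase for phrase in WATCHLIST if phrase in folded]
    return {
        "name": name,
        "address": addr,
        "invisible_chars": len(invisibles),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "watchlist_hits": hits,
        # A watch-list hit on its own is not a verdict; the evasions are.
        "suspicious": bool(invisibles) or len(scripts) > 1,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_ZERO_WIDTH, SAMPLE_MIXED_SCRIPT):
        print(inspect_display_name(sample))
```

The zero-width sample matches `helpdesk` only after the invisible character is removed, which is exactly what the naive rule misses. The mixed-script sample never matches the keyword at all, because the Cyrillic letter is a different code point, but it is flagged anyway on the strength of two scripts appearing in one short name. The clean sample matches the keyword and is not flagged, which is the behaviour you want from a rule aimed at evasion rather than at the word itself.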

The message itself was innocuous, says Fein. The document attached to that message was relatively tame too. But a hyperlink inside that document...that was a problem. It posed as a link to an online restaurant reservation booking service, but in fact was malicious.

Fein says that Darktrace can perform a number of targeted actions, depending upon the severity of a risk: redirect a suspicious link, snip the link entirely, strip the attachment from the message, or block the message, for example.

"So just because an attachment has a suspicious 'something' in it doesn't mean you have to hold [the attachment] back entirely," he says, "but in this case, it did."

4. Email Gateway Spoof
Another favorite of Fein's hit close to home for him, because the attacker spoofed an email security company. The message came from a spoofed Cisco IronPort address and claimed to contain an archive file.

There was no existing relationship between the sender and recipient – strike one against this message – but another anomaly also raised alarm bells. The collection of recipients itself was identified by Darktrace's AI as highly unusual.

As Fein explains, some groups of users are more likely to be on a message thread together, and others aren't; some are expected to receive external messages from unknown senders, and others aren't. So, if a message is sent to a random sprinkling of employees from the human resources department, the development team, and other unrelated lines of business, for example, Darktrace's technology will take notice.
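The two signals in this case, no prior relationship with the sender and a recipient list that cuts across unrelated teams, can both be estimated from nothing more than who has mailed whom before. The example below is added here and is not Darktrace's model; it builds a toy version of that history, counts how often each pair of addresses has appeared on the same message, and scores a new message by the share of its recipient pairs that have never been seen together. The `HISTORY` list, the `NOVELTY_THRESHOLD` cut-off and the `alerts@mail-gateway.example` sender are all constructed.

```python
from collections import Counter
from itertools import combinations

# Constructed history of past messages as (sender, recipients). A real system
# learns this from months of mail flow; five messages are enough to show the idea.
HISTORY = [
    ("payroll@example.com", {"alice@example.com", "bob@example.com"}),      # HR
    ("alice@example.com", {"bob@example.com", "carol@example.com"}),        # HR
    ("ci@build.vendor.example", {"dave@example.com", "erin@example.com"}),  # dev team
    ("dave@example.com", {"erin@example.com", "frank@example.com"}),        # dev team
    ("ledger@example.com", {"grace@example.com", "heidi@example.com"}),     # finance
]
NOVELTY_THRESHOLD = 0.5  # constructed cut-off for "unusual grouping"


def build_model(history):
    """Count recipient co-occurrences and remember which senders each recipient has heard from."""
    pair_counts = Counter()
    senders_seen_by = {}
    for sender, recipients in history:
        for pair in combinations(sorted(recipients), 2):
            pair_counts[pair] += 1
        for rcpt in recipients:
            senders_seen_by.setdefault(rcpt, set()).add(sender)
    return pair_counts, senders_seen_by


def score_message(model, sender, recipients):
    """Score one new message against the model built from history."""
    pair_counts, senders_seen_by = model
    rcpts = sorted(set(recipients))
    pairs = list(combinations(rcpts, 2))
    unseen = [pair for pair in pairs if pair_counts[pair] == 0]
    # Fraction of recipient pairs that have never shared a message before.
    novelty = len(unseen) / len(pairs) if pairs else 0.0
    # "Strike one": none of the recipients has ever received mail from this sender.
    no_relationship = not any(sender in senders_seen_by.get(r, set()) for r in rcpts)
    return {
        "recipient_novelty": novelty,
        "unseen_pairs": unseen,
        "no_prior_relationship": no_relationship,
        "suspicious": no_relationship and novelty >= NOVELTY_THRESHOLD,
    }


if __name__ == "__main__":
    model = build_model(HISTORY)
    # A random sprinkling of HR, development and finance from an unknown sender.
    print(score_message(model, "alerts@mail-gateway.example",
                        ["alice@example.com", "dave@example.com", "grace@example.com"]))
    # Routine payroll mail to the usual HR pair.
    print(score_message(model, "payroll@example.com",
                        ["alice@example.com", "bob@example.com"]))
```

The unknown sender writing to one person each from HR, development and finance scores a novelty of 1.0 with no prior relationship, and is flagged; the payroll message to its usual pair scores 0.0 and is not. A known sender mailing an unusual grouping gets the high novelty score but not the flag, which keeps a colleague who starts a cross-team thread from tripping the rule on that signal alone.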

The email attacks that impressed (and distressed) Fein this year are those that used clever techniques to give target recipients – and their security tools – more reasons to trust them.

"They use some company that you might recognize. Or recognize their infrastructure. … Or you receive an email from someone you know and then you think you're logging in to respond to them," he says. "It all just adds credibility to the fact that what you're about to do makes sense."

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.