

Edge Editors

4 Intriguing Email Attacks Detected by AI in 2020

Here's to the sneakiest of the sneaky. These clever phishing messages -- that standard validation measures often missed -- deserve proper dishonor. (Sponsored)

(image by Abraham Peña)

Cyberattackers used and abused email in many creative, fruitful ways last year. They flooded inboxes with fearware. Took over accounts and manipulated companies' trust in their suppliers. Slipped malicious messages past standard validation checks. They treated domains as disposable, using a domain briefly and then discarding it before security tools could tag it with a bad reputation.

Yes, it was an exciting year for email attacks. But which attacks were the coolest of them all?

Dan Fein, director of email security products at Darktrace, gives us his favorites, detected by Darktrace's Antigena Email AI-powered email security tool. Here are the top four receiving that dubious honor:

1. Hidden in the Snow
Skiers hoping to escape quarantine could easily be tempted by messages offering deals to the slopes at Vail Resorts. And if so, they might have found themselves the victim of a clever credential theft scheme.

The phishing link inside the message appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. That wasn't all it did, though.


Fein points to the "p1" parameter in the URL. The attacker actually sent the victim to a phony login page at s-ay.xyz. To further support the disguise, the phony login page was preloaded with the victim's email address in the "username" field. And because the URL is so long, even a security-savvy user who dutifully scrolled over the hyperlink to check its destination before clicking would probably have only seen a truncated URL, never seeing the suspicious parameter.

"This would go undetected [by most security tools] because vailresorts.com has a clean reputation," says Fein. "We think it's interesting because if you look at this link in a certain way you can detect this kind of stuff. You can recognize that it's an unusual link, because there's a hidden redirect in there."
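As an added example (not Darktrace's code or the article's), the check below walks a link's query parameters looking for nested URLs, like the "p1" parameter described above, and reports those whose domain is neither the visible site nor a known partner. The domains are constructed placeholders, and the two-label "registrable domain" shortcut is an assumption standing in for a public-suffix lookup.

```python
"""Surface hidden redirects: URLs nested inside another URL's query string."""
from urllib.parse import urlsplit, parse_qsl, quote


def registrable(host: str) -> str:
    """Approximate the registrable domain by its last two labels.
    Assumption: no public-suffix list (co.uk-style suffixes are mishandled)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def nested_urls(url: str, depth: int = 3) -> list:
    """Return every URL found in query-parameter values, recursing so a
    redirect chained inside another redirect is still surfaced."""
    found = []
    if depth == 0:
        return found
    query = urlsplit(url).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes, so one encoding layer per hop.
        if value.lower().startswith(("http://", "https://", "//")):
            found.append(value)
            found.extend(nested_urls(value, depth - 1))
    return found


def hidden_redirects(url: str, trusted=()) -> list:
    """Nested URLs whose domain is neither the visible host nor a trusted one.
    `trusted` is where the legitimate booking partner (Snow.com in the article)
    would be listed, so only the unexpected destination is reported."""
    visible = registrable(urlsplit(url).hostname or "")
    allowed = {visible, *(registrable(t) for t in trusted)}
    return [u for u in nested_urls(url)
            if registrable(urlsplit(u).hostname or "") not in allowed]


# Constructed sample mirroring the article's pattern: a clean-reputation site
# redirects to its partner, whose own parameter carries the phony login page
# with the victim's address preloaded.
PHONY = "https://phony-login.example/login?username=victim@corp.example"
PARTNER = "https://booking.partner.example/deals?p1=" + quote(PHONY, safe="")
SAMPLE_LINK = "https://www.resort.example/go?url=" + quote(PARTNER, safe="")

if __name__ == "__main__":
    for u in hidden_redirects(SAMPLE_LINK, trusted=("booking.partner.example",)):
        print("hidden redirect ->", u)
```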

2. Sneaking by SPF
"Whenever we see validation checks like SPF or DKIM that say this message is being sent from infrastructure we expect it to be sent from," says Fein, "then our customers say 'oh SPF passed, DKIM passed. Isn't [this message] good?' And then we think 'no.' You always want to put your guard up."

Case in point: a message purportedly from the target company's IT department, linking to a Microsoft Office form. It preloaded the user’s email address in the Office 365 login page. The message passed SPF and DKIM validation checks.

Yet, Darktrace detected that it was likely sent from a compromised account. (And not just because the message contained strange syntax like the phrase "Click Password.")

"[Antigena looks] for context," says Fein. He cites some examples of potentially anomalous context. "So, all of a sudden what normally comes from Outlook comes from a Python script. Just looking at user agents of an email; things that start to look automated. Or the infrastructure – although it's coming from Outlook, maybe it's being sent from [an unexpected country]."

3. An Unappetizing Link
Here's another example of a message claiming to be from the IT helpdesk that was no help at all. The attacker slid some non-Latin characters into the sender name. (Some attackers now use hidden text, inserting invisible characters between the letters of a word so that it doesn't trigger email defenses keyed on phrases like "helpdesk" or "password expired.")
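As an added example (not Darktrace's code or the article's), this Python check inspects a From header for the two tricks just described: invisible format characters padding the display name, and non-Latin look-alike letters mixed into it. The sender addresses are constructed, the watch phrases are illustrative, and the confusables table is a deliberately small hand-picked subset of the Unicode confusables data.

```python
"""Flag sender display names that hide or disguise watch phrases."""
import unicodedata
from email.utils import parseaddr

# A few Cyrillic letters that render like Latin ones (assumption: a real
# deployment would load the full Unicode confusables table instead).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def strip_invisible(text: str) -> str:
    """Drop format characters (category Cf): zero-width space/joiner, BOM, soft hyphen."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def scripts(text: str) -> set:
    """Script of each letter, taken from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def inspect_sender(header_value: str,
                   watch_phrases=("helpdesk", "it support", "password")) -> dict:
    """Return anomaly signals for a From header's display name."""
    name, addr = parseaddr(header_value)
    cleaned = strip_invisible(name)
    # Map look-alikes back to Latin before matching, so "h\u0435lpdesk" hits.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in cleaned)
    folded = unicodedata.normalize("NFKC", folded).casefold()
    found = scripts(cleaned)
    return {
        "address": addr,
        "display_name": cleaned,
        "invisible_chars": len(name) - len(cleaned),
        "scripts": sorted(found),
        "mixed_script": len(found) > 1,
        "watch_phrase_hit": any(p in folded for p in watch_phrases),
    }


# Constructed samples: a zero-width space splitting "Helpdesk", and a
# Cyrillic small ie (U+0435) standing in for the Latin "e".
PADDED_FROM = '"IT Hel\u200bpdesk" <noreply@corp-it.example>'
LOOKALIKE_FROM = '"IT H\u0435lpdesk" <noreply@corp-it.example>'

if __name__ == "__main__":
    for hdr in (PADDED_FROM, LOOKALIKE_FROM):
        print(inspect_sender(hdr))
```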

The message itself was innocuous, says Fein. The document attached to that message was relatively tame too. But a hyperlink inside that document... that was a problem. It posed as a link to an online restaurant reservation booking service, but in fact was malicious.

Fein says that Darktrace can perform a number of targeted actions, depending upon the severity of a risk: redirect a suspicious link, snip the link entirely, strip the attachment from the message, or block the message, for example.

"So just because an attachment has a suspicious 'something' in it doesn't mean you have to hold [the attachment] back entirely," he says, "but in this case, it did."

4. Email Gateway Spoof
Another favorite of Fein's hit close to home for him, because the attacker spoofed an email security company. The message came from a spoofed Cisco IronPort address and claimed to contain an archive file.

There was no existing relationship between the sender and recipient (strike one against this message), but another anomaly also raised alarm bells. The collection of recipients themselves was identified by Darktrace's AI as highly unusual.

As Fein explains, some groups of users are more likely to be on a message thread together, and others aren't; some are expected to receive external messages from unknown senders, and others aren't. So, if a message is sent to a random sprinkling of employees from the human resources department, the development team, and other unrelated lines of business, for example, Darktrace's technology will take notice.

The email attacks that impressed (and distressed) Fein this year are those that used clever techniques to give target recipients, and their security tools, more reasons to trust them.

"They use some company that you might recognize. Or recognize their infrastructure. … Or you receive an email from someone you know and then you think you're logging in to respond to them," he says. "It all just adds credibility to the fact that what you're about to do makes sense."

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.
