(image by Abraham Peña)

Cyberattackers used and abused email in many creative, fruitful ways last year. They flooded inboxes with fearware. Took over accounts and manipulated companies' trust in their suppliers. Slipped malicious messages past standard validation checks. They treated domains like they were disposable; using a domain briefly, then discarding it before security tools could smack it with a bad reputation.

Yes, it was an exciting year for email attacks. But which attacks were the coolest of them all?

Dan Fein, director of email security products at Darktrace, gives us his favorites, detected by Darktrace's Antigena Email AI-powered email security tool. Here are the top four receiving that dubious honor:

1. Hidden in the Snow
Skiers hoping to escape quarantine could easily be tempted by messages offering deals to the slopes at Vail Resorts. And if so, they might have found themselves the victim of a clever credential theft scheme.

The phishing link inside the message appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. That wasn't all it did though. 

Fein points to the "p1" parameter in the URL. The attacker actually sent the victim to a phony login page at s-ay.xyz. To further support the disguise, the phony login page was preloaded with the victim's email address in the "username" field. And because the URL is so long, even a security-savvy user who dutifully scrolled over the hyperlink to check its destination before clicking would probably have only seen a truncated URL, never seeing the suspicious parameter.

"This would go undetected [by most security tools] because vailresorts.com has a clean reputation." says Fein. "We think it's interesting because if you look at this link in a certain way you can detect this kind of stuff. You can recognize that it’s an unusual link, because there's a hidden redirect in there."

2. Sneaking by SPF
"Whenever we see validation checks like SPF or DKIM that say this message is being sent from infrastructure we expect it to be sent from," says Fein, “then our customers say ‘oh SPF passed, DKIM passed. Isn't [this message] good?' And then we think 'no.' You always want to put your guard up."

Case in point: a message purportedly from the target company's IT department, linking to a Microsoft Office form. It preloaded the user’s email address in the Office 365 login page. The message passed SPF and DKIM validation checks.

Yet, Darktrace detected that it was likely sent from a compromised account. (And not just because the message contained strange syntax like the phrase "Click Password.")  

"[Antigena looks] for context," says Fein. He cites some examples of potentially anomalous context. "So, all of a sudden what normally comes from Outlook comes from a Python script. Just looking at user agents of an email; things that start to look automated. Or the infrastructure – although it's coming from Outlook, maybe it's being sent from [an unexpected country]."

3. An Unappetizing Link
Here's another example of a message claiming to be from the IT helpdesk that was no help at all. The attacker slid some non-Latin characters into the sender name. (Some attackers are now using hidden text in which they put invisible characters between the letters of an email so it doesn't trigger email defenses with phrases like "helpdesk" or "password expired.")

The message itself was innocuous, says Fein. The document attached to that message was relatively tame too. But a hyperlink inside that document...that was a problem. It posed as a link to an online restaurant reservation booking service, but in fact was malicious.

Fein says that Darktrace can perform a number of targeted actions, depending upon the severity of a risk: redirect a suspicious link, snip the link entirely, strip the attachment from the message, or block the message, for example.

"So just because an attachment has a suspicious 'something' in it doesn't mean you have to hold [the attachment] back entirely," he says, "but in this case, it did."

4. Email Gateway Spoof
Another favorite of Fein's hit close to home for him, because the attacker spoofed an email security company. The message came from a spoofed Cisco Ironport address and claimed to contain an archive file.  

There was no existing relationship between the sender and recipient – strike one against this message --but another anomaly also raised alarm bells. The collection of recipients themselves was identified by Darktrace's AI as highly unusual.

As Fein explains, some groups of users are more likely to be on a message thread together, and others aren't; some are expected to receive external messages from unknown senders, and others aren't. So, if a message is sent to a random sprinkling of employees from the human resources department, the development team, and other unrelated lines of business, for example, Darktrace's technology will take notice.

The email attacks that impressed (and distressed) Fein this year are these that used clever techniques to give target recipients – and their security tools – more reasons to trust them.

"They use some company that you might recognize. Or recognize their infrastructure. … Or you receive an email from someone you know and then you think you're logging in to respond to them," he says. "It all just adds credibility to the fact that what you're about to do makes sense."