

03:30 PM
Edge Editors

4 Intriguing Email Attacks Detected by AI in 2020

Here's to the sneakiest of the sneaky. These clever phishing messages -- that standard validation measures often missed -- deserve proper dishonor. (Sponsored)

(image by Abraham Peña)

Cyberattackers used and abused email in many creative, fruitful ways last year. They flooded inboxes with fearware. Took over accounts and manipulated companies' trust in their suppliers. Slipped malicious messages past standard validation checks. They treated domains as disposable, using a domain briefly and then discarding it before security tools could tag it with a bad reputation.

Yes, it was an exciting year for email attacks. But which attacks were the coolest of them all?

Dan Fein, director of email security products at Darktrace, gives us his favorites, detected by Darktrace's Antigena Email AI-powered email security tool. Here are the top four receiving that dubious honor:

1. Hidden in the Snow
Skiers hoping to escape quarantine could easily be tempted by messages offering deals to the slopes at Vail Resorts. And if so, they might have found themselves the victim of a clever credential theft scheme.

The phishing link inside the message appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. That wasn't all it did though. 

Fein points to the "p1" parameter in the URL: the attacker actually sent the victim to a phony login page at s-ay.xyz. To further support the disguise, the phony login page was preloaded with the victim's email address in the "username" field. And because the URL is so long, even a security-savvy user who dutifully hovered over the hyperlink to check its destination before clicking would probably have seen only a truncated URL, never the suspicious parameter.

"This would go undetected [by most security tools] because vailresorts.com has a clean reputation," says Fein. "We think it's interesting because if you look at this link in a certain way you can detect this kind of stuff. You can recognize that it's an unusual link, because there's a hidden redirect in there."
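The check Fein describes, looking at a link "in a certain way" to find the redirect hidden in a query parameter, can be done mechanically. The following is an added example written for this article, not Darktrace code: it walks a URL's query string, URL-decoding one level per hop, and collects every host reachable through nested URLs. The outer host, the partner host and the phony login host in the sample are constructed stand-ins for the vailresorts.com / snow.com / s-ay.xyz chain described above; only the parameter name "p1" comes from the article.

```python
"""Spot a hidden redirect buried in a hyperlink's query string.

Added example, not Darktrace code. The hosts and URL below are constructed
stand-ins for the outer-site -> partner -> phony-login chain in the text.
"""
from urllib.parse import urlparse, parse_qsl, quote

# Constructed sample chain: a trusted outer host hands off to a legitimate
# partner, whose own "p1" parameter (the name the article highlights) carries
# the real destination, a credential-harvesting page preloaded with a username.
PHONY_LOGIN = "https://login.phony.example/o365?username=alice%40corp.example"
PARTNER_BOOKING = "https://booking.snow.example/reserve?p1=" + quote(PHONY_LOGIN, safe="")
SAMPLE_URL = "https://www.vailresorts.example/track?dest=" + quote(PARTNER_BOOKING, safe="")


def hidden_redirect_hosts(url: str, max_depth: int = 4) -> list:
    """Return, in order of discovery, every host reachable through URLs nested
    in query parameters, excluding the outer host itself. parse_qsl decodes one
    level of percent-encoding per hop, so a doubly encoded inner URL is
    unwrapped as the walk descends."""
    outer_host = urlparse(url).hostname or ""
    found = []

    def walk(current: str, depth: int) -> None:
        if depth >= max_depth:
            return
        for _name, value in parse_qsl(urlparse(current).query, keep_blank_values=True):
            if value.startswith("//"):          # protocol-relative form
                value = "https:" + value
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                if inner.hostname != outer_host and inner.hostname not in found:
                    found.append(inner.hostname)
                walk(value, depth + 1)

    walk(url, 0)
    return found


def assess_link(url: str, trusted_hosts: set) -> tuple:
    """Classify a link: any nested host outside the trusted set is suspicious;
    a nested hop that stays within trusted hosts is a normal partner redirect."""
    hosts = hidden_redirect_hosts(url)
    untrusted = [h for h in hosts if h not in trusted_hosts]
    if untrusted:
        return ("suspicious", untrusted)
    if hosts:
        return ("redirect-to-trusted", hosts)
    return ("clean", [])


if __name__ == "__main__":
    trusted = {"www.vailresorts.example", "booking.snow.example"}
    print(len(SAMPLE_URL), "characters: a hover preview shows only the start")
    print(assess_link(SAMPLE_URL, trusted))
```

The trusted set is what makes this usable: the legitimate partner hop (here the booking host) is expected and should not fire, while any host that is neither the link's own domain nor a known partner is flagged regardless of the outer domain's reputation.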

2. Sneaking by SPF
"Whenever we see validation checks like SPF or DKIM that say this message is being sent from infrastructure we expect it to be sent from," says Fein, "then our customers say 'Oh, SPF passed, DKIM passed. Isn't [this message] good?' And then we think 'No.' You always want to put your guard up."

Case in point: a message purportedly from the target company's IT department, linking to a Microsoft Office form. It preloaded the user’s email address in the Office 365 login page. The message passed SPF and DKIM validation checks.

Yet, Darktrace detected that it was likely sent from a compromised account. (And not just because the message contained strange syntax like the phrase "Click Password.")  

"[Antigena looks] for context," says Fein. He cites some examples of potentially anomalous context. "So, all of a sudden what normally comes from Outlook comes from a Python script. Just looking at user agents of an email; things that start to look automated. Or the infrastructure – although it's coming from Outlook, maybe it's being sent from [an unexpected country]."
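The context signals Fein lists (a message that normally comes from Outlook now arriving from a Python script, or from an unexpected country) can be checked directly against a message's headers. This is an added example written for this article, not Darktrace's Antigena logic. The raw message, the per-sender baseline and the IP-to-country table are all constructed; a real deployment would build the baseline from observed traffic and use a GeoIP feed for the country lookup.

```python
"""Context checks on a message that passes SPF and DKIM.

Added example, not Darktrace's Antigena logic. The raw message, the per-sender
baseline and the IP-to-country table are all constructed for the demo.
"""
import email
import re

# Constructed message: authentication passes, but the mail was produced by a
# script rather than the sender's usual client, and left from an unusual place.
RAW_MESSAGE = """\
Received: from relay.corp.example (relay.corp.example [198.51.100.7])
    by mx.recipient.example with ESMTPS; Tue, 15 Dec 2020 09:12:01 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: IT Helpdesk <it@corp.example>
To: alice@recipient.example
Subject: Action required: Click Password
User-Agent: python-requests/2.25.0
Content-Type: text/plain

Your password expires today. Click Password to keep access.
"""

# Constructed baseline of what this sender normally looks like.
BASELINE = {
    "it@corp.example": {"agents": {"Microsoft Outlook 16.0"}, "countries": {"US"}},
}

# Constructed IP-to-country table (a real deployment would use a GeoIP feed).
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "NL"}


def auth_results(msg) -> dict:
    """Pull the spf and dkim verdicts out of Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for name in ("spf", "dkim"):
        m = re.search(rf"\b{name}=(\w+)", header)
        verdicts[name] = m.group(1) if m else "none"
    return verdicts


def connecting_ip(msg):
    """IP of the host that handed the message to our MX (topmost Received)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def sender_address(msg) -> str:
    m = re.search(r"<([^>]+)>", msg.get("From", ""))
    return (m.group(1) if m else msg.get("From", "")).strip().lower()


def assess_message(raw: str, baseline=BASELINE, ip_country=IP_COUNTRY) -> dict:
    """Report auth verdicts alongside context anomalies for the sender."""
    msg = email.message_from_string(raw)
    sender = sender_address(msg)
    profile = baseline.get(sender, {"agents": set(), "countries": set()})
    anomalies = []
    # Client software: Outlook sets X-Mailer, scripts tend to set User-Agent.
    agent = msg.get("User-Agent") or msg.get("X-Mailer") or "unknown"
    if agent not in profile["agents"]:
        anomalies.append(f"unusual user agent: {agent}")
    country = ip_country.get(connecting_ip(msg), "unknown")
    if country not in profile["countries"]:
        anomalies.append(f"unexpected sending country: {country}")
    return {"sender": sender, "auth": auth_results(msg), "anomalies": anomalies}


if __name__ == "__main__":
    print(assess_message(RAW_MESSAGE))
```

Note that the verdict does not depend on the authentication result at all: SPF and DKIM both pass here, exactly as in the case Fein describes, and the message is still flagged on the client and origin anomalies alone.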

3. An Unappetizing Link
Here's another example of a message claiming to be from the IT helpdesk that was no help at all. The attacker slid some non-Latin characters into the sender name. (Some attackers are now using hidden text in which they put invisible characters between the letters of an email so it doesn't trigger email defenses with phrases like "helpdesk" or "password expired.")
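Both tricks in the paragraph above, non-Latin lookalike characters in the sender name and invisible characters slipped between the letters of a watched phrase, fall to the same normalization step. The following added example (not Darktrace code) strips Unicode format characters, records which scripts the name mixes, and folds a small set of Cyrillic lookalikes to their Latin forms before matching phrases such as "helpdesk". The sample names and the confusables table are constructed, and the table is deliberately partial.

```python
"""Surface lookalike scripts and invisible characters in a sender display name.

Added example, not Darktrace code. The sample names and the small confusables
table are constructed; the table covers only a handful of common Cyrillic
lookalikes and is not a complete confusables list.
"""
import unicodedata

# Constructed, deliberately partial map of Cyrillic letters that render like
# Latin ones. A production filter would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

WATCH_PHRASES = ("helpdesk", "password expired", "it support")


def strip_invisible(text: str) -> tuple:
    """Remove format characters (zero-width space/joiner, BOM, ...) and
    report how many were dropped."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def scripts_used(text: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in text."""
    names = set()
    for ch in text:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def skeleton(text: str) -> str:
    """Fold the text to a plain lowercase form suitable for phrase matching."""
    text, _ = strip_invisible(text)
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def analyze_display_name(name: str) -> dict:
    cleaned, hidden = strip_invisible(name)
    scripts = scripts_used(cleaned)
    folded = skeleton(name)
    return {
        "hidden_chars": hidden,
        "scripts": scripts,
        "mixed_scripts": len(scripts) > 1,
        "skeleton": folded,
        "phrase_hits": [p for p in WATCH_PHRASES if p in folded],
        "suspicious": hidden > 0 or len(scripts) > 1,
    }


if __name__ == "__main__":
    # Constructed samples: a zero-width space inside "Helpdesk", then two
    # Cyrillic "е" characters standing in for Latin "e".
    for sample in ("IT Help\u200bdesk", "IT H\u0435lpd\u0435sk", "Alice Example"):
        print(repr(sample), analyze_display_name(sample))
```

The point of keeping both the skeleton and the raw findings is that a phrase filter alone would miss the padded or lookalike name, whereas the presence of format characters or of two scripts in one display name is itself a signal, whether or not a watched phrase is eventually matched.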

The message itself was innocuous, says Fein. The document attached to that message was relatively tame too. But a hyperlink inside that document...that was a problem. It posed as a link to an online restaurant reservation booking service, but in fact was malicious.

Fein says that Darktrace can perform a number of targeted actions, depending upon the severity of a risk: redirect a suspicious link, snip the link entirely, strip the attachment from the message, or block the message, for example.

"So just because an attachment has a suspicious 'something' in it doesn't mean you have to hold [the attachment] back entirely," he says, "but in this case, it did."

4. Email Gateway Spoof
Another favorite of Fein's hit close to home for him, because the attacker spoofed an email security company. The message came from a spoofed Cisco Ironport address and claimed to contain an archive file.  

There was no existing relationship between the sender and recipient (strike one against this message), but another anomaly also raised alarm bells: the collection of recipients themselves was identified by Darktrace's AI as highly unusual.

As Fein explains, some groups of users are more likely to be on a message thread together, and others aren't; some are expected to receive external messages from unknown senders, and others aren't. So, if a message is sent to a random sprinkling of employees from the human resources department, the development team, and other unrelated lines of business, for example, Darktrace's technology will take notice.
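A simple version of the recipient-set reasoning Fein describes can be built from nothing more than past message traffic. The following added example (not Darktrace code) records which recipient pairs have previously shared a message and which recipients have previously received mail from outside senders, then scores a new message on how many of its recipient pairs are novel and how many recipients have never been exposed to external mail. The message history and the 0.5 novelty threshold are constructed for the demo.

```python
"""Score how unusual a recipient set is, given past message traffic.

Added example, not Darktrace code. The message history below is constructed:
three small groups that normally mail within themselves, with one team that
routinely hears from outside senders.
"""
from itertools import combinations

# Constructed history: (sender_is_external, recipients)
HISTORY = [
    (False, ["hr1@corp.example", "hr2@corp.example", "hr3@corp.example"]),
    (False, ["hr1@corp.example", "hr2@corp.example"]),
    (False, ["dev1@corp.example", "dev2@corp.example"]),
    (False, ["dev2@corp.example", "dev1@corp.example"]),
    (True,  ["sales1@corp.example", "sales2@corp.example"]),
    (True,  ["sales1@corp.example"]),
]

NOVELTY_THRESHOLD = 0.5   # constructed cut-off for the demo


def build_profile(history) -> dict:
    """Count which recipient pairs have shared a message, and note which
    recipients have ever received mail from an external sender."""
    pairs = {}
    external_exposed = set()
    seen = set()
    for is_external, recipients in history:
        rcpts = sorted(set(recipients))
        seen.update(rcpts)
        if is_external:
            external_exposed.update(rcpts)
        for pair in combinations(rcpts, 2):
            pairs[pair] = pairs.get(pair, 0) + 1
    return {"pairs": pairs, "external_exposed": external_exposed, "seen": seen}


def score_recipients(profile: dict, recipients, sender_is_external: bool) -> dict:
    """Flag a recipient set whose members rarely appear together, or who
    have never before heard from an outside sender."""
    rcpts = sorted(set(recipients))
    all_pairs = list(combinations(rcpts, 2))
    novel = [p for p in all_pairs if p not in profile["pairs"]]
    result = {
        "novel_pair_ratio": (len(novel) / len(all_pairs)) if all_pairs else 0.0,
        "never_seen": [r for r in rcpts if r not in profile["seen"]],
        "never_external": [r for r in rcpts
                           if sender_is_external and r not in profile["external_exposed"]],
    }
    result["unusual"] = (result["novel_pair_ratio"] >= NOVELTY_THRESHOLD
                         or bool(result["never_external"]))
    return result


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed case matching the article: an unknown external sender mails a
    # random sprinkling of HR, development, sales and finance staff at once.
    scattered = ["hr1@corp.example", "dev2@corp.example",
                 "sales1@corp.example", "fin1@corp.example"]
    print(score_recipients(profile, scattered, sender_is_external=True))
    print(score_recipients(profile, ["hr2@corp.example", "hr1@corp.example",
                                     "hr3@corp.example"], sender_is_external=False))
```

The two printed cases show the contrast the text draws: the scattered cross-department set has no pair that has ever appeared together and three recipients who have never received external mail, while the routine HR thread scores zero on both counts.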

The email attacks that impressed (and distressed) Fein this year are those that used clever techniques to give target recipients, and their security tools, more reasons to trust them.

"They use some company that you might recognize. Or recognize their infrastructure. … Or you receive an email from someone you know and then you think you're logging in to respond to them," he says. "It all just adds credibility to the fact that what you're about to do makes sense."

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.
