BEC attacks are on the rise. Over the last several months, our system has been identifying BEC attempts against our clients on an hourly basis. In this blog we see that attackers are now going beyond spoofing known software vendors like Microsoft by even going after the domains of known email security vendors.

The attack described below is comprised of two layers: spoofing the user’s email address and a phishing attempt to capture Office 365 log-in credentials.

How We Identified this Email Spoofing Attack

Perception Point intercepted a Microsoft phishing attempt which was also concealed by spoofing, a BEC-oriented attack. The spoofed address and the cover email were related to Mimecast, a well-known email security vendor. This example is only one of many Mimecast related attacks we’ve seen targeting our customers and their key employees.

As you can see, the email was sent from a fake “postmaster” address. The attacker only changed the display name, hoping the victim will fall for it and click the “Personal Portal” link. Once the user clicks on the URL, a Microsoft log-in page appears.

Perception Point detected this attack with two different engines. First, our BEC engines identified the attempt to spoof the domain name. Second, our propriety image recognition engine detected the attempt to steal the credentials of the end user.

Recommendations for protecting against an email spoofing attack:

  1. Employ multiple layers of detection: in this example, the attack was detected by two different layers, both acting as fail-safe mechanisms to one another.
  2. Train your employees to be aware of key attack techniques, including domain spoofing.
  3. Remember that phishing comes in many shapes (e.g. different phished domains, different text) and sizes (spear phishing or mass campaigns). You need to utilize a system that can detect all types of impersonation-based attacks.