There are many email security solutions available in the market today, yet organizations still see phishing and malware reach users. In some situations a SOC team may get a report sent by an employee. However, when the payload has reached the users’ computer and has been opened, what normally happens is an alert coming from the endpoint solution. Even worse, the organization becomes compromised – data can be stolen or  encrypted, and business processes are in danger of major disruption. 

Here is a list of the most-used techniques that hackers choose to bypass traditional email security solutions.

Hosting malware on file-sharing services

Cloud storage and data sharing applications such as OneDrive, Google Drive, SharePoint are creating an increasing number of security blindspots for hackers to leverage.

Many file-sharing services offer free packages, which let an attacker upload a payload for free. These services work by using link sharing, and the link then comes from their domain which has a good reputation. The attacker crafts an email and puts the link inside an email. 

Why is this so difficult to detect?

Traditional solutions scan the URL. In these cases, there is nothing suspicious inside, as the link will lead to the legit website. The site itself is safe but when the user clicks on a “download” button the malicious file is activated and your user is compromised.

Phishing scams avoid email security with login forms hidden inside local web pages

In this case, the hacker leverages a login page inside a local html page, which is attached to the email instead of hosting the login page online. And when you open the HTML attachment, any JavaScript inside the HTML will be allowed to run by default by your browser. The page is rendered locally on the victim’s computer, and only after credentials are entered  into the fake login page, a JavaScript code (usually obfuscated) uploads this information online straight to the attackers’ hands.

Why is this difficult to detect?

  • The email does not contain an embedded  link that could be unpacked and scanned. All engines based on reputation (URL reputation, domain legitimacy and so on) are not valid. Also solutions such as URL rewriting in Office365 will not help.
  • The URL in the address bar seems as if it is harmless, with no website name.

Spotting Spear Phishing

Attackers try to trick users into thinking they landed on a well-known internal company portal. The attacker identifies a third-party service that a company uses, and mimics it with fake versions of it.

Why is this difficult to detect?

  • Employees expect to see emails from these sources as internal only, and will not pay attention to signs of phishing.
  • Some company portals are accessed from the internet—making hackers’ lives even easier to spoof them. 

In the below example, we can see a fake Okta login page. It contains all visual elements and the company’s logo (and it’s even SSL encrypted), just waiting for the user to enter his or her credentials (an action done several times a day). A large portion of phishing campaigns sent to companies are actually an impersonation of their own brand.

ATO Detection

Account takeover benefits from the account’s credibility and history with their own company and external organizations that they do business with.  A fraudster who has access to an account can cause tremendous damage.

Why is this difficult to detect?

  • With ATO, the email is coming straight from the vendor’s IP and the actual sender’s mailbox. 
  • The attacker will read the email communications, and wait for the perfect time to inject a message for fund transfer. He will usually reply back with a signature that’s identical to the vendor’s and will ask for you to transfer money to other bank accounts.

Blacklisting email security vendor IP addresses

Hackers blacklist email security vendors’ IP addresses. They create phishing websites, being aware that their target is highly fortified, and they assume email security solutions will scan their website before it will reach the end user. 

Why is this difficult to detect?

By fingerprinting the different email security solutions, a hacker can understand what the IP addresses are of the email security provider services. Once fingerprinted, they can easily blacklist that IP.

Recommendations

  1. When selecting an email security solution, an organization should consider a service that identifies all threats before they arrive in a user’s inbox. The ideal solution should provide various detection layers to identify advanced phishing attacks as well as ATO, malware, 0-days and more.

Look for services that:

  • Dynamically scan 100% of emails and their embedded content before they arrive to the user’s inbox without affecting user experience
  • Use technology to deterministically provide verdicts on malware and not rely on behavioral analysis
  • Leverage image analysis Image recognition of URLs
  • Can detect account takeover detection

  1. Educate your employees to always check the authenticity of the sender by checking if the display name and the email address match in order to decrease the chance of a successful spoofing attempt

  1. Avoid clicking links if you are not sure about them. If you click a link from an email, inspect the website even if it seems to display non-malicious content.

  1. Before giving away details, always check if the domain is known to you and that the website is protected by SSL (HTTPS and not HTTP).

This article originally appeared in Cyber Defense Magazine in the December 2021 edition.