Darktrace email finds: Fake ShareFile notification from compromised supplier account

Dan Fein, Director of Email Security Products | Monday August 10, 2020

Type of attack: Spoofing

Organization: Construction, EMEA

Time and date: 2020-06-18 08:05 UTC

Mailboxes: <1000

100%
Thu Jun 18 2020, 04:05:52
From:share_file® <[email protected]>
Recipient:<[email protected]>
Notification! Acc ID: 2749742
Email Tags
Suspicious Link
Actions on Email
Move to Junk
Hold Message
Double Lock Link

Figure 1: An interactive snapshot of Antigena Email’s user interface

Antigena Email recently detected a malicious email sent from a legitimate corporate email account – presumably that of a supplier – that had been subject to an account takeover. The email claimed to be a ShareFile notification, but contained links to malicious domains previously associated with phishing attacks. These webpages are commonly designed to trick users into downloading malware or leaking sensitive corporate information.

Figure 2: A subset of the breached models and associated actions

Why was this attack effective?

This attack combined an account takeover with a typical impersonation attack. At first glance, all of the email’s elements appear legitimate, from the ShareFile notification, to the genuine and trusted corporate email address, to the subject line.

The email contained an additional misleading link featuring an email address seemingly associated with the recipient, but that also redirected a user to a malicious webpage. Believing that the email contained genuine ShareFile content, given past legitimate business interactions with the supplier, a user may have easily clicked on one of the malicious links and entered sensitive information on the phishing page.

Sender information

The sender’s name was listed as “share_file®”, but the email address was associated with a compromised account from a Ukrainian electronic components company.

Why did this attack bypass other email security solutions?

As the email came from a genuine corporation and trusted supplier known to the organization, it would have passed the Sender Policy Framework (SPF) authentication technique and been considered legitimate. The fact that the account sending the email had not yet been reported as compromised meant that the email was not flagged as spam by traditional security solutions, and would have been able to distribute malicious content to employees.

AI email security that evolves with you

Antigena Email recognized that the suspicious link in the email fell outside of both the sender and recipient’s normal ‘patterns of life.’ The AI took the strongest possible action, preventing the targets from engaging with the email and malicious link contained within. Compromised accounts can be some of the most difficult attacks to detect, because of the trusted relationships that exist with other organizations. This attack demonstrates the power of AI email security that continuously evolves with a business.

Thanks to Darktrace analyst Lucas O’Donohue for his insights on the above threat find.

For an analysis of 13 more email attacks, read the Email Security Threat Report 2020

Dan Fein

Based in New York, Dan is the Director of Email Security Products for the Americas. He joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s world-leading Cyber AI Platform and products. Dan has a particular focus on Antigena Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.