Darktrace email finds: Impersonation attack of board member targets Gmail account

Mariana Pereira, Director of Email Security Products | Tuesday July 7, 2020

Email and other communication platforms rely on an assumption of trust that, given the increased reliance on communication platforms during the pandemic, has never been under greater scrutiny. Email’s very efficacy is dependent on the fact that employees trust the source of the requests and the information landing in their inbox every day. This is especially true when emails come from a known figure, such as a trusted supplier, adviser, partner, or executive, even one who isn’t a frequent correspondent.

It is for this reason that impersonation attacks are so dangerous, and why, given their success rates, they’re being used even more by cyber-criminals. Recently, Darktrace saw three related email attacks target high-profile individuals at a financial services organization, each sent from three separate email accounts impersonating the CEO, the CFO, and a board member.

It is not unusual for board members to email from addresses that are external to the company they serve on the board of. An investor might choose to use their firm’s account or their personal email. Many organizations have a bio of their board members and executives publicly available on their websites, including references to other activities they are involved with. This easily provides contextually relevant information to would-be attackers. For these reasons, impersonation attacks are both highly tailored and highly effective.

The phishing attacks that slipped the hook

This attack was detected in the Gmail environment of an Antigena Email customer. Over the course of a single week, three malicious emails bypassed the existing email security tools in place and attempted to solicit sensitive information from three senior staff members. Each was sent on a different day, at different times, from different addresses, but the ASN address revealed that all three seemed to originate from the same source. This suggests that the three emails were launched by the same attacker attempting to impersonate a few key users to gain access to company details.

Figure 1: An overview of the three anomalous emails identified within the same week

Looking into the most recent email, we see Antigena Email’s analysis of the threat. This email appears to be a targeted spoofing or solicitation attack imitating a board member and targeting a high-ranking individual in the finance department.

We can see from the 86% anomaly score that Antigena Email understood this email as being significantly unusual. The tags summarize the main findings: the email showed signs of solicitation, but interestingly did not appear to contain attachments or links. This is a common method that attackers use to bypass legacy tools that rely on access and deny lists, known attacks, rules, and signatures to spot and stop email attacks. With no malicious links for legacy tools to flag, these attacks easily slip past traditional security solutions.

86%
Fri Jul 03 2020, 17:24:05
From:David Smith <[email protected]>
Recipient:Vanessa Milanez <[email protected]>
[no subject]
Email Tags
Solicitation
No Association
Freemail
New Contact
Actions on Email
Move to Junk

Figure 2: The email tags and actions associated with one of the offending emails

Catching the subtle and stealthy with AI

This was clearly a well-thought-out attack. The varied senders, the inconsistency in the emails, and the gaps of time between the messages suggests that this was an attacker who was taking their time. Rather than relying on a ‘spray and pray’ approach – sending out thousands of emails in the hope that one or two users might engage – they spent time researching the organization, crafting highly-tailored, well-written messages in an attempt to gain a foothold.

The attacker presumably believed that this slow and stealthy strategy could have paid off with high rewards, targeting only high-profile individuals with the attacks. And without Darktrace’s self-learning email security technology actively analyzing every email in real time, this approach may have been successful.

Indeed, these well-researched, carefully-crafted emails would be nearly impossible for security teams to identify with legacy tools alone. Luckily, by deploying Cyber AI across email, which can learn the patterns of normal communication and behavior for every employee across a company, organizations can detect and prevent these kinds of stealthy attacks that are so often hidden in the noise of email communications.

For an analysis of 13 more email attacks, read the Email Security Threat Report 2020

Mariana Pereira

Mariana is the Director of Email Security Products at Darktrace, with a primary focus on the capabilities of AI cyber defenses against email-borne attacks. Mariana works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience within the email domain, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.