Darktrace email finds: IT impersonation attack

Dan Fein, Director of Email Security Products | Friday July 24, 2020

Type of attack: Payload delivery; Impersonation

Organization: Charity, US

Time and date: 2020-06-11 07:05 UTC

Mailboxes: <5000

Cyber-criminals often profit from a climate of uncertainty and fear, as it can make people act in haste and ignore warning signs. COVID-19 has created an environment perfect for scammers looking to exploit human error. Spoofing IT departments’ emails is a popular method of social engineering in email attacks. It relies on employees’ tendency to follow orders from authority figures with little or no hesitation. This is further compounded by the increase in work from home and greater reliance on remote interaction with IT support.

Figure 1 snapshot (recoverable fields): anomaly score 100%; Thu Jun 11 2020, 16:49:20; From: holdingsinc.org – IT <[email protected]>; Recipient: <[email protected]>; 11th of June, 2020; Email Tags: Suspicious Link, New Contact; Actions on Email: Lock Link, Move to Junk

Figure 1: An interactive snapshot of Antigena Email’s user interface

Sender information

The attacker had disguised the address field to resemble the organization’s IT department.

Apparent motive

The emails contained a link which Darktrace’s AI identified as a 100% rare domain, meaning no device across the organization had ever previously accessed it. The links also contained the recipients’ email addresses, suggesting that they led to a fake login page intended to trick an employee into entering sensitive data.

Figure 2: The anomalous link in question

Antigena Email’s actions

Delivery action: Hold message

Antigena Email took its strongest action on this incoming email campaign, preventing the emails from reaching any recipients.

Why did this attack bypass other email security solutions?

Spoofing involves forging some visible aspect of the email headers, such as the display name in the From field. Attackers use this technique to make an email appear as if it came from someone recognizable, such as an IT department or company executive. In this case it was enough to fool the existing security solutions, and could have fooled a recipient into clicking the link and entering their credentials had Antigena Email not been installed.
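The three signals described in this write-up (an "IT" display name on an external sender address, a link domain no device in the organization has visited before, and the recipient's own address embedded in the link) can be checked directly against a message's headers and body. The following Python is an added example, not Darktrace's code or scoring; the sample email, the `.test` domains and the `rarity` stand-in for a domain-rarity score are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

# Constructed sample: display name borrows the org's IT branding, the real sender
# domain is external, and the link carries the recipient's address as a parameter.
RAW_EMAIL = """\
From: "holdingsinc.org - IT" <it-support@mail-verify-example.test>
To: <jane.doe@holdingsinc.org>
Subject: Action required: mailbox re-validation
Content-Type: text/plain

Your mailbox will be suspended. Validate here:
https://mail-verify-example.test/login?user=jane.doe%40holdingsinc.org
"""

ORG_DOMAIN = "holdingsinc.org"
IT_WORDS = re.compile(r"\b(it|helpdesk|it support|support)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rarity(domain, seen_domains):
    """Assumed stand-in for a rarity score: 1.0 means no device in the org has
    ever contacted the domain (the '100% rare' case), 0.0 means it is known."""
    return 0.0 if domain.lower() in seen_domains else 1.0


def analyze(raw, org_domain, seen_domains):
    """Return the sorted list of impersonation/phishing tags raised for one email."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    _, recipient = parseaddr(str(msg["To"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    tags = set()
    # Display name claims the org or its IT desk while the address is external.
    if (org_domain in display.lower() or IT_WORDS.search(display)) and sender_domain != org_domain:
        tags.add("IT impersonation")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if rarity(host, seen_domains) == 1.0:
            tags.add("100% rare domain")
        # Recipient address embedded in the link is a tell for a pre-filled fake login page.
        if recipient and recipient.lower() in unquote(url).lower():
            tags.add("Recipient address in link")
    return sorted(tags)
```

Run with a set of domains the organization has already been seen contacting; the phishing sample raises all three tags, and the rarity tag drops once the link domain is added to that set.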

Dan Fein

Based in New York, Dan is the Director of Email Security Products for the Americas. He joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s world-leading Cyber AI Platform and products. Dan has a particular focus on Antigena Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.