Blog

Email

Threat Finds

Darktrace email finds: Impersonation attack of board member targets Gmail account

Darktrace email finds: Impersonation attack of board member targets Gmail accountDefault blog imageDefault blog image
07
Jul 2020
07
Jul 2020

Email and other communication platforms rely on an assumption of trust that, given the increased reliance on communication platforms during the pandemic, has never been under greater scrutiny. Email’s very efficacy is dependent on the fact that employees trust the source of the requests and the information landing in their inbox every day. This is especially true when emails come from a known figure, such as a trusted supplier, adviser, partner, or executive, even one who isn’t a frequent correspondent.

It is for this reason that impersonation attacks are so dangerous, and why, given their success rates, they’re being used even more by cyber-criminals. Recently, Darktrace saw three related email attacks target high-profile individuals at a financial services organization, each sent from three separate email accounts impersonating the CEO, the CFO, and a board member.

It is not unusual for board members to email from addresses that are external to the company they serve on the board of. An investor might choose to use their firm’s account or their personal email. Many organizations have a bio of their board members and executives publicly available on their websites, including references to other activities they are involved with. This easily provides contextually relevant information to would-be attackers. For these reasons, impersonation attacks are both highly tailored and highly effective.

The phishing attacks that slipped the hook

This attack was detected in the Gmail environment of an Antigena Email customer. Over the course of a single week, three malicious emails bypassed the existing email security tools in place and attempted to solicit sensitive information from three senior staff members. Each was sent on a different day, at different times, from different addresses, but the ASN address revealed that all three seemed to originate from the same source. This suggests that the three emails were launched by the same attacker attempting to impersonate a few key users to gain access to company details.

Figure 1: An overview of the three anomalous emails identified within the same week

Looking into the most recent email, we see Antigena Email’s analysis of the threat. This email appears to be a targeted spoofing or solicitation attack imitating a board member and targeting a high-ranking individual in the finance department.

We can see from the 86% anomaly score that Antigena Email understood this email as being significantly unusual. The tags summarize the main findings: the email showed signs of solicitation, but interestingly did not appear to contain attachments or links. This is a common method that attackers use to bypass legacy tools that rely on access and deny lists, known attacks, rules, and signatures to spot and stop email attacks. With no malicious links for legacy tools to flag, these attacks easily slip past traditional security solutions.

Figure 2: The email tags and actions associated with one of the offending emails

Catching the subtle and stealthy with AI

This was clearly a well-thought-out attack. The varied senders, the inconsistency in the emails, and the gaps of time between the messages suggests that this was an attacker who was taking their time. Rather than relying on a ‘spray and pray’ approach – sending out thousands of emails in the hope that one or two users might engage – they spent time researching the organization, crafting highly-tailored, well-written messages in an attempt to gain a foothold.

The attacker presumably believed that this slow and stealthy strategy could have paid off with high rewards, targeting only high-profile individuals with the attacks. And without Darktrace’s self-learning email security technology actively analyzing every email in real time, this approach may have been successful.

Indeed, these well-researched, carefully-crafted emails would be nearly impossible for security teams to identify with legacy tools alone. Luckily, by deploying Cyber AI across email, which can learn the patterns of normal communication and behavior for every employee across a company, organizations can detect and prevent these kinds of stealthy attacks that are so often hidden in the noise of email communications.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
Director of Email Security Products

Mariana is the Director of Email Security Products at Darktrace, with a primary focus on the capabilities of AI cyber defenses against email-borne attacks. Mariana works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience within the email domain, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: Impersonation attack of board member targets Gmail account
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.