Blog

Email

Threat Finds

Darktrace email finds: QuickBooks impersonation phishing attack

Darktrace email finds: QuickBooks impersonation phishing attackDefault blog imageDefault blog image
24
Jun 2020
24
Jun 2020

Recently in the Darktrace Blog we’ve explored how the current working conditions have resulted in a huge surge in spoofing and impersonation attacks, where attackers masquerade either as trusted colleagues or familiar brands.

These types of email attacks continue to be a successful tactic for cyber-criminals. Forever responsive and adaptive, attackers are taking advantage of the disruption to everyday operations by impersonating credible suppliers to send in fake invoices and other fraudulent emails.

How AI caught a fake invoice attack

This blog explores a string of counterfeit invoices sent to dozens of employees at a cutting-edge technology company. With valuable IP and several research labs, the company is a prime target for organized and ambitious cyber-criminals seeking maximum financial reward for their campaigns. In this particular incident, the threat-actors convincingly impersonated QuickBooks, a leading provider of book-keeping and accounting software, and part of the Intuit group which includes other recognizable brands like TurboTax and Mint.

The spoofed emails contained an invoice notification that closely imitated a legitimate monthly invoice that the organization would expect to receive from QuickBooks. If successfully delivered to the inbox, these would have appeared to come from quickbooks@notification.intuit[.]com.

The ‘invoice’ attached to these emails was actually a macro-containing Office document.

Figure 1: The malicious attachment shown in the Threat Visualizer

The source of the spoofed emails was an IP address in Italy. Since this falls outside the range of IPs that are permitted by Intuit to send mail on their behalf, this breached the SPF model breach within Antigena Email.

However, that in itself was not the main cause for Antigena Email’s detection – any mail server can run an SPF check. The primary factor behind the 100% anomaly score that Antigena Email assigned these emails was the high sender history of the email address – Darktrace was able to see that the failed SPF results were particularly suspicious against the background of SPF passes usually assigned to quickbooks@notification.intuit[.]com.

In addition, Antigena Email recognized that it would be highly unusual for this group of recipients, across multiple departments, to be receiving the same email from the same source – particularly of that particular subject matter. This caused the Cyber AI to hold the emails back in some cases, and in others it took the action to ‘unspoof’ the email, revealing that the invoice was not in fact from Quickbooks.

Figure 2: Five of the offending emails, deemed 100% anomalous by Antigena Email

The above illustrates how these emails appeared in Darktrace’s Threat Visualizer, in comparison to normal legitimate invoices below. Note the identical sender address and similar style of subject line. Had Darktrace’s AI not been analyzing every inbound email in real time, these attacks would have been highly likely to succeed.

Figure 3: Genuine invoices received from Intuit in the same week

The below is a full list of the model breaches piled onto these emails, producing the overall anomaly score of 100% seen above.

Attachment/Dangerous AttachmentAttachment/SPF Anomalous AttachmentAttachment/Spoof Sender AttachmentAttachment/Unsolicited AttachmentSpoof/Meta Popular Domain SpoofType/High Sender HistoryUnusual/Behavioral AnomalyUnusual/Connection AnomaliesValidation/SPF AnomalousValidation/SPF Fail Known Correspondent

Catching the full range of email attacks

Thankfully, the organization in question was an early adopter of a self-learning, AI-powered approach to email security, and the attack was contained at an early stage. But this attack is nothing extraordinary – and these kind of impersonation attempts are affecting organizations across every industry on a daily basis.

The extension of the tax season in the US this year has brought with it a widened opportunity for cyber-criminals to exploit the flurry of activity with fake invoices and other similar attacks. Predictably, a second surge of attacks targeting individuals and small businesses has been reported.

We have already seen an increase of COVID-19 related email attacks. With attackers impersonating trusted brands like Intuit’s TurboTax and QuickBooks, the necessity for defenders to adopt Cyber AI as part of their email security defense is more prevalent than ever.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
Director of Email Security Products

Mariana is the Director of Email Security Products at Darktrace, with a primary focus on the capabilities of AI cyber defenses against email-borne attacks. Mariana works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience within the email domain, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: QuickBooks impersonation phishing attack
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.