This past week, Armorblox's threat research team discovered invoice-themed impersonation email attacks hitting customer environments, luring recipients to click malicious links under the pretext of collecting an Electronic Funds Transfer (EFT) payment. In this attack, the attackers once again leaned on cloud services, in this case Microsoft Office 365 branding and a landing page hosted on Google Firebase, to extract Microsoft login credentials and personal information such as an alternate email address and phone number from victims.
Armorblox has now released findings that detail how this attack works. To learn more, VMblog reached out to Rajat Upadhyaya, Head of Engineering at Armorblox.
VMblog: Armorblox just published threat research outlining a Microsoft phishing attack that was hosted on Google Firebase. Can you provide a brief overview of the attack?
Rajat Upadhyaya: The email attack highlighted in our research pretends to share information about an EFT payment with a link to download an HTML invoice. Opening the HTML loads a page with Microsoft Office branding that's hosted on Google Firebase. The final phishing page looks to extract the victims' Microsoft login credentials, alternate email address, and phone number.
VMblog: What techniques employed by cybercriminals enabled this email attack to bypass native Microsoft security controls?
Upadhyaya: This email attack employed a variety of techniques, covering most bases to successfully evade native Microsoft email security. Some of these techniques include:
- Passing authentication by using SendGrid.
- Social engineering by crafting the email title and body to convey financial urgency.
- Impersonating the Microsoft brand on the final phishing page to trick users into giving up their credentials.
- Hosting the final URL on Google Firebase to lend the domain a legitimacy that allowed it to bypass email security filters and blocklists.
- Employing link redirects and HTML downloads to obfuscate the attack flow and stop security technologies from following the link to its final destination.
VMblog: The final phishing page was hosted on Google Firebase. Why would you say this is noteworthy? Have you observed this technique before?
Upadhyaya: Hosting the phishing page on Firebase is noteworthy because Google domains have an inherent legitimacy that makes it impossible to preemptively block these URLs using legacy email security filters. The Armorblox threat research team has observed this technique (and other related ones) before. Cybercriminals are regularly exploiting free Google services to launch phishing attacks. Our research note on these attacks from a few months ago covers email scams that used Google Docs, Forms, Sites, and Firebase.
VMblog: Do you have any tips and recommendations for organizations looking to protect themselves against such email attacks?
Upadhyaya: It's important to follow email security hygiene and best practices to protect against these attacks, or at least contain their impact.
- Deploy two-factor authentication (2FA) on all possible business and personal accounts.
- Don't use the same password on multiple sites/accounts.
- Use password management software to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
- Don't repeat passwords across accounts or use generic passwords such as your birth date, 'password123', 'YourName123', etc.
Organizations should also not rely solely on native Microsoft email security, which provides a good base but is not meant to constitute the entire email security stack. The email highlighted in our research got past Microsoft's Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of 1, which means either the email skipped past spam filters or EOP determined that it wasn't spam. For better protection coverage against targeted email attacks, organizations should augment built-in Microsoft capabilities with technologies that take a materially different approach to threat detection. Gartner's Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
VMblog: How was Armorblox able to detect the attack?
Upadhyaya: Armorblox analyzes thousands of signals across identity, behavior, and language to detect advanced email attacks that get past traditional security layers. With most advanced email attacks, there's no one signal or red flag that leads to detection, but rather a confluence of telltale signs that results in Armorblox flagging the email as suspicious.
Some Armorblox insights that led to the attack being detected were:
- Low communication history: Armorblox detected that the sender email in question had a low communication history with the victims' email accounts. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
- Language, intent, and tone: Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). Armorblox language models also detected multiple financial terms used in the email.
- Low domain frequency: Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker's domain had not communicated with the target company as a whole.
- Suspicious URL: Armorblox detected the presence of a suspicious URL in the email, based on factors including but not limited to threat intel sources, suspicious redirections, language associated with the link, dissonance between the link's purported objective and where it actually led to, and so on.
VMblog: How can readers get their hands on this research to learn more?
Upadhyaya: Readers can access the full research note here: https://www.armorblox.com/blog/microsoft-office-phishing-attack-hosted-on-google-firebase
For folks interested in staying up to date with the latest email security trends and attack research, check out other Blox Tales (i.e. email attacks caught by Armorblox) by visiting our blog and going to the 'Use Cases' section: https://www.armorblox.com/blog/