Flagging Treacherous Ground: Converting Security Liabilities into Assets

New school security awareness training has become an integral part of the layered security posture developed by many organizations large and small. In an era where zero day exploits are regularly delivered to users' inboxes and even the best anti-virus engines routinely miss newly released malicious files and links, users are truly the last line of defense for your company -- the only thing standing between your corporate network and a catastrophic ransomware outbreak or, even worse, backdoor trojans that allow malicious parties to plunder at will the company's most guarded secrets and treasures.

Few of the users who go through security awareness training, however, are technically savvy. Still fewer have a decent grasp of online security threats or the increasingly sophisticated social engineering schemes they will confront when carefully crafted phishing emails land in their inboxes. In other words, they need all the help they can get.

Much of the advice that users are given to help them spot malicious emails involves prompting them to look for suspicious elements in the Date:, To:, From:, and Subject: lines of emails, odd and out of place content in the email body, or indications that embedded links or attachments may be malicious.

While this kind of advice is useful, many users may benefit from learning different kinds of "red flags" to look for in emails -- red flags that are simpler and that rely less on their own subjective powers of judgement. In what follows we lay out three different types of red flags that could help users more quickly spot potentially malicious emails and recognize when they are on treacherous ground.

Phishing Genres

When the most sophisticated phishing campaigns are putting out highly polished emails that use deviously clever social engineering hooks to tempt users into clicking through malicious links or opening highly destructive attachments, advising those users to look for bad grammar and spelling becomes less and less useful.

Despite the increasing sophistication of phishing campaigns over the past few years, we have noticed that the majority of phishing emails that customers share with us via the Phish Alert Button (PAB) fall into a small number (roughly ten) of what we have coined as a new term: "phishing genres." Users who learn these genres will be better equipped to recognize when they are dealing with a potentially malicious email.

1. The Invoice/P.O. Phish

Undoubtedly the most common phishing genre in the emails reported to us via the Phish Alert Button (PAB), this type of phish easily blends into the deluge of emails that employees in many positions deal with on a daily basis.

Employees who routinely process purchase orders and invoices should be trained to recognize that as routine as such emails can seem, they need to be on guard when they are asked to click on links and attachments presented to them in such emails.

2. The Package or Parcel Delivery Phish

Companies and organizations in the business of delivering packages and parcels now email customers and users on a daily basis. Once again, the bad guys regularly seek to capitalize on and exploit this kind of business-to-business communication by crafting phishing emails that mimic those sent by recognized organizations like USPS, UPS, FedEx, and DHL.

3. The Document or File Delivery/Sharing Phish

As with emails from companies like UPS or FedEx, emails involving files being shared or delivered through services like Docusign and Dropbox are a familiar part of the online business landscape. Users who unthinkingly click on the links or attachments contained in what appear to be innocuous file sharing emails could be in for a nasty surprise.

4. The Fake Fax Phish

Employees in your company should be familiar with the appearance of emails generated internally by your organization's fax software solution so that they can instantly recognize a fake when it appears.

5. The Fake Voicemail Phish

Similarly, your company's employees need to recognize legitimate voicemail notifications delivered internally so that they can more readily recognize a malicious imposter when they encounter it.

6. The Online Account Verification/Update Phish

Probably the granddaddy of all phishing genres, this one is still going strong after more than a decade of heavy use by the bad guys. All too many users will still click through malicious emails telling them there is a problem with one of their online accounts (often an online banking account) and that they need to verify their identity or confirm the information on that account to keep it active.

7. The Email Storage Limit Phish

Most employees are attentive to the status of their email accounts and will be responsive to emails informing them of problems with those accounts.

8. The Email Upgrade/Update Phish

Employees within your organization are probably so familiar with (and inured to) the regular cycle of software updates and upgrades pushed by the IT department that many of them won't even blink when they encounter an email such as this:

Again, familiarizing your employees with what legitimate emails from your IT department or Help Desk look like would help them spot fakes like the above.

9. The Email Password Expiration Phish

Another one of the regular cycles your employees will have been accustomed to is the periodic notifications they receive when their email passwords are set to expire.

If your employees cannot distinguish a legitimate password expiration email from a malicious one, your IT department will be far busier (and more miserable) than it needs to be.

10. The Email Account Deactivation Phish

Despite the sheer misery that the regular deluge of office emails causes so many employees, most recognize that their email accounts are vital to their jobs.

PDFs with Embedded Links

Although the bad guys are known to use exploits within attachments delivered through phishing emails, the vast majority of malicious attachments that we see actually require users to take some kind of action to compromise their accounts (usually via a credentials phish) or their workstation (via malicious software).

While we may wish that employees never opened such attachments, the sad fact is that many will. If your employees are trained to recognize the two most common malicious attachments -- and they are surprisingly easy to spot -- your company can contain much of the damage and dramatically reduce its exposure to compromised user accounts and ransomware outbreaks.

By far the most common malicious attachments our customers report are PDFs with embedded links that point to web pages that tempt marks into coughing up the credentials to their user accounts or that kick off the download of malware.

Any simple PDF file containing an embedded link that users are invited to click should be regarded as malicious until proven otherwise, and employees need to be trained to treat them as such.

Office Docs with Macro Warning Screens

The second most common malicious attachment is even easier to spot: the Office doc with an embedded macro.


While the use of macros within legitimate business documents is not uncommon, the use of elaborate and highly polished graphics to walk potential marks through the process of enabling macros within Office documents most certainly is. These kinds of macro warning screens are fairly unique to malicious documents and constitute a dead giveaway that something is amiss.
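Both attachment red flags described above (PDFs with embedded links, Office docs carrying macros) can also be checked mechanically before a message reaches the user. The following is an added example, not code from the original article or its author; the function names and the sample message are constructed for illustration. It only sees links stored uncompressed in the PDF and macros in zip-based Office formats (.docm, .xlsm and similar), not legacy .doc/.xls files.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # uncompressed PDF link actions only

def attachment_flags(raw_email: bytes) -> dict:
    """Map attachment filename -> list of red flags found in it."""
    findings = {}
    for part in message_from_bytes(raw_email).walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        data = part.get_payload(decode=True) or b""
        flags = []
        if data.startswith(b"%PDF-"):
            # Links inside compressed object streams are not visible here.
            flags += ["pdf-link:" + u.decode("latin-1") for u in URI_RE.findall(data)]
        elif data.startswith(b"PK"):
            # OOXML documents are zip archives; VBA macros live in vbaProject.bin.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                        flags.append("vba-macros")
            except zipfile.BadZipFile:
                flags.append("corrupt-zip")
        if flags:
            findings[name] = flags
    return findings

def build_sample() -> bytes:
    """Constructed sample: a PDF with a link, a macro doc, and a clean doc."""
    def ooxml(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n in names:
                z.writestr(n, b"constructed")
        return buf.getvalue()
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI (https://login.example.test/verify)>>>>endobj\n%%EOF"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(ooxml(["word/document.xml", "word/vbaProject.bin"]), maintype="application", subtype="octet-stream", filename="po.docm")
    msg.add_attachment(ooxml(["word/document.xml"]), maintype="application", subtype="octet-stream", filename="notes.docx")
    return msg.as_bytes()
```

A flagged attachment is a prompt for closer inspection or quarantine, in the same "malicious until proven otherwise" spirit as the advice to users.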

Using These Red Flags

Malicious actors on the internet are constantly adapting and innovating, and the red flags we have discussed above by no means cover the full range of malicious emails that could drop into your employees' inboxes. They do cover a large percentage of those phishing emails, though.

As we noted earlier, your employees need all the help they can get when they encounter the increasingly sophisticated phishing campaigns in use today. These three red flags -- common phishing genres, PDFs with embedded links, and Office docs with macro warning screens -- are designed to complement, not replace, the more traditional red flags your security awareness training platform educates your employees to spot. They can serve as ready alerts to users that they are on treacherous ground with certain kinds of emails and that they need to carefully inspect other key aspects of those potentially malicious emails.

Employees trained to recognize when an email puts them on dangerous ground become security assets, not liabilities. And in this time of aggressive and sophisticated mass phishing campaigns, your organization's IT department needs all the assets it can lay its hands on.