Part 1 of a 5-part series.   

The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.  

Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.  

It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defense and think differently – understanding that REAL phish are the REAL problem. In this blog series, we’ll explore these uncomfortable truths and perhaps challenge conventional thinking. Ultimately, we’ll aim to equip you with a refreshed perspective on how to stop phishing attacks in their tracks.

Uncomfortable Truth #1 – No matter how good your perimeter defenses, phishing emails are still reaching the inbox.

Don’t forget to check out Cofense’s Sharpening Your Defenses website.

Contrary to much of the marketing hype we see in the cybersecurity industry, technology does not, and cannot, stop all phishing emails from reaching a user’s inbox. Sure, technologies like secure email gateways do a good job at stopping known threats and risk patterns, and machine learning and artificial intelligence may live up to expectations for certain attack types such as business email compromise.  

But, and it’s a big but, as defensive technologies become more pervasive, threat actors simply evolve their tactics and techniques to neutralise them. Added to that, any security control is a balance of protection over usability – i.e. being frictionless to the user. Here at Cofense™, we see this every day.  

The Cofense Phishing Defense Center currently receives and analyzes suspicious emails from some 2 million enterprise users globally. That’s quite a network of human sensors. 1 in 7 of the emails reported by these users is found to have malicious content. The important thing to remember is that every email our analysts examine has bypassed one or more layers of technical controls that were put in place to prevent threats from reaching the inbox.

The tactics and techniques used to maximize chances of successful delivery and payload execution are evolving all the time. Some of these tactics pit technology against technology, while others remain surprisingly low tech.  

Waxing Lyrical about the Brazilian Phish.  

Recently, the Cofense Phishing Defense Center began receiving reported emails that followed the somewhat unimaginative but proven theme of ‘Attached Invoice.’ Upon analysis, the attachment appeared benign – no malicious behavior was observed.  

However, it had all the hallmarks of a phish, and the analysts could see more reports arriving – all from Brazil. With this in mind, they put on their metaphorical Brazilian hat, and gave their analysis workstation a Brazilian IP address.   

This time, upon execution, the analysts observed different behavior with the attachment. A connection was made to payload infrastructure, and a malicious script was downloaded. The script didn’t execute, but deeper analysis identified further location validation checks. After configuring the analysis workstation with a Brazilian locale and keyboard layout, the sample was executed again, and, voila, IOCs were captured. The net result? Automated analysis would have had a hard time identifying this threat, as this customer’s perimeter controls clearly did.  

Zombie Apocalypse. Now.

Here’s another example of how phishing tactics evolve. Out of nowhere, someone responds to an email conversation that wrapped up months ago. It’s a real conversation that actually happened. Maybe it’s about a meeting, a job opportunity, or a reply to that problem you had over a year ago; this email is highly relevant to you. But something is off, the topic of the email is months out of date, and now there is a weird error message.

Meet the Zombie Phish, a devious tactic that revives a long-dead email conversation.

Fraudsters hijack a compromised email account, and using that account’s inbox, reply to dormant conversations with a phishing link or malicious attachment. Because the subject of the email is directly relevant to the victim, a curious click is highly likely to occur.

These types of attacks are dangerous as they can involve internal–to–internal communication, or communication between trusted third parties. When combined with other techniques such as malicious content being hosted in cloud-sharing services like Dropbox, OneDrive, or Sharepoint.com, inline controls can be rendered ineffective. Learn more about this attack in this Cofense blog: Re: The Zombie Phish.

Next in this series: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. In the meantime, learn more about the expertise of Cofense Phishing Defense Center.