Blog

Inside the SOC

Email

Bytesize security: Impersonation tactics fail to fool Darktrace AI

Bytesize security: Impersonation tactics fail to fool Darktrace AIDefault blog imageDefault blog image
24
Oct 2022
24
Oct 2022

Two of the most popular ways threat actors send malicious emails is through the use of spoofing and impersonation tactics. While spoofed emails are sent on behalf of a trusted domain and obscure the true source of the sender, impersonation emails come from a fake domain, but one that may be visually confused for an authentic one. In order to identify impersonation tactics in a suspicious email, we should first ask why an attacker might utilize an impersonation approach over spoofing.

In contrast to domain spoofing, which lacks validation and can be readily detected by email security gateway softwares, impersonation with a lookalike domain allows attackers to send emails with full SPF and DKIM validation, making them appear legitimate to many security gateways. This blog will explore impersonation tactics and how Darktrace/Email protects against them. 

There are two distinct ways to leverage impersonation tactics: 

1.     Impersonating the domain 

2.     Impersonating a real user from that domain  

Domain impersonation is often implemented with the use of ‘confusable characters’. This involves misspelling through the use of character substitutions which make the domain look as visually similar to the original as possible (eg. m rn, o 0, l  I). Threat actors can then also impersonate a real user by adding the the personal field of that user’s email to the new, malicious domain. Comparing impersonation emails with legitimate emails highlights how similar these malicious email addresses are to the real thing (Figure 1).

Figure 1- Email log that highlights the impersonated emails from “Mike Lewis” from the domain “smartercornmerce[.]net”. Along with the impersonated domain, the attackers attempt to impersonate the known user, “Mike Lewis” as well. The use of both distinct types of impersonation categorize the email as what Darktrace/Email refers to as a Double Impersonation email.

Figure 2- Email Summary details of one of the malicious double impersonation emails that was sent by the impersonated sender, “Mike Lewis” from “smartercornmerce[.]net”, that highlights the various anomaly indicators that Darktrace/Email detected, as well the various tags and actions it applied.

Darktrace/Email uses AI which analyses impersonation emails by comparing the ‘From’ header domains of emails against known external domains and generates a percentage score for how likely the domain is to be an imitation of the known domain (Figure 3).  

Figure 3- Darktrace compares the external sender, “mike.lewis@smartercornmerce[.]net”, with similar external names and domains that have been observed in different inbound emails on the network.


Impersonation emails are also detected via spoof score metrics such as Domain External Spoof Score and Domain Internal Spoof Score (Figure 4). 

Figure 4- Darktrace AI analyzed the malicious double impersonation email from Figure 2 and generated a high Domain External Spoof Score (100) and Spoof Score External (94)


Double Impersonation emails such as the one highlighted in Figure 2 are utilized by threat actors to gain the trust of the recipient and convince them to access malicious payloads such as phishing links and attachments. For example, the malicious double impersonation email from Figure 2 contained a suspicious hidden link to a Wordpress site which could have redirected the user to a phishing endpoint and tricked them into divulging sensitive information (Figure 5). The endpoint itself appears to lead unsuspecting recipients to a false share link posing as a payment-themed Excel file.

Figure 5- Details of the Wordpress link embedded in the suspicious email, which was hidden beneath display text to convince a user to click it without knowledge of where it would lead. The domain has a 100% rarity according to Darktrace AI.

Figure 6- Wordpress webpage that highlights another link for the user to click in order to be redirected to the invoice statement in a Microsoft Excel document.

Various indicators highlighted the webpage as suspicious and potentially malicious. Firstly, the use of ‘SmarterCORNmerce’ in the link to the webpage was at odds with the use of SmarterCOMMERCE throughout the page itself. The link also showed the invoice statement to be an Microsoft Excel file, despite the email suggesting it was a PDF document. Further investigation revealed the link to be associated with a Fleek hosting service and CDN (Figure 7), and that it redirected users to a fake Microsoft page. 

Figure 7 - Source code from the Wordpress webpage shows that the fake Microsoft link redirects users to a Fleek hosted page. This page may contain additional javascript content to download malware onto the user’s device.

As well as the domain spoof score metrics highlighted in Figure 4, Darktrace/Email analyses the suspicious payloads embedded in emails and generates scores to indicate the likelihood that a payload may be a phishing attempt.

Figure 8- Additional metrics for the double impersonation email that highlight the high phishing inducement score (96) for the email.

As the DETECT functionality of Darktrace/Email generates high scores metrics such as Domain External Spoof Score and Phishing Inducement, the RESPOND function will fire complementary models which then trigger relevant actions on the various payloads embedded in these emails and even the delivery of the emails themselves. As the impersonation email highlighted in Figure 2 impersonated not only the trusted domain but the known and trusted sender, Darktrace AI triggers the Double Impersonation model. Additional spoofing models such as ‘Basic Known Entity Similarities + Suspicious Content’ and ‘External Domain Similarities + Maximum Similarity’ were also triggered, indicating the high possibility that the suspicious email is a domain and user impersonation email sent by a malicious attacker.

Figure 9- The Email console highlights the different models the email triggered, including the Basic Known Entity Similarities + Suspicious Content and External Domain Similarities + Maximum Similarity model breaches and the various models that triggered significant actions in response to the potentially malicious impersonation email.


When Darktrace/Email detects a malicious double impersonation email, it responds by triggering a Hold action, preventing the email from appearing in the recipient’s inbox. Darktrace/Email’s RESPOND functionality could also take action against the suspicious link payloads embedded in the email with a Double Lock Link action. This will prevent users from attempting to click on malicious phishing links. Such actions highlight how Darktrace/Email excels in using AI to detect and take action against potentially malicious impersonation emails that may be prevalent in any user’s inbox. 

Though impersonation is becoming increasingly targeted and efficient, Darktrace/Email has both detection and response capabilities that can ensure customers have secure coverage for their email environments.

Thanks to Ben Atkins for his contributions to this blog.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
George Kim
SOC Analyst
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Bytesize security: Impersonation tactics fail to fool Darktrace AI
Share
Twitter logoLinkedIn logo

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.