Darktrace email finds: Fake ShareFile notification from compromised supplier account


Type of attack: Spoofing
Organization: Construction, EMEA
Time and date: 2020-06-18 08:05 UTC
Mailboxes: <1000
Figure 1: An interactive snapshot of Antigena Email's user interface. Details shown: 100%; Thu Jun 18 2020, 04:05:52; From: share_file® <s.ignatenko@skirrowservices.com>; Recipient: <pedro.hernandez@holdingsinc.com>; Subject: Notification! Acc ID: 2749742; Email Tags: Suspicious Link; Actions on Email: Move to Junk, Hold Message, Double Lock Link.
Antigena Email recently detected a malicious email sent from a legitimate corporate email account – presumably that of a supplier – that had been subject to an account takeover. The email claimed to be a ShareFile notification, but contained links to malicious domains previously associated with phishing attacks. These webpages are commonly designed to trick users into downloading malware or leaking sensitive corporate information.

Figure 2: A subset of the breached models and associated actions
Why was this attack effective?
This attack combined an account takeover with a typical brand impersonation attack. At first glance, every element of the email appears legitimate, from the ShareFile-style notification, to the genuine and trusted corporate email address of a known supplier, to the subject line.
The email also contained a misleading link whose visible text was an email address seemingly associated with the recipient, which likewise redirected the user to a malicious webpage. Given past legitimate business interactions with the supplier, a user could easily have believed the email contained genuine ShareFile content, clicked one of the malicious links, and entered sensitive information on the phishing page.
Sender information
The sender’s name was listed as “share_file®”, but the email address was associated with a compromised account from a Ukrainian electronic components company.
Why did this attack bypass other email security solutions?
Because the email came from a genuine corporate account at a supplier known to the organization, it would have passed Sender Policy Framework (SPF) authentication, and for the same reason DKIM signing and DMARC alignment checks as well: the message really was sent from the supplier's own mail infrastructure. Authentication establishes where a message came from, not whether the account that sent it is still under its owner's control. The account had not yet been reported as compromised, so neither the sender nor its domain appeared on any blocklist, and reputation-based security solutions would not have flagged the email as spam, leaving it free to distribute malicious links to employees.
AI email security that evolves with you
Antigena Email recognized that the suspicious link in the email fell outside both the sender's and the recipient's normal 'patterns of life.' The AI took the strongest possible action, holding the message and locking the link, so that the targets could not engage with the email or the malicious link it contained. Attacks launched from compromised accounts can be among the most difficult to detect, because of the trusted relationships that exist between organizations. This attack demonstrates the value of AI email security that continuously evolves with a business.
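The two points above, that mail from a compromised supplier account passes SPF (and DKIM and DMARC) cleanly, and that the give-away is a link outside the sender's normal behaviour, can be illustrated with a small triage script. The following is an added example written for this page; it is not Darktrace's or Antigena Email's code and does not reconstruct its models. The two messages, the placeholder domains (example.net and example.org), the brand table and the sender history are all constructed, and the "pattern of life" is reduced to a hand-maintained set of link domains previously seen from the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names that, when they appear in a display name, should only arrive
# from the brand's own domains. Constructed table: sharefile.com is listed
# as an assumption; add the sending domains your vendors actually use.
BRAND_DOMAINS = {"sharefile": {"sharefile.com"}}

# Constructed per-sender baseline of link domains seen in earlier mail, a
# crude stand-in for the behavioural baseline a learning system builds.
SENDER_LINK_HISTORY = {"s.ignatenko@skirrowservices.com": {"skirrowservices.com"}}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed message modelled on the incident: the supplier's real account
# sent it, so every authentication result is "pass". Link hosts are invented.
SUSPECT_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=skirrowservices.com;
 dkim=pass header.d=skirrowservices.com; dmarc=pass header.from=skirrowservices.com
From: share_file® <s.ignatenko@skirrowservices.com>
To: <pedro.hernandez@holdingsinc.com>
Subject: Notification! Acc ID: 2749742
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have received a new document via ShareFile.</p>
<p><a href="http://docs-view.example.org/share/2749742">View document</a></p>
<p><a href="http://login.example.org/verify">pedro.hernandez@holdingsinc.com</a></p>
</body></html>
"""

# Constructed benign counterpart: a genuine ShareFile notification.
BENIGN_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sharefile.com;
 dkim=pass header.d=sharefile.com; dmarc=pass header.from=sharefile.com
From: ShareFile <noreply@sharefile.com>
To: <pedro.hernandez@holdingsinc.com>
Subject: A document has been shared with you
Content-Type: text/html; charset=utf-8

<html><body><a href="https://holdingsinc.sharefile.com/d-s123">View document</a></body></html>
"""


def host_in(host, domains):
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_auth_results(header):
    """Turn 'spf=pass ...; dkim=pass ...' into {'spf': 'pass', ...}."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header or "")}


def claimed_brand(display_name):
    """Brand named in the display name, e.g. 'share_file®' -> 'sharefile'."""
    name = re.sub(r"[^a-z0-9]", "", display_name.lower())
    return next((b for b in BRAND_DOMAINS if b in name), None)


def extract_links(html):
    """(hostname, anchor text) for every <a href> in the body."""
    return [((urlparse(href).hostname or "").lower(), re.sub(r"<[^>]+>", "", text).strip())
            for href, text in HREF_RE.findall(html)]


def analyse(raw_message, history=SENDER_LINK_HISTORY):
    """Return a list of (code, detail) findings for one message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # Authentication passing is recorded, but it clears nothing on its own.
    auth = parse_auth_results(msg.get("Authentication-Results"))
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append(("auth-pass", "SPF, DKIM and DMARC all pass; authentication cannot flag this mail"))

    # A brand name in the display name must come from that brand's domains.
    brand = claimed_brand(display_name)
    allowed = set(history.get(sender, set()))
    if brand:
        allowed |= BRAND_DOMAINS[brand]
        if not host_in(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(("brand-impersonation", f"display name claims {brand} but sender is {sender_domain}"))

    for host, text in extract_links(msg.get_payload()):
        # Link domains outside the sender's history (and the claimed brand) are the anomaly.
        if not host_in(host, allowed):
            findings.append(("unusual-link", f"{host} never seen from {sender} and not a {brand or 'known'} domain"))
        # Anchor text that looks like an address but points somewhere else entirely.
        if "@" in text and not host_in(host, {text.rpartition("@")[2].lower()}):
            findings.append(("misleading-link", f"'{text}' points at {host}"))
    return findings


def verdict(findings):
    """Hold anything with a finding beyond the informational auth-pass note."""
    return "hold" if any(code != "auth-pass" for code, _ in findings) else "deliver"


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        found = analyse(raw)
        print(label, "->", verdict(found))
        for code, detail in found:
            print("   ", code, "-", detail)
```

Run as written, the suspect message is held on three independent grounds (a brand name in the display name from a non-brand domain, link domains never seen from this sender, and anchor text showing an address that points elsewhere) even though all three authentication results pass, while the benign ShareFile mail is delivered. In practice the history set would be learned from mail flow rather than maintained by hand; the suffix match in host_in is what keeps a legitimate tenant subdomain such as holdingsinc.sharefile.com from being flagged.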
Thanks to Darktrace analyst Lucas O’Donohue for his insights on the above threat find.