Blog

No items found.

Darktrace email finds: Fake ShareFile notification from compromised supplier account

Darktrace email finds: Fake ShareFile notification from compromised supplier accountDefault blog imageDefault blog image
10
Aug 2020
10
Aug 2020

Type of attack: Spoofing

Organization: Construction, EMEA

Time and date: 2020-06-18 08:05 UTC

Mailboxes: <1000

100%

Thu Jun 18 2020, 04:05:52

From:share_file® <s.ignatenko@skirrowservices.com>

Recipient:<pedro.hernandez@holdingsinc.com>

Notification! Acc ID: 2749742

Email Tags

Suspicious Link

Actions on Email

Move to Junk

Hold Message

Double Lock Link

Figure 1: An interactive snapshot of Antigena Email’s user interface

Antigena Email recently detected a malicious email sent from a legitimate corporate email account – presumably that of a supplier – that had been subject to an account takeover. The email claimed to be a ShareFile notification, but contained links to malicious domains previously associated with phishing attacks. These webpages are commonly designed to trick users into downloading malware or leaking sensitive corporate information.

Figure 2: A subset of the breached models and associated actions

Why was this attack effective?

This attack combined an account takeover with a typical impersonation attack. At first glance, all of the email’s elements appear legitimate, from the ShareFile notification, to the genuine and trusted corporate email address, to the subject line.

The email contained an additional misleading link featuring an email address seemingly associated with the recipient, but that also redirected a user to a malicious webpage. Believing that the email contained genuine ShareFile content, given past legitimate business interactions with the supplier, a user may have easily clicked on one of the malicious links and entered sensitive information on the phishing page.

Sender information

The sender’s name was listed as “share_file®”, but the email address was associated with a compromised account from a Ukrainian electronic components company.

Why did this attack bypass other email security solutions?

As the email came from a genuine corporation and trusted supplier known to the organization, it would have passed the Sender Policy Framework (SPF) authentication technique and been considered legitimate. The fact that the account sending the email had not yet been reported as compromised meant that the email was not flagged as spam by traditional security solutions, and would have been able to distribute malicious content to employees.

AI email security that evolves with you

Antigena Email recognized that the suspicious link in the email fell outside of both the sender and recipient’s normal ‘patterns of life.’ The AI took the strongest possible action, preventing the targets from engaging with the email and malicious link contained within. Compromised accounts can be some of the most difficult attacks to detect, because of the trusted relationships that exist with other organizations. This attack demonstrates the power of AI email security that continuously evolves with a business.

Thanks to Darktrace analyst Lucas O’Donohue for his insights on the above threat find.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: Fake ShareFile notification from compromised supplier account
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: Darktrace email finds: Fake ShareFile notification from compromised supplier account