Darktrace email finds: IT impersonation attack

24 Jul 2020

Type of attack: Payload delivery; Impersonation

Organization: Charity, US

Time and date: 2020-06-11 07:05 UTC

Mailboxes: <5000

Cyber-criminals often profit from a climate of uncertainty and fear, because it makes people act in haste and ignore warning signs. COVID-19 has created an environment ideal for scammers looking to exploit human error. Spoofing the IT department’s email is a popular social-engineering technique in email attacks: it relies on employees’ tendency to follow instructions from an authority figure with little or no hesitation. The shift to working from home, and the greater reliance on remote interaction with IT support that comes with it, compounds the problem.

Figure 1: A snapshot of Antigena Email’s user interface

Sender information

The attacker had disguised the sender address field so that the message appeared to come from the organization’s IT department.

Apparent motive

The emails contained a link whose domain Darktrace’s AI identified as 100% rare, meaning no device across the organization had ever previously accessed it. The links also carried the recipients’ own email addresses, suggesting that they led to a fake login page, likely pre-filled with the recipient’s address, intended to trick an employee into entering sensitive data.

Figure 2: The anomalous link in question
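The two signals described above, a domain that no device in the organization has contacted before and a link that carries the recipient’s own address, can be checked mechanically. The Python below is an added example written for this page; it is not Darktrace’s code and not part of the original post. The set of previously seen domains, the sample links and the recipient address are constructed for illustration, and the rarity score is a simplified stand-in (seen or never seen) for whatever the product computes. It goes slightly beyond the text by also looking for the address base64-encoded in the path or query, which is a common way to carry it less visibly.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed for this example: registered domains that devices in the organization
# have previously been seen contacting. A real deployment derives this from traffic.
SEEN_DOMAINS = {"charity.example", "login.microsoftonline.com", "github.com"}


def registered_domain(host: str) -> str:
    """Last two labels of the host (no public-suffix list; enough for the illustration)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_rarity(url: str, seen_domains=SEEN_DOMAINS) -> int:
    """100 when no device has ever contacted the link's domain, 0 when one has."""
    host = urlparse(url).hostname or ""
    return 0 if registered_domain(host) in seen_domains else 100


def _decoded_fragments(url: str):
    """Yield every place in the URL where an address could be carried, plain or base64."""
    parsed = urlparse(url)
    pieces = [unquote(parsed.path), unquote(parsed.fragment)]
    # parse_qsl already percent-decodes once; decoding again catches double encoding.
    pieces += [unquote(value) for _, value in parse_qsl(parsed.query, keep_blank_values=True)]
    for piece in pieces:
        yield piece
        for token in re.split(r"[/?&=#]", piece):
            if len(token) < 8:
                continue
            padded = token + "=" * (-len(token) % 4)
            for decoder in (base64.b64decode, base64.urlsafe_b64decode):
                try:
                    yield decoder(padded).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    # Not base64, or not text once decoded: ignore this token.
                    continue


def embeds_recipient(url: str, recipient: str) -> bool:
    """True if the recipient's address appears anywhere in the link, plain or base64-encoded."""
    needle = recipient.lower()
    return any(needle in fragment.lower() for fragment in _decoded_fragments(url))


def score_link(url: str, recipient: str, seen_domains=SEEN_DOMAINS) -> dict:
    """Combine domain rarity and link personalization into a delivery decision."""
    rarity = domain_rarity(url, seen_domains)
    personalized = embeds_recipient(url, recipient)
    reasons = []
    if rarity == 100:
        reasons.append("100% rare domain")
    if personalized:
        reasons.append("recipient address embedded in link")
    if rarity == 100 and personalized:
        verdict = "hold"   # both signals: likely a pre-filled credential-harvesting page
    elif reasons:
        verdict = "flag"   # one signal: surface for review
    else:
        verdict = "allow"
    return {"rarity": rarity, "personalized": personalized, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: the second carries the address base64-encoded in the path.
    recipient = "alice@charity.example"
    for link in (
        "https://it-helpdesk-portal.example/verify?u=alice%40charity.example",
        "https://it-helpdesk-portal.example/verify/YWxpY2VAY2hhcml0eS5leGFtcGxl",
        "https://github.com/charity-org/handbook",
    ):
        print(link, "->", score_link(link, recipient))
```

Rarity alone is a weak signal (any new legitimate vendor scores 100), and a personalized link alone is common in genuine mail; the combination is what justifies holding the message rather than only flagging it.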

Antigena Email’s actions

Delivery action: Hold message

Antigena Email took its strongest action on this incoming email campaign, preventing the emails from reaching any recipients.

Why did this attack bypass other email security solutions?

Spoofing involves forging some visible part of the email headers, most often the display name or the From address, so that a message appears to come from someone the recipient recognizes, such as the IT department or a company executive. Sender authentication (SPF, DKIM and DMARC) vouches for the domain a message was sent from, not for the display name the recipient sees, so a display name of “IT Department” on mail from an attacker-controlled domain can pass all three checks. In this case the forgery was enough to fool the existing security solutions, and it could have fooled a recipient into clicking the link and entering their credentials had Antigena Email not been installed.
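As an added illustration of the header forgery described above (example code written for this page, not Antigena Email’s logic or anything from the original post), the Python below inspects the From and Reply-To headers for the patterns an IT-impersonation mail typically shows: a display name that claims to be internal IT while the address belongs to an outside domain, a sender domain that borrows the organization’s name, and a Reply-To pointing somewhere else. The internal domain set, the list of IT-sounding terms and the three sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions constructed for this example: the organization's own mail domains and the
# display-name terms an attacker would use to pose as the IT department.
INTERNAL_DOMAINS = {"charity.example"}
IT_TERMS = ("it department", "it support", "it service", "helpdesk", "help desk", "service desk")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_lookalike_domain(domain: str) -> bool:
    """True when the domain borrows an internal domain's first label without being it."""
    for internal in INTERNAL_DOMAINS:
        label = internal.split(".")[0]
        if domain != internal and label in domain:
            return True
    return False


def header_impersonation_findings(raw_message: str) -> list:
    """Findings for From/Reply-To forgery aimed at looking like internal IT."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    name = from_name.lower()
    poses_as_it = any(term in name for term in IT_TERMS) or any(d in name for d in INTERNAL_DOMAINS)

    if poses_as_it and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"display name {from_name!r} poses as internal IT but the address domain is {from_domain!r}")
    if from_domain and is_lookalike_domain(from_domain):
        findings.append(f"sender domain {from_domain!r} imitates an internal domain")

    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = _domain(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # SPF/DKIM/DMARC vouch for the address domain, not the display name, so a passing
    # result alongside a forged display name is itself worth recording.
    auth = msg.get("Authentication-Results", "").lower()
    if findings and "spf=pass" in auth:
        findings.append("SPF passed for the sender's own domain; authentication cannot catch display-name spoofing")
    return findings


# Constructed sample messages (not from the incident).
SPOOFED = """\
From: "IT Department" <helpdesk@mail-support-center.example>
To: alice@charity.example
Reply-To: tickets@another-domain.example
Subject: Action required: verify your mailbox
Authentication-Results: mx.charity.example; spf=pass smtp.mailfrom=mail-support-center.example
Content-Type: text/plain

Your password expires today. Sign in at https://it-helpdesk-portal.example/verify
"""

LOOKALIKE = """\
From: "Help Desk" <support@charity-it.example>
To: alice@charity.example
Subject: Mailbox quota exceeded
Content-Type: text/plain

Please confirm your account.
"""

LEGITIMATE = """\
From: "IT Department" <it@charity.example>
To: alice@charity.example
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(label, header_impersonation_findings(sample))
```

The term list is deliberately simple; in practice it would be drawn from the display names the organization’s own IT staff actually use, and the lookalike check would be extended with edit-distance or homoglyph comparison.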

About the author
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace for Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.
