Blog

No items found.

Darktrace email finds: Two WeTransfer impersonation attacks caught by AI

Darktrace email finds: Two WeTransfer impersonation attacks caught by AIDefault blog imageDefault blog image
30
Jul 2020
30
Jul 2020

In recent months, Antigena Email has seen a surge in email attacks claiming to be from file sharing site WeTransfer. These attacks attempt to deploy malware into the recipient’s device and further infiltrate an organization.

This is a common technique deployed by attackers, who find success in masquerading behind the trusted brand of well-known SaaS vendors. We’ve seen similar attacks recently with both QuickBooks and Microsoft Teams.

Incident one

This email was directed at an employee in the accounts department of a financial services organization in the APAC region.

100%

Mon Jun 15 2020, 03:14:30

From:wetransfer <noreply@noreply.com>

Recipient:Sun Jen <sun.jen@holdingsinc.com>

We sent you an invoice via WeTransfer

Email Tags

Suspicious Link

New Contact

Actions on Email

Double Lock Link

Move to Junk

Hold Message

Figure 1: An interactive snapshot of Antigena Email’s user interface

The subject line of this email – “We sent you an invoice via WeTransfer” – is typical of a solicitation attack. Hidden behind a button reading ‘Get your files’ was a webpage that contained malware but displayed a login page. If a user entered their username and password in an attempt to access this ‘invoice’, the malware would harvest their credentials and send them to the attacker.

Figure 2: The fake login page, branded as Microsoft Excel, which would have likely sent the credentials to a spreadsheet controlled by the attacker

This attack bypassed the other security tools in place, but was detected by Antigena Email due to a number of anomalies that when stitched together unmistakably reveal a threat.

Figure 3: Antigena Email’s dashboard reveals key metadata behind the email

Critical for Antigena Email’s detection of this attack was that the email contained an anomalous link. It would be highly unusual for WeTransfer to link to SharePoint – a direct competitor – in their emails. The AI also recognized that neither the employee in the accounting department nor anybody else in the organization had previously visited the domain in question, and deemed this email as 100% anomalous. These, and other characteristics, of the URL gave Darktrace’s AI reason to tag this email with the ‘Suspicious Link’ tag, prompting Antigena Email to double lock the offending link and hold the message back from the recipient’s inbox.

Incident two

A second incident leveraging WeTransfer’s name was detected just a week later at a law firm in Europe. This email was more sophisticated and even more convincing, appearing to come from the legitimate WeTransfer domain. However, it still set off over a dozen models, again prompting Antigena to lock links and hold the email back.

100%

Mon Jun 22 2020, 08:25:17

From:wetransfer <noreply@wetransfer.com>

Recipient:George Todd <george.todd@skirrowservices.com>

We sent you an invoice via WeTransfer

Email Tags

Spoofing

Suspicious Link

Spoofing Indicators

Moderate Communication History

Wide Distribution

Actions on Email

Lock Link

Double Lock Link

Move to Junk

Hold Message

Figure 4: An interactive UI snapshot of the second email

This attack went a step further. Whereas in the previous scenario the attacker simply changed the personal name, leveraging <noreply[.]com>, here the attacker has manipulated the headers to actually make the email appear to come from the WeTransfer domain.

Recent research unveiled at Black Hat this month indicates there could be as many as 18 different methods to mislead common email verification checks like Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Some of these techniques may be as simple as including two From lines in an email header, which may result in a mail server verifying the first From header while the email client displays the second From address. As a result, an email sent from an attacker’s mail server is verified as coming from a legitimate address; in this case <noreply@wetransfer[.]com>.

The familiarity of this apparent sender is reflected in the ‘Depth’ and ‘Width’ scores below of 19 and 47 respectively, indicating moderate communication history. However, Antigena Email reveals that the true sender is an unrelated and uncommon domain, and one that is unrelated to WeTransfer.

Figure 5: Analysis of the second email reveals that the host domain is unrelated to WeTransfer

Darktrace’s AI also detected two suspicious links within the email that were considered highly anomalous given previous communication between WeTransfer and the client (and importantly – the absence of a WeTransfer link!)

Figure 6: Two links in the email were considered highly anomalous and threatening

These unusual links combined with the recognition of a spoofing attempt prompted Antigena Email to deem this email as 100% anomalous and intervene, protecting the recipient — and business — from harm. Despite this second email attack employing more sophisticated attack methods, allowing it to evade legacy email tools and closely resembling a legitimate email, Darktrace’s AI was able to recognize an even wider array of indicators that prompted it to hold the email back.

Thanks to Darktrace analysts Thomas Nommensen and Andras Balogh for their insights on the above threat find.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: Two WeTransfer impersonation attacks caught by AI
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: Darktrace email finds: Two WeTransfer impersonation attacks caught by AI