At Deeptree, we see a lot of phishing emails. And let’s face it, these days, so do you. Gray Raven, our security team here at Deeptree, is putting the finishing touches on a report about one of the most aggressive phishing campaigns we’ve seen conducted in Alaska. But while we wait for that, we can certainly share several key lessons on how to protect against phishing attacks.
One of the things we want to call out is that there are two fundamental categories of protection against phishing. The first is the technical controls we know and love. Technical things like DKIM and SPF, spam/phishing protection, and more. Something that the staff at Deeptree know how to implement. But what happens when an otherwise shady email comes from an account you know? That’s where the second class of controls comes in. We call that the skeptical mindset.
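To make the first category concrete, here is an added example (not Deeptree’s code) of what a defender can check mechanically: the Authentication-Results header that a receiving mail server adds after evaluating SPF and DKIM. The sample messages, server name and domains are constructed placeholders. It also shows the limit of the technical controls that the rest of this post is about: a message sent from a genuinely compromised account passes SPF and DKIM cleanly, which is exactly why the second category, the skeptical mindset, is needed.

```python
"""Check SPF/DKIM outcomes recorded in an Authentication-Results header.

Added example, not part of the original post. Server names, domains and
the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string

# Matches "spf=pass", "dkim=fail", "dmarc=none" etc. inside the header.
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample 1: a spoofed sender. The receiving server
# (mx.example.net, placeholder) recorded an SPF failure and no DKIM signature.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=invoices@example.org;
 dkim=none header.d=example.org
From: "Accounts" <invoices@example.org>
To: staff@example.net
Subject: Overdue invoice

Please open the attached invoice.
"""

# Constructed sample 2: a reply from a compromised, legitimate account.
# Everything passes, because the mail really did come from example.org.
SAMPLE_HIJACKED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=alice@example.org;
 dkim=pass header.d=example.org header.s=sel1;
 dmarc=pass header.from=example.org
From: "Alice" <alice@example.org>
To: staff@example.net
Subject: Re: Re: Project update

Hi, please see the link below for the documents we discussed.
"""

# Constructed sample 3: no authentication results at all.
SAMPLE_UNCHECKED = """\
From: "Legal" <notice@example.org>
To: staff@example.net
Subject: Cease and desist

See attached.
"""


def auth_results(raw_message: str):
    """Return {'spf': 'fail', 'dkim': 'none', ...}, or None if the header is absent."""
    msg = message_from_string(raw_message)
    header = msg.get("Authentication-Results")
    if header is None:
        return None
    return {mech.lower(): result.lower() for mech, result in RESULT_RE.findall(header)}


def check_authentication(raw_message: str):
    """Return (suspicious, reasons).

    A message is flagged when SPF or DKIM did not pass, when DMARC failed, or
    when the header is missing entirely (nothing was verified). A clean result
    only means the sending domain checked out, not that the sender is honest.
    """
    results = auth_results(raw_message)
    if results is None:
        return True, ["no Authentication-Results header; SPF/DKIM were not verified"]
    reasons = []
    for mechanism in ("spf", "dkim"):
        outcome = results.get(mechanism, "missing")
        if outcome != "pass":
            reasons.append(f"{mechanism}={outcome}")
    if results.get("dmarc") == "fail":
        reasons.append("dmarc=fail")
    return bool(reasons), reasons


if __name__ == "__main__":
    for label, sample in [("spoofed", SAMPLE_SPOOFED),
                          ("hijacked", SAMPLE_HIJACKED),
                          ("unchecked", SAMPLE_UNCHECKED)]:
        flagged, why = check_authentication(sample)
        print(f"{label:10} suspicious={flagged} {why}")
```

The spoofed message is caught by the technical controls alone. The hijacked-account message is not, and no amount of header inspection will change that; the phone call described below is the control for that case.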
Attackers seek to exploit our habits and social expectations to achieve their objective: the click. It’s all about getting their target to click on a link and follow their instructions – usually to download a file or open a document.
Here’s a list of the typical tropes we see from attackers.
The Familiar Yet Kind of Off Email
This attack comes in a phishing email where the attacker purports to be someone the target knows. There are levels to this attack. At the basic level, the attacker may be working from information collected via social media. At a more advanced level, and we saw this used heavily in the campaign we observed in 2022, they have compromised the account itself and are now replying to previously sent messages.
In this format – the attacker will use the social proof of the name and relationship of the person they are pretending to be. Sometimes they steal the contents of the email thread and reply to it as a phishing email. Clever. But more often than not, the language will lack the familiar and cordial tone we expect from the sender.
And there’s the red flag. Something’s off. So what should you do?
The best answer to this is to leverage the strength of your relationship. Instead of following the instructions or replying to the email, we recommend calling or texting that person. Just share with them that you’ve received a weird email from them, and before you do anything, you want to make sure it’s legitimate. You might be the person that helps them figure out if something happened to their email. Friends helping friends. Isn’t that what life is all about?
Many organizations also have a way to report suspicious emails for further analysis. We highly recommend doing so if you are able. And if you don’t have someone to send it to, that’s certainly something we can help you with.
The Apropos-of-Nothing Email
Another common approach is for an attacker to send a phishing email masquerading as a buyer, vendor, or authoritative figure. For example, they may send or offer to send a fake spreadsheet with potential clients, an invoice, or a cease and desist letter.
The first alarm, of course, is that emails without sufficient pretext are likely up to no good. It’s often easy to ignore emails pretending to include a request-for-proposal (RFP) or bid request. It’s often more difficult to ignore an email pretending to be legal action. We’ve seen them. And some of them are really good.
So what should you do?
If there’s an attachment (often Excel, OneNote, or PDF) – we recommend VirusTotal. VirusTotal (https://www.virustotal.com) is a Web site where you can take an attachment, a file, or even a Web site address, plug it in, and receive a determination from every anti-virus product on the market. Simply grab that attachment and drag it from your email right into the middle of their page, agree to the terms, and let it analyze for you.
Pay special attention to the results! Not every anti-virus detects in the same way or catches the same things. We saw a novel attack where a targeted email sent to an executive was flagged as malicious by only one anti-virus vendor. Fortunately, our analysts knew it for what it was, so there was no confusion. So if there’s any red in the results – we recommend following the steps described in the first section. Then, get it over to your friendly cybersecurity professionals for further analysis and triage.
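One practical refinement of the VirusTotal step above, as an added example that is not Deeptree’s code: dragging a file onto VirusTotal uploads it, so for an invoice or a legal letter that may contain real business data, a common practice is to compute the attachment’s SHA-256 first and look that hash up instead. If someone else has already submitted the same file, the verdicts are there without the document ever leaving your machine. The message here is constructed, the attachment is a placeholder rather than a real PDF, and the lookup URL form is an assumption about VirusTotal’s web interface.

```python
"""Extract attachments from a message and produce SHA-256 hashes for lookup.

Added example, not part of the original post. The sample message and
attachment bytes are constructed; the VirusTotal URL pattern is assumed.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed attachment content. This is NOT a real PDF, just bytes to hash.
ATTACHMENT_BYTES = b"%PDF-1.4 constructed placeholder attachment, not a real document\n"


def build_sample() -> bytes:
    """Build a constructed email with one attachment and return it as raw bytes."""
    msg = EmailMessage()
    msg["From"] = '"Accounts" <invoices@example.org>'   # placeholder sender
    msg["To"] = "staff@example.net"                     # placeholder recipient
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the identifier VirusTotal keys files on."""
    return hashlib.sha256(data).hexdigest()


def attachment_hashes(raw_message: bytes):
    """Return [(filename, sha256_hex), ...] for every attachment in the message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()          # base64 is decoded for us
        if isinstance(data, str):          # text/* attachments come back as str
            data = data.encode("utf-8")
        found.append((part.get_filename() or "unnamed", sha256_hex(data)))
    return found


def virustotal_lookup_url(sha256_digest: str) -> str:
    """Assumed URL form for looking up an existing file report by hash."""
    return f"https://www.virustotal.com/gui/file/{sha256_digest}"


if __name__ == "__main__":
    for name, digest in attachment_hashes(build_sample()):
        print(f"{name}: {digest}")
        print(f"  lookup: {virustotal_lookup_url(digest)}")
```

If the hash has never been seen, there is no report yet, and you are back to the upload described above (or to handing the file to your security team), which is the same answer the post gives for anything that comes back red.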
What if I Clicked?
We have all clicked. And we will all click again. Emails are meant to be read, links are meant to be followed, and attachments are meant to be opened. These things will happen despite all the automation, protection, and phishing training. To err is human.
The most important part is what comes next.
Let someone know that you opened a phishing email. The sooner you engage your security professionals, the better the chances the progression of the attack can be intercepted and the damage undone. Attackers must spend a period of time doing research prior to moving forward with their attack. They need to know what kind of network they are operating on, what technologies are used, and how best to avoid detection. They may try for a smash-and-grab operation – which will be easier to detect. Or they may try to be subtle and slowly move through the network. And while they can try to hide, all malware must run. When it’s run, it’s detectable in one form or another. As long as things haven’t reached a boiling point – there’s always hope. But hope is a curious thing. The amount of hope available is directly proportional to how quickly the professionals can get engaged. The sooner the better. So don’t be afraid to ask for help.
From the rookery at Deeptree,
P.S. Don’t forget to Like and Follow Us on Facebook.