Blog

Dentro del SOC

Email

Bytesize security: Impersonation tactics fail to fool Darktrace AI

Bytesize security: Impersonation tactics fail to fool Darktrace AIDefault blog imageDefault blog image
24
Oct 2022
24
Oct 2022

Two of the most popular ways threat actors send malicious emails is through the use of spoofing and impersonation tactics. While spoofed emails are sent on behalf of a trusted domain and obscure the true source of the sender, impersonation emails come from a fake domain, but one that may be visually confused for an authentic one. In order to identify impersonation tactics in a suspicious email, we should first ask why an attacker might utilize an impersonation approach over spoofing.

In contrast to domain spoofing, which lacks validation and can be readily detected by email security gateway softwares, impersonation with a lookalike domain allows attackers to send emails with full SPF and DKIM validation, making them appear legitimate to many security gateways. This blog will explore impersonation tactics and how Darktrace/Email protects against them. 

There are two distinct ways to leverage impersonation tactics: 

1.     Impersonating the domain 

2.     Impersonating a real user from that domain  

Domain impersonation is often implemented with the use of ‘confusable characters’. This involves misspelling through the use of character substitutions which make the domain look as visually similar to the original as possible (eg. m rn, o 0, l  I). Threat actors can then also impersonate a real user by adding the the personal field of that user’s email to the new, malicious domain. Comparing impersonation emails with legitimate emails highlights how similar these malicious email addresses are to the real thing (Figure 1).

Figure 1- Email log that highlights the impersonated emails from “Mike Lewis” from the domain “smartercornmerce[.]net”. Along with the impersonated domain, the attackers attempt to impersonate the known user, “Mike Lewis” as well. The use of both distinct types of impersonation categorize the email as what Darktrace/Email refers to as a Double Impersonation email.

Figure 2- Email Summary details of one of the malicious double impersonation emails that was sent by the impersonated sender, “Mike Lewis” from “smartercornmerce[.]net”, that highlights the various anomaly indicators that Darktrace/Email detected, as well the various tags and actions it applied.

Darktrace/Email uses AI which analyses impersonation emails by comparing the ‘From’ header domains of emails against known external domains and generates a percentage score for how likely the domain is to be an imitation of the known domain (Figure 3).  

Figure 3- Darktrace compares the external sender, “mike.lewis@smartercornmerce[.]net”, with similar external names and domains that have been observed in different inbound emails on the network.


Impersonation emails are also detected via spoof score metrics such as Domain External Spoof Score and Domain Internal Spoof Score (Figure 4). 

Figure 4- Darktrace AI analyzed the malicious double impersonation email from Figure 2 and generated a high Domain External Spoof Score (100) and Spoof Score External (94)


Double Impersonation emails such as the one highlighted in Figure 2 are utilized by threat actors to gain the trust of the recipient and convince them to access malicious payloads such as phishing links and attachments. For example, the malicious double impersonation email from Figure 2 contained a suspicious hidden link to a Wordpress site which could have redirected the user to a phishing endpoint and tricked them into divulging sensitive information (Figure 5). The endpoint itself appears to lead unsuspecting recipients to a false share link posing as a payment-themed Excel file.

Figure 5- Details of the Wordpress link embedded in the suspicious email, which was hidden beneath display text to convince a user to click it without knowledge of where it would lead. The domain has a 100% rarity according to Darktrace AI.

Figure 6- Wordpress webpage that highlights another link for the user to click in order to be redirected to the invoice statement in a Microsoft Excel document.

Various indicators highlighted the webpage as suspicious and potentially malicious. Firstly, the use of ‘SmarterCORNmerce’ in the link to the webpage was at odds with the use of SmarterCOMMERCE throughout the page itself. The link also showed the invoice statement to be an Microsoft Excel file, despite the email suggesting it was a PDF document. Further investigation revealed the link to be associated with a Fleek hosting service and CDN (Figure 7), and that it redirected users to a fake Microsoft page. 

Figure 7 - Source code from the Wordpress webpage shows that the fake Microsoft link redirects users to a Fleek hosted page. This page may contain additional javascript content to download malware onto the user’s device.

As well as the domain spoof score metrics highlighted in Figure 4, Darktrace/Email analyses the suspicious payloads embedded in emails and generates scores to indicate the likelihood that a payload may be a phishing attempt.

Figure 8- Additional metrics for the double impersonation email that highlight the high phishing inducement score (96) for the email.

As the DETECT functionality of Darktrace/Email generates high scores metrics such as Domain External Spoof Score and Phishing Inducement, the RESPOND function will fire complementary models which then trigger relevant actions on the various payloads embedded in these emails and even the delivery of the emails themselves. As the impersonation email highlighted in Figure 2 impersonated not only the trusted domain but the known and trusted sender, Darktrace AI triggers the Double Impersonation model. Additional spoofing models such as ‘Basic Known Entity Similarities + Suspicious Content’ and ‘External Domain Similarities + Maximum Similarity’ were also triggered, indicating the high possibility that the suspicious email is a domain and user impersonation email sent by a malicious attacker.

Figure 9- The Email console highlights the different models the email triggered, including the Basic Known Entity Similarities + Suspicious Content and External Domain Similarities + Maximum Similarity model breaches and the various models that triggered significant actions in response to the potentially malicious impersonation email.


When Darktrace/Email detects a malicious double impersonation email, it responds by triggering a Hold action, preventing the email from appearing in the recipient’s inbox. Darktrace/Email’s RESPOND functionality could also take action against the suspicious link payloads embedded in the email with a Double Lock Link action. This will prevent users from attempting to click on malicious phishing links. Such actions highlight how Darktrace/Email excels in using AI to detect and take action against potentially malicious impersonation emails that may be prevalent in any user’s inbox. 

Though impersonation is becoming increasingly targeted and efficient, Darktrace/Email has both detection and response capabilities that can ensure customers have secure coverage for their email environments.

Thanks to Ben Atkins for his contributions to this blog.

More in this series:

No se ha encontrado ningún artículo.

¿Te gusta esto y quieres más?

Reciba el último blog en su bandeja de entrada
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.
DENTRO DEL SOC
Darktrace son expertos de talla mundial en inteligencia de amenazas, caza de amenazas y respuesta a incidentes, y proporcionan apoyo al SOC las 24 horas del día a miles de clientes de Darktrace en todo el mundo. Inside the SOC está redactado exclusivamente por estos expertos y ofrece un análisis de los ciberincidentes y las tendencias de las amenazas, basado en la experiencia real sobre el terreno.
AUTOR
SOBRE EL AUTOR
George Kim
Analista SOC
share this article
PRODUCTOS DESTACADOS
No se ha encontrado ningún artículo.
Cobertura básica
No se ha encontrado ningún artículo.
Este artículo
Bytesize security: Impersonation tactics fail to fool Darktrace AI
Compartir
Twitter logoLinkedIn logo

Buenas noticias para su negocio.
Malas noticias para los malos.

Inicie su prueba gratuita

Inicie su prueba gratuita

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
For more information, please see our Privacy Notice.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.

Obtenga una demostración

Entrega flexible
Puedes instalarlo virtualmente o con hardware.
Instalación rápida
Sólo 1 hora de instalación - y aún menos para una prueba de seguridad del correo electrónico.
Elige tu viaje
Pruebe IA de autoaprendizaje donde más lo necesite, incluyendo la nube, la red o el correo electrónico.
Sin compromiso
Acceso completo al visualizador de amenazas Darktrace y a tres informes de amenazas a medida, sin obligación de compra.
Gracias. Hemos recibido su envío.
¡Ups! Algo salió mal al enviar el formulario.

Check out this article by Darktrace: Bytesize security: Impersonation tactics fail to fool Darktrace AI