The Ongoing Threat Posed by Phishing
Phishing remains the number one vector for malware to enter an organisation’s network, and despite greater awareness of these scams, Business Email Compromise is still causing significant financial loss for businesses globally.
Typical phishing (spear-phishing and whaling) attacks often attempt to spoof a sender and use a forged email address. The subject lines or messages are frequently meaningless or contain poor spelling and grammatical errors that immediately raise suspicion. These types of campaigns rely on an end-user being either uneducated, distracted, busy or stressed. Whilst there are still plenty of these basic phishing campaigns around, we would like to highlight that phishing has and will continue to become more sophisticated and more targeted.
An example of a phishing attack method that is becoming more common and is harder to spot is the email reply chain attack. In an email reply chain attack, the attacker first takes over an email account. Email account takeover is achieved either via an earlier compromise and credential dump or through credential stuffing and password-spraying techniques. Once the attacker has access to one or more email accounts, they monitor ongoing conversation threads for any opportunity to send malware (e.g. Emotet, Qakbot) to the conversation’s participants. Attackers will often use VBScript or PowerShell launched from Office macros to deliver this malware.
Email reply chain attacks are more difficult to detect and much more successful than traditional phishing as the attacker does not need to spoof someone else’s email address (the email is sent from a genuine email account). In addition, trust is already established between the email participants as a conversation has been ongoing. As the attacker has observed the preceding conversation, they can also insert a malicious reply that fits the context of the discussion and does not appear out of place. This scenario means the likelihood of the attack being successful increases.
To avoid detection, attackers will do one or more of the following:
- Set up and use an alternate inbox to receive messages by configuring email account rules to route particular messages away from the usual inbox and into a folder that the genuine account holder may overlook or not suspect (such as Trash)
- Configure email forwarding rules to forward mail from specific recipients to another account
How to prevent falling victim to an email reply chain phishing attack:
- Enable Multifactor Authentication
- Ensure strong password policies are enforced
- Encourage users to regularly check their email account settings for unusual rules or settings
- Disable macro use wherever possible
- Continue to educate end-users about these types of attacks
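The two evasion techniques described above (rules that divert mail into a folder the account holder is unlikely to check, and rules that forward mail to another account) are exactly what the "check your email account settings for unusual rules" advice is meant to catch. The following is an added example, not code from the bulletin or from Incident Response Solutions: a small audit over mailbox rule records that flags those two behaviours. The record layout, field names, the list of "rarely checked" folder names and the sample rules are all assumptions constructed for the example; map them onto whatever your mail platform's rule export actually provides.

```python
"""Flag mailbox rules of the kinds used in email reply chain attacks.

Added example (not from the bulletin). Rule records below mimic a generic
inbox-rule export; the field names are assumptions, not a real API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

# Folders an account holder rarely looks in; attackers route diverted mail
# here so the genuine owner does not notice it. Assumed list, extend to taste.
RARELY_CHECKED_FOLDERS = {
    "deleted items", "trash", "junk email", "junk", "rss feeds",
    "rss subscriptions", "archive", "conversation history",
}


@dataclass
class InboxRule:
    """One mailbox rule: what it matches on and what it does."""
    name: str
    enabled: bool = True
    from_contains: List[str] = field(default_factory=list)      # condition
    subject_contains: List[str] = field(default_factory=list)   # condition
    move_to_folder: Optional[str] = None                        # action
    forward_to: List[str] = field(default_factory=list)         # action
    delete_message: bool = False                                # action


def is_external(address: str, internal_domains: set) -> bool:
    """True if the address's domain is not one of our own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains


def assess_rule(rule: InboxRule, internal_domains: set) -> List[str]:
    """Return human-readable findings for one rule (empty list = nothing odd)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    scope = ", ".join(rule.from_contains + rule.subject_contains) or "all mail"

    # Evasion 1: mail forwarded/redirected to an account outside the organisation.
    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if external:
        findings.append(f"forwards '{scope}' to external address(es): {', '.join(external)}")

    # Evasion 2: mail moved somewhere the owner will overlook, or simply deleted.
    folder = (rule.move_to_folder or "").strip().lower()
    if folder in RARELY_CHECKED_FOLDERS:
        findings.append(f"moves '{scope}' to rarely checked folder '{rule.move_to_folder}'")
    if rule.delete_message:
        findings.append(f"deletes '{scope}' before the owner sees it")
    return findings


def audit_rules(rules: List[InboxRule], internal_domains: set) -> List[dict]:
    """Audit every rule; return only the ones with findings, in input order."""
    report = []
    for rule in rules:
        findings = assess_rule(rule, internal_domains)
        if findings:
            report.append({"rule": rule.name, "findings": findings})
    return report


# Constructed sample rules for a fictional organisation using example.com.
SAMPLE_RULES = [
    # Benign: files vendor mail into a normal, visible folder.
    InboxRule(name="File supplier mail", from_contains=["@supplier.example.org"],
              move_to_folder="Suppliers"),
    # Suspicious: silently copies invoice threads to an outside mailbox.
    InboxRule(name="Vendor sync", subject_contains=["invoice"],
              forward_to=["ops@partner-mail.example.net"]),
    # Suspicious: hides replies from a colleague in RSS Feeds so the owner
    # never sees the conversation the attacker is hijacking.
    InboxRule(name=".", from_contains=["finance@example.com"],
              move_to_folder="RSS Feeds", delete_message=False),
]
INTERNAL_DOMAINS = {"example.com"}


if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[!] rule {entry['rule']!r}:")
        for finding in entry["findings"]:
            print(f"      - {finding}")
```

Run on a real export, the same checks give a quick first pass over every mailbox in the tenant; the one thing the heuristic cannot decide on its own is whether an external forward is legitimate, so treat each hit as something to confirm with the account holder rather than an automatic verdict.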
Microsoft recently outlined an extended version of this threat whereby the attackers compromise email accounts, extend their foothold within a business using lateral phishing and outbound spam, and finally connect an unauthorised device to the network to propagate the attack further. This attack version takes advantage of the current environment where BYOD and remote working have become business as usual. However, to thwart the second stage of this attack, an organisation merely has to ensure that MFA is enabled.
We believe these more evolved and multi-stage attacks involving reply chain phishing attacks will continue to rise.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
Subscribers to the premium edition also obtain access to the following additional information:
- Cyber Governance
- Cyber Incident Landscape
- Cyber Incident Response Resources
- Cyber Framework and Control Updates, Surveys and Research
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
