BEC attack identified; mimics Doodle poll to “reschedule” board meeting

BEC attack identified; mimics Doodle poll to “reschedule” board meeting

On January 31st, GreatHorn’s threat response team identified a widespread business email compromise campaign targeting senior executives claiming to be a Doodle poll required to reschedule an upcoming board meeting. The attack links directly to a well constructed Office 365 credential theft site.

Purporting to be from the CEO of an organization, the phishing attack claims that a planned board meeting needs to be rescheduled and requests participation in a poll to identify a new date.

The attack appears to be hitting multiple senior executives (e.g. CEOs, CFOs, CTOs, SVPs) within an organization and has been found present across multiple industries and organization sizes, always direct spoofing (i.e. using the same “from” email address as the “to” email address) with a display name of “Meetings” and subject line / content personalized to the targeted company.

Importantly, on a mobile device, the native Outlook client overwrites the display name to say “Note to self,” further complicating the attack and making it even more likely for a recipient to interact with it. While some of these messages were sent to Microsoft’s “Junk” folder, they remained accessible to end users, leaving them vulnerable to the attack. As of 3:20pm, the destination site remained up and unidentified by browsers as a malicious site.

The attack was found (and eliminated) in 14% of GreatHorn’s customer base. In addition to blacklisting the domain, GreatHorn correctly identifies the destination as suspicious in its Link Protection module.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is via a phishing email sent to senior executives with a display name of “Meetings” and their own from address.
  • The subject line is consistently New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
  • The email appears to be a Doodle poll but actually links to an Office 365 credential theft site, with a primary domain ending in

GreatHorn Security Response:

  • All attack emails within GreatHorn’s customer base have been removed from customer inboxes.
  • All customers of GreatHorn Email Security can rest assured that this destination has been added to GreatHorn’s blacklist, ensuring that all future emails will be blocked

We are continuing to monitor for evidence of this malware and will provide additional information and remediation support as our investigation continues.

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

Malicious URLs: How Protected Are You?

Malicious URLs: How Protected Are You?

Few angles make for a better email-borne attack than the impersonation of a trusted service. Organizations such as Microsoft, Google, Bank of America, Citigroup, DocuSign, Dropbox, FedEx, UPS, and countless others are brands recognized throughout the world that host or access trusted financial data, personally identifiable information, confidential data, and other exploitable content desired by criminals.

Better yet for attackers, these organizations frequently send a variety of notifications: updated terms of service, account changes and alerts, new documents being shared, etc. Recipients don’t just trust these brands, they’ve been conditioned to expect email notifications from these companies. As a result, they often interact with emails from trusted brands without giving as much thought to it as they might take with an email from a stranger. This provides a ripe environment for attackers to exploit.

These types of emails are often attempting to gain any number of different pieces of information: names, addresses, social security numbers, account numbers, routing numbers, but what is commonplace at nearly every organization are credential theft attempts by way of a fake notification email like one of the aforementioned. Attackers have realized the value of these credentials; with password reuse as rampant as it is, one password could be the key to everything from a corporate account to a personal email account to a bank account, and even without widespread reuse of the password, email addresses are the most common means of resetting passwords for every other account a person utilizes.

There are a number of ways to detect and prevent these types of attacks, but detection and prevention specifically based upon analysis of URLs (and to a lesser extent attachments) has been viewed as a central component to email security technologies for some time now. This is not nearly as infallible as many would be led to believe and when the system gets it right, everyone sleeps soundly, but there are a number of these payloads still reaching end users precisely because of the shortcomings of the specific analytical approach taken and end users are then left to their own devices to figure out which URLs are safe and which are not.

Over time, attackers have become craftier and craftier in their approach to these emails meaning the payloads getting through are more and more pernicious. Regardless of who or what business service might be spoofed by an attacker, destination URLs are often “hidden” behind hyperlinked text (e.g. “Click here”), made to look like a common file share URL, or are even legitimate file sharing URLs. Because of this, they can be difficult to spot and identify as unsafe. Coupled with users’ inherent level of trust with these respected brands (or members of their organization) and the sense of urgency an attacker creates (Data will be deleted in the next 24 hours if you do not take action!), users often feel compelled to do exactly as the URL advises: they click.

Many existing email security solutions are heavily reliant on threat intelligence feeds to identify these URLs as malicious at the time of delivery. While undeniably useful, threat intelligence has its shortcomings. It goes without saying, but someone need be the first (or possibly second, third, fourth, fifth…) victim before the URL can be classified as malicious and that intelligence can be disseminated. Other solutions stop short in performing their analysis on the full URL but instead focus only on the root domain. The idea is that, given their available dataset coupled with their threat intelligence and other data feeds, malicious URLs are bound to be spotted based solely on being anomalous. This, of course, ignores the fact that web certificates do expire or that attackers can hijack otherwise innocuous websites through other means, they can utilize URL shorteners, redirects, and a host of other means that ultimately obfuscate the true intent of the destination page of the attacker’s URL.

GreatHorn recently identified a fairly compelling example of a business services impersonation email in one of our client environments that would have almost certainly bypassed many of these existing methods of detection. The message appeared to be from business service provider LogMeIn, which makes a suite of popular access and communications products, including GoToMeeting and LastPass among others. As anyone familiar with LogMeIn can see here – save for the font – the notification was exceptionally close in appearance to a real LogMeIn notification email. There was a link in the message purportedly leading the user to a LogMeIn account login page where “6 months of free subscription” awaited him.

In this instance, the attacker utilized a domain for the URL ( similar enough to LogMeIn’s actual domain ( that it would likely pass as legitimate to an end user’s eye test. At the time of attack, the URL in this email was not showing up on dozens of threat intelligence feeds and the root domain of the URL redirected to a Google search page showing results for a LogMeIn-related search. With threat intelligence coming up blank, if a solution were to check the root domain, it would ultimately find a legitimate Google webpage.

As is shown in this example, the term “detecting malicious URLs” can be misleading. This particular email, at least in regard to the URL, could easily have bypassed any number of security solutions if they used one of the above approaches. With attackers getting more savvy, it’s important for security teams to ensure that their link protection options are robust enough to protect them from attacks.

We recently announced GreatHorn Link Protection – a new turnkey module that’s available as a core component of our email security platform. In addition to all the proprietary threat detection techniques we use that would flag a message such as this as a concern, GreatHorn Link Protection provides multiple levels of protection regardless of the URL’s presence on our threat intelligence feeds.

Stay tuned for more blogs on GreatHorn Link Protection, but in the meantime, you can learn more about GreatHorn’s Malicious URL capabilities here. Also consider checking out our recent blog on the recent rise in business service impersonations to learn more about real-world credential theft attempts.

By the Numbers: Understanding the Phishing Threat

By the Numbers: Understanding the Phishing Threat

Infographic of 2018 email security benchmarkToday, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.

So it’s of little surprise that email has also become the single largest platform for Internet Crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).

Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.

So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals – most of whom were involved in email security in some way – to understand the current email security involvement. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.

As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.

For example, we learned that the “average” user either doesn’t recognize email threats for what they are or they dismiss it under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:

  • Executive or internal impersonations
  • External impersonations (e.g. customers, vendors, partners)
  • Wire transfer requests
  • W2 requests
  • Payload / malware attacks
  • Business services spoofing (e.g. ADP, Docusign, UPS)
  • Credential theft

And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents that had some involvement in email security indicated that one or more of those threats was hitting inboxes.

That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy-to-spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.

That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well planned attacks that uses social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents – 46% – report impersonations; including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry most about.

More concerningly, our study indicates that 1 in 5 organizations have to take some kind of significant remediation action (e.g. suspending compromised accounts, PowerShell scripts, resetting compromised third-party accounts, etc.) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.

Given the remediation requirements, it’s no wonder, however, that 56% reported major technical issues with their email security solution today, including:

  • “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
  • “Missing payload attacks” – 16%
  • “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
  • “Weak or no remediation capabilities” – 19%
  • “Negative impact on business operations (e.g. too many false positives)” – 21%

We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?

Want to download the full report? You can do so here.

4 Myths About Email Security

4 Myths About Email Security


There’s no debate that phishing attacks are on the rise. In fact, 90% of data breaches start with a targeted email attack. However, relying on legacy email security tools simply does not work when faced with the trifecta of business email compromise, malicious URL delivery, and malware/ransomware attacks. Modern cloud email platforms require a modern email security solution that can protect against spear phishing and social engineering attacks.

Here are four common misperceptions or “myths” about email security and a brief explanation to dispel them.

1. Microsoft or Google Will Fix It – Two tech giants in charge of billions of corporate mailboxes will surely find a solution to spear phishing, right? Both Microsoft and Google do a tremendous job addressing the security challenges presented by their own infrastructure such as data loss from someone hacking into a server or stealing information from a physical data center.

Think of Microsoft and Google as property management companies for a residential building. They can try to secure the property by installing cameras and modern entry systems but if a tenant gives their keys away and has their condo robbed, there’s not much they can do. Phishing will always be the purview of individual businesses.

2. Our Secure Email Gateway (SEG) Will Protect Us – Email gateways have seen their efficacy erode as enterprise infrastructure has migrated to the cloud. SEGs route mail through their systems, analyze it to see if the emails are “good” or “bad,” and then deliver or block it. By making it a binary decision, these tools allow phishing emails to reach employees at an alarming rate. Cybercriminals craft their attacks with SEGs in mind knowing they have difficulty catching phishing or social engineering attacks.

3. Security Training Will Keep us Safe – Training is certainly a part of compliance but it has not proven to be effective at preventing data breaches. That’s because, according to a recent CSO article, ⅔ of inbound phishing attacks use a company’s own domain name in the ‘From’ field, making them extremely hard to detect. A well-crafted phishing attack delivered to the right person, at the right time will work regardless of the time, resources and effort invested in training them. Employees are soft targets.

4. We Haven’t Been Owned (Yet) – The phishing epidemic will continue — it has proven to be an extremely effective attack vector. And there is no such thing as a company that is too small or inconsequential to be the target of a cyber attack. The Ponemon Institute hammered that point home when they unveiled research that showed there was a 27% probability that a US company will experience a breach in the next 24 months that costs them between $1.1 million and $3.8 million. Just because a cyber criminal hasn’t tested your business’ email security posture yet does not mean you shouldn’t be ready when the time comes.

Learn more about these common misperceptions in our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security. Also hear GreatHorn CEO Kevin O’Brien explain how targeted phishing attacks work, how they’re evolving and what can be done to protect important assets from business email compromise.

If Even Top White House Officials Are Falling for Spear Phishing Emails, What Hope Do the Rest Of Us Have?

If Even Top White House Officials Are Falling for Spear Phishing Emails, What Hope Do the Rest Of Us Have?

Last night, news broke that Homeland Security Adviser Tom Bossert was fooled by a spear phishing email impersonating the president’s senior advisor, Jared Kushner. After “Kushner” — in reality, the sender of the email was self-described “lazy anarchist” @SINON — REBORN — invited him to a party, Bossert replied with a friendly note and volunteered his personal email address.

Bossert isn’t the only White House official to fall for SINON’s tricks: using a email address, the prankster targeted ex-communications chief Anthony Scaramucci with messages purporting to come from former chief of staff Reince Priebus, and Jon Huntsman, who is Trump’s pick for U.S. Ambassador to Russia. In both cases, Scaramucci took the bait and replied; Huntsman himself, along with Trump’s son Eric, were also fooled by the phishing scheme.

That the impersonations were successful at all point to serious flaws in the White House’s cybersecurity posture. Government officials are high-profile targets who have certainly been trained on cybersecurity best practices, and the White House is one of the most protected locations on Earth — if targeted phishing is effective even in this highly secure environment, it’s further confirmation that something is very seriously wrong with the current state of email security.

The Implications of a Successful Phish

Targeted social engineering attacks like this one — phishing, business email compromise, and impersonation — have become the single most effective attack type in the world.

Earlier this year, we at GreatHorn conducted a survey of the threat landscape across approximately 115,000 mailboxes from our clients, comprising nearly 375 million messages. Our focus in conducing this research (published in the 2017 Cloud Email Report) was to establish a baseline of how many suspicious, anomalous, and potential phishing emails were received by our client base. The results are sobering: out of those 375 million messages, approximately 0.016% were statistically anomalous in a significant way, containing indicators of phishing threat.

Mail without a classically malicious payload — typical of today’s whaling, business email compromise, and spear phishing attacks — can be devastatingly effective in the theft of sensitive data, intellectual property, and (of course), money. An FBI Public Service Announcement published in May puts the financial losses of business email compromise scams at over half a billion dollars annually, and warns that the volume of attacks is only going up.

Why Can’t We Stop Getting Owned — And What Should We Do About It?

Three key trends are driving modern threat:

The rapid adoption of cloud infrastructure, particularly cloud email like Microsoft’s O365 and Google’s G Suite.

Email has perhaps changed the most of any system used on a daily basis by the modern workforce. Since 2012, the landscape for email infrastructure has shifted dramatically towards cloud — Microsoft Office 365 and Google G Suite dominate this space — but legacy security solutions like Secure Email Gateways (SEGs) have been slow to adapt to these newer platforms.

SEGs offer only single-point-in-time protection, meaning that they provide no visibility or control over threats that successfully bypass the perimeter, and they struggle to detect deception-based social engineering threats like those involved in the White House prank, leaving users vulnerable to the most difficult-to-detect types of threats.

Cloud email providers themselves also struggle to stop targeted phishing attacks. If your organization was one of the many hundreds of thousands of recipients of the Google Drive phishing attempt that hit the world’s businesses in May, or the subsequent Docusign data breach and phishing attempts, you likely saw that even Google and Microsoft were not able to block every instance of these messages.

The demonstrable inefficacy of security awareness training programs.

Many organizations attempt to bridge the gap left by insufficient security technologies through security training programs, which include “realistic” fake emails that chastise users who click on an embedded link, automated video trainings, and Outlook plugins that require that users self-report phishing attempts.

Unfortunately, while training is helpful (and an important part of many compliance strategies), it’s been proven ineffective. Forrester ran a study of a wide range of organizations which had experienced a security breach; statistically, there is almost no difference in breachability correlated to the use of these types of training programs.

The pervasiveness of email, the proliferation of self-owned devices,and the always-on-nature of modern work makes it impossible forpeople to be constantly vigilant. There’s no way to transform peopleinto hard targets for hackers; they’re all soft.

An unprecedented lack of trained information security talent.

Last but not least: cybersecurity has a capacity problem.

Today, there are at least 1 million unfilled information security analyst jobs, and the number is expected to rise to between 1.5 and 2 million by 2020. Over a quarter of all organizations surveyed report that that simply cannot fill their open positions at all.

The result is that information security teams are understaffed like never before, and this critical skills shortage has played a significant role in the increasing distance between how little time it takes an attacker to work their way past cybersecurity defenses, and how long it takes for those incursions to be detected and remediated.

Since neither end-user training nor information security analyst teams can keep up, what can we do to protect ourselves?

Automation Is the Only Way to Keep Up

What’s needed is an entirely new way of stopping these attacks — automatically, and at scale.

Research findings from the 2017 Cloud Email Security Report show that a 50,000 person organization can expect to field thousands of phishing threats per week — and that time spent investigating and (if applicable) remediating them can add up to hundreds of hours.

Reducing time to detection and response is the goal for the modern information security operations center, from establishing a baseline of visibility and control to measuring the reduction of risk with, is clearly a priority for the White House. As the May 2017 Executive Order on on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure notes, one of the key goals of the current administration is for the selection and implementation of “risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”

In accomplishing this mission, automation techniques are increasingly being looked to as one of the core capabilities available to organizations in the pursuit of identifying and reducing the potential for harm from these types of attacks.

Doing so will require dedicated technological resources, with deep automation workflows, to aid in the detection of patterns and anomalies that humans might otherwise miss. Until such systems are in place, a simple consumer email address a penchant for mischief may be all that stands between our most sensitive personnel and an increasingly dangerous digital world.

Subscribe to the GreatHorn Blog

We'll email you when we publish new content, but we'll never spam you or share your information.