Over the past 48 hours, we have been tracking a significant uptick in a far more sophisticated version of the business email compromise attack that has been making the news of late. Across a number of our clients, the GreatHorn platform has directly identified and interrupted these attacks – and in this post, we’re going to take a look at how these emails are being constructed, and how to protect yourself.
Understanding The Multi-Stage Business Email Compromise
The classic “business email compromise” attack relied on three things:
- Impersonation of a senior executive, via email
- Delivery to an individual with access to financial or data resources
- A direct call to action, such as, “please wire money to this account”, with a routing number included
Recently, however, we’re seeing a modification to the third point. Specifically, we’re seeing the impersonated email not ask for a wire transfer directly, but rather, communicate that a confidential deal is underway, and that the recipient should expect a call from their organization’s outside counsel:
This is an example of the kind of message that we’re seeing. We’ve changed the sender and recipient to our own domain for the purposes of this blog, but the message is otherwise the same as a real attack.
Note that this message was entirely fraudulent — it was sent via a custom Python script, designed to exploit the core weaknesses of SMTP, to deliver an email to an individual inside of our company as though it came from me.
There are three major variants of this attack:
- For domains without strong mail authentication enabled, messages can be sent that directly spoof the sender’s From: and Return-Path: fields; since the actual attack will come via a phone call, the attacker doesn’t need to rely on intercepting a reply.
- Alternatively, for domains with SPF and DKIM enabled, but not DMARC, a seemingly valid third-party domain will be set up — “securemail.com” is an example here — and used as the return-path. The attack message can pass SPF (because SPF here is checked against the return-path), and absent DKIM, the message will be delivered.
- Finally and most significantly, even for domains with DMARC enabled, a look-alike domain, such as “greathorn.cm” vs “greathorn.com”, will be used to deliver the message; this secondary domain often has valid SPF/DKIM/DMARC of its own, ensuring delivery.
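To make the three variants concrete, here is an added example (not GreatHorn's code, and not from the original post) of a small Python check that looks for the header anomalies each variant leaves behind: a Return-Path domain that does not match the From: domain, a missing DKIM-Signature, and a look-alike sender domain. The owned domain, the addresses and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Domains this organisation owns; an assumption for the example.
PROTECTED_DOMAINS = {"greathorn.com"}

# Constructed sample modelled on the second variant: From: is the protected
# domain, Return-Path: is a third-party domain, and there is no DKIM-Signature.
SAMPLE = (
    "Return-Path: <ceo@securemail.com>\r\n"
    "From: CEO <ceo@greathorn.com>\r\n"
    "To: finance@greathorn.com\r\n"
    "Subject: Confidential deal - expect a call from outside counsel\r\n"
    "\r\n"
    "Please keep this between us until counsel reaches you.\r\n"
)

def sender_domain(header_value):
    """Lowercase domain of the address in a From: or Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (greathorn.cm)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw_message):
    """Return the set of header anomalies that map to the three variants."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    rp_dom = sender_domain(msg["Return-Path"])
    findings = set()
    if from_dom in PROTECTED_DOMAINS and rp_dom and rp_dom != from_dom:
        findings.add("return_path_misaligned")  # variant 2: SPF passes on a third-party domain
    if msg["DKIM-Signature"] is None:
        findings.add("dkim_missing")            # variants 1 and 2: nothing to verify
    if from_dom not in PROTECTED_DOMAINS and any(
            edit_distance(from_dom, d) <= 2 for d in PROTECTED_DOMAINS):
        findings.add("lookalike_domain")        # variant 3: greathorn.cm vs greathorn.com
    return findings
```

Run against mail that already passed the gateway, these findings are the kind of post-delivery signal that a real-time platform would alert on before the follow-up phone call arrives.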
There’s no obvious indicator that this is a business email compromise attack, but GreatHorn picks it up immediately:
In this example, the GreatHorn Email Security Platform is calling out three items that are otherwise invisible to the recipient:
- The Sender Anomaly Score is “critical”, because the impersonated sender never emails from this IP address; this score is drawn from GreatHorn’s proprietary, patent-pending detection and analysis system, comprising data that no other organization in the world has access to and representing solely enterprise-grade security data
- The Authenticity Risk score is low-moderate, because there is no DKIM signature here; under normal circumstances, we would expect to see one present (thus the “highly unusual” designator)
- The Return Path Sender Score for the originating domain is 79, indicating risk in the email’s sending IP and domain, something that is otherwise impossible for the recipient to ascertain
At a glance, through this detail, an information security team can identify that this message represents a sophisticated attack — and since the “payload” will come via a phone call, detecting and alerting on this in real time is essential.
How to Defend your Organization
We have three specific suggestions for protecting against this kind of attack:
- Set up SPF and DKIM, and ensure that all of your (valid) mail is at least being signed properly
- Enable a real-time, post-delivery security platform that can complement your email provider and/or email gateway
- Implement strong authentication and DMARC across all of the domains you own, blocking direct spoofing
With over $2.3b in financial loss over the past 18 months alone related to this kind of attack, the only option you can’t afford is to do nothing. Across the GreatHorn customer base, we’re seeing a dramatic increase in the number and sophistication of business email compromise, spear phishing, and whaling attacks — the examples above representing only the latest variant of an ever-changing set of threats.
We’d love to hear from you, and if you’re ready to protect your company from attack, GreatHorn can be deployed in just 15 minutes, providing comprehensive inbound mail protection. Request your free security check and setup here: