Anatomy of a Phishing Attack: Rising Tide of Service Impersonation Spoofs

As a member of GreatHorn’s Customer Success team, I have daily insight into threat patterns as they emerge across our customer base. While we always see a variety of threats (and some more than others), occasionally we see volumetric phishing patterns that result in temporary spikes in one particular type of threat.

Over the past several weeks, we’ve seen a huge spike in service impersonation attacks. In this blog, I’ll explain what these are, how they work, what to look for, and what you can do to prevent them.


Breaking: New phishing campaign targets Office 365 customers, masquerades as missed voicemail

This morning, on October 17th, GreatHorn’s threat response team identified an active, widespread phishing campaign that uses a range of impersonation techniques to deliver a “voicemail” alert to customers. The alert links to what appears to be a Verizon-branded PDF, hosted either in SharePoint or on free PDF hosting sites, which in turn contains links to credential theft pages. Currently, the attack appears to be hitting primarily Office 365 customers, targets multiple users within an organization, and has been seen across multiple industries and organization sizes, using different combinations of senders and subject lines.

Although we have so far identified it only in O365 environments, there is nothing to prevent this scheme from propagating to G Suite and other environments.

The GreatHorn security team is currently monitoring this attack and providing automated support to clients.

Currently, here is what we know about this attack:

  • The initial point of infection is a phishing email from the senders “[email protected]” and “[email protected]”. The email takes a number of different forms, including the example on the right, and includes a link to a PDF that is currently being hosted on multiple compromised SharePoint file hosting sites, as well as on free PDF hosting websites such as
  • The destination of the supposed voicemail link is a PDF, branded as a Verizon document, containing a second step URL that leads to a credential theft site designed to look like an Office 365 login:

PDF with Verizon-branded message linked to credential theft website

Credential Theft: Fake Office 365 login page

Our specific recommendations:

We are continuing to monitor for evidence of this attack, and will provide additional information and remediation support as our investigation continues.

As of October 17 at 11:51am EDT, neither the documents, the URLs where they’re hosted, nor the credential theft links themselves are being flagged by threat intelligence blacklists. While threat intelligence is an important part of any email security strategy, it is often ineffective against zero-day threats and phishing attacks.
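Because the blacklists had not yet caught up with this campaign, detection has to rest on the message’s own characteristics rather than on a reputation lookup. The following Python script is an added example, not GreatHorn’s product code and not something published with this alert: it scores a message on the three traits the alert describes (a voicemail lure, Verizon branding arriving from an unrelated sending domain, and a PDF link hosted on a SharePoint tenant other than the organization’s own or on some external host) and holds a message when two or more traits coincide. The organization domain, its SharePoint tenant host, the brand-to-domain map, and the sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# All values below are constructed for this example: the protected
# organization's own domain and SharePoint tenant, and the brand whose
# name in a message should match the sending domain (assumed mapping).
ORG_DOMAIN = "corp.example"
ORG_SHAREPOINT_HOST = "corp.sharepoint.com"
BRAND_DOMAINS = {"verizon": "verizon.com"}

VOICEMAIL_LURE = re.compile(r"\b(voice ?mail|voice message|missed call)\b", re.I)


@dataclass
class Message:
    sender: str                 # address in the From header
    subject: str
    body: str
    links: list = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: list


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def assess(msg):
    """Score one message on the traits of the voicemail campaign."""
    reasons = []
    text = f"{msg.subject}\n{msg.body}".lower()
    dom = sender_domain(msg.sender)

    # Trait 1: the lure is a "missed voicemail" alert.
    if VOICEMAIL_LURE.search(text):
        reasons.append("voicemail lure in subject or body")

    # Trait 2: the message is branded as a carrier, but the sending domain
    # is unrelated to that brand.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in text and dom != legit and not dom.endswith("." + legit):
            reasons.append(f"mentions {brand} but sent from {dom}")

    # Trait 3: the link is a PDF hosted on someone else's SharePoint tenant
    # or on an external document host, not on our own infrastructure.
    for url in msg.links:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not parsed.path.lower().endswith(".pdf"):
            continue
        if host.endswith(".sharepoint.com") and host != ORG_SHAREPOINT_HOST:
            reasons.append(f"PDF on foreign SharePoint tenant {host}")
        elif host != ORG_SHAREPOINT_HOST and not host.endswith(ORG_DOMAIN):
            reasons.append(f"PDF hosted externally at {host}")

    return Verdict(score=len(reasons), reasons=reasons)


def is_suspicious(msg, threshold=2):
    """Two or more independent traits together trigger a hold/alert."""
    return assess(msg).score >= threshold


# Constructed sample messages: a campaign-style lure, a legitimate internal
# file share, and a real voicemail alert from the company's own PBX.
SAMPLES = {
    "lure": Message(
        sender="voicemail@telecom-alerts.invalid",
        subject="New Voicemail Message",
        body="You have a new voice message from Verizon. Listen here.",
        links=["https://othertenant.sharepoint.com/sites/share/Voicemail.pdf"],
    ),
    "internal": Message(
        sender="alice@corp.example",
        subject="Q3 budget",
        body="Attached is the PDF with the numbers.",
        links=["https://corp.sharepoint.com/sites/fin/Q3.pdf"],
    ),
    "pbx": Message(
        sender="pbx@corp.example",
        subject="Missed call and voicemail",
        body="A caller left a voicemail for you.",
        links=["https://pbx.corp.example/msg/123.pdf"],
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = assess(msg)
        print(name, v.score, "SUSPICIOUS" if is_suspicious(msg) else "ok", v.reasons)
```

The PBX sample shows why the threshold matters: a genuine voicemail notification from the organization’s own phone system trips the lure check alone and is left through, while the campaign message accumulates all three traits. In production the same scoring would run on the URL behind the link after redirects, not only on the literal href.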

If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].

LIVE WEBINAR   |   NOV 1   |   2 PM ET / 11 AM PT

The Evolution of Phishing & How We Fight Against It

Join our November 1st webinar at 2pm ET, where dmarcian CEO Tim Draegen, the primary author and advocate of the DMARC standard, and GreatHorn CEO Kevin O’Brien will discuss how phishing tactics have evolved over the years and how email security approaches have had to change to keep up.

By the Numbers: Understanding the Phishing Threat

Infographic of 2018 email security benchmark

Today, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.

So it’s of little surprise that email has also become the single largest platform for Internet Crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).

Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.

So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals – most of whom were involved in email security in some way – to understand the current state of email security. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.

As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.

For example, we learned that the “average” user either doesn’t recognize email threats for what they are or dismisses them under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:

  • Executive or internal impersonations
  • External impersonations (e.g. customers, vendors, partners)
  • Wire transfer requests
  • W2 requests
  • Payload / malware attacks
  • Business services spoofing (e.g. ADP, Docusign, UPS)
  • Credential theft

And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents that had some involvement in email security indicated that one or more of those threats was hitting inboxes.

That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy to spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.

That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well-planned attacks that use social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents – 46% – report impersonations, including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry about most.

More concerning, our study indicates that 1 in 5 organizations has to take some kind of significant remediation action (e.g. suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts, etc.) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.

Given the remediation requirements, it’s no wonder that 56% reported major technical issues with their email security solution today, including:

  • “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
  • “Missing payload attacks” – 16%
  • “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
  • “Weak or no remediation capabilities” – 19%
  • “Negative impact on business operations (e.g. too many false positives)” – 21%

We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?

Want to download the full report? You can do so here.

Email Security Benchmark: First Take

Today we released a benchmark report analyzing email security trends based on data from nearly 300 respondents. We wanted to understand what organizations were facing in terms of threat prevalence, frequency, and severity. We asked questions about the effectiveness of existing security solutions and the importance of email security within the wider landscape of security initiatives.

We had some hypotheses going into it of course, but ultimately, we wanted to learn and let the data speak for itself. That’s why in the report itself, we presented the factual data without much commentary to allow you to draw your own conclusions, but naturally we have our own theories as to what the data indicates.

Take, for example, the discrepancy in the frequency and types of threats that email security professionals report versus what laypeople report. It would be easy to assign that discrepancy to the tired trope about users being “the problem” – that they just aren’t smart enough or careful enough to notice the threats.

But in fact what’s far more likely is that for many users, all unwanted mail is characterized as “spam.” They see the threats, recognize them as attacks, and dismiss them immediately by simply deleting them. This behavior may feel like safe behavior to the user because they’ve recognized and neutralized a potential threat quickly, but in fact, by not reporting such threats, they’re perpetuating the problem. A recent Verizon report indicates that just 17% of all phishing attempts are reported, and – of greater concern – one in 25 recipients will interact with any given phishing attack.

Over the coming weeks, we’ll explore different aspects of our report. Tell us what you think the report indicates – and stay tuned for more analysis!


How Confident Should You Be About Google Confidential Mode?

Google recently released a variety of security features to enhance, among other things, the user experience within Gmail (note that I use Gmail and not G Suite; this will become an important distinction). While many of these features were good steps for Google, one particular “security” feature has been met with heightened scrutiny from the security community. This feature is the ability to send “confidential” messages. Beyond the limitations and shortcomings of the confidential messaging features being discussed amongst concerned users, the feature has now caught the attention of the Department of Homeland Security.

Conceptually, the confidential messaging feature provides a way to send certain messages more securely within Gmail. End users can set expiration dates on messages, require SMS authentication before a message can be read, and send messages with the assurance that they cannot be printed or forwarded. Aside from the debate around how novel the methodology is, the means by which these messages are delivered raises questions about how secure they truly are. Namely, how ripe are confidential messages for spoofing attempts?

Two scenarios come to mind. When a G Suite user sends a confidential message to another G Suite user, the recipient views the content directly in Gmail without needing to go to a secondary webpage. Under this scenario, the message never truly leaves the Google ecosystem (confidential messages always reside on Google servers). That said, nothing is preventing a confidential message from including malicious content such as a nefarious URL or attachment.

The second scenario deals with non-Gmail recipients, or Gmail users accessing mail in a client other than the Gmail client. Upon receiving a confidential message under one of these conditions, the user is brought to a webpage where they are prompted to enter their Google credentials. The same caveat about malicious content applies here, but attackers can also seamlessly impersonate this workflow to steal credentials.

Under both scenarios, an attacker is exploiting user trust: not only is the user receiving a message in his or her inbox, but it is being sent “confidentially.” These types of tactics have been used for years as a way to engender trust between sender and recipient, but now Google has programmatically introduced a heightened level of trust seemingly without the means to prevent the feature from being exploited for nefarious purposes.

And as previously mentioned, the G Suite versus Gmail distinction is key: the confidential messaging feature is available and functions in the same fashion in both the free version as well as the paid G Suite platform. In other words, attackers can register Gmail accounts for free, set their display name to that of a business contact known to the recipient, and send these confidential messages as if they are the stated sender.

So how concerned should you be? From a professional perspective, the answer is, “it depends.” As a natural part of security awareness training, you are likely already emphasizing to your users that clicking on unexpected links is a bad practice. Unfortunately, training and real-world habits are often worlds apart.

If the notification of a confidential message is itself being spoofed, then your email security solution will treat it the same way that it treats other business service impersonation and credential theft attempts. When it comes to legitimate confidential messages being sent for potentially nefarious means, however, we open up a whole other can of worms. We recommend checking with your email security provider about this scenario in particular to understand how it addresses this scenario.

Our customers can rest assured that GreatHorn is able to address both of the above scenarios. GreatHorn’s email security platform relies on anomaly detection based on deep relationship analytics and adaptive user / organizational profiling. Regardless of the intent, GreatHorn is still able to, among other things:

  • Gauge the relationship, or lack thereof, between senders and recipients;
  • Determine whether or not the specific address being used has been seen before; and
  • Scrutinize other key information about the sender.

All of this is possible even when confidential messaging is being used.

In situations where Google’s confidential messaging is being impersonated, GreatHorn will analyze all of the above characteristics to gauge whether or not it is a legitimate confidential message as well as determine if the URL in the message is unusual or malicious.
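The three checks listed above can be expressed as a per-recipient sender profile. The following Python class is an added example, not GreatHorn’s implementation and not code from Google: it records which addresses and display names have previously mailed each recipient and which hosts each sender has linked to, then reports first-contact senders, a known contact’s display name arriving from a different address (the free Gmail account scenario described above), and an established sender linking to a never-before-seen host. The recipient, the contact, the addresses and the link hosts are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse


class RelationshipProfile:
    """Per-recipient memory of who has mailed them, under which display
    name, and which hosts each sender has linked to. The data model is
    constructed for this example."""

    def __init__(self):
        self.senders = defaultdict(set)                      # recipient -> {address}
        self.names = defaultdict(lambda: defaultdict(set))   # recipient -> name -> {address}
        self.link_hosts = defaultdict(set)                   # address -> {host}

    @staticmethod
    def _host(url):
        return (urlparse(url).hostname or "").lower()

    def observe(self, recipient, sender, display_name, links=()):
        """Record a message the recipient has already accepted as legitimate."""
        sender = sender.lower()
        self.senders[recipient].add(sender)
        self.names[recipient][display_name.strip().lower()].add(sender)
        for url in links:
            self.link_hosts[sender].add(self._host(url))

    def evaluate(self, recipient, sender, display_name, links=()):
        """Return the anomalies a new message shows against the history."""
        sender = sender.lower()
        name = display_name.strip().lower()
        findings = []

        first_contact = sender not in self.senders[recipient]
        if first_contact:
            findings.append("first contact: this recipient has never received mail from the address")

        # The display name belongs to a contact this recipient knows, but the
        # address is not one that contact has used before.
        known = self.names[recipient].get(name)
        if known and sender not in known:
            findings.append(f"display name '{display_name}' matches a known contact "
                            f"at {sorted(known)} but the address differs")

        for url in links:
            host = self._host(url)
            if first_contact:
                findings.append(f"first-contact sender links to {host}")
            elif host not in self.link_hosts[sender]:
                findings.append(f"established sender links to never-before-seen host {host}")
        return findings


def build_sample_profile():
    """Constructed history: pat@corp.example regularly receives mail from a
    partner contact who shares documents from the partner's own host."""
    profile = RelationshipProfile()
    for _ in range(3):
        profile.observe("pat@corp.example", "dana.reyes@partner.example", "Dana Reyes",
                        ["https://docs.partner.example/report.pdf"])
    return profile


if __name__ == "__main__":
    profile = build_sample_profile()
    # A free-mail account reusing the known contact's display name, with a
    # "view your confidential message" style link the contact never used.
    print(profile.evaluate("pat@corp.example", "dana.reyes.ext@gmail.com", "Dana Reyes",
                           ["https://view-confidential.example/open"]))
    # The genuine contact, linking to the same host as always: no findings.
    print(profile.evaluate("pat@corp.example", "dana.reyes@partner.example", "Dana Reyes",
                           ["https://docs.partner.example/q3.pdf"]))
```

The same profile also covers the compromised-account case from the second scenario: a sender the recipient has corresponded with for months who suddenly links to an unfamiliar host produces a single finding rather than silence, which is the signal worth routing to a reviewer even though the address itself is trusted.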

Are you excited or concerned about Google’s new feature? Give us your view by commenting on the blog below.

FS-ISAC Cyberattack: Another Stark Reminder That Anyone Can Get Phished

Cybersecurity journalist Brian Krebs reported today that the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, was the victim of a successful phishing attack.

An FS-ISAC employee “clicked on a phishing email compromising that employee’s login credentials.” Using the credentials, a threat actor created an email with a PDF that had a link to a credential harvesting site, which was then sent from the employee’s email account to select member affiliates and other employees.

While the incident was contained, it is a stark reminder that anyone – even cybersecurity professionals – can get phished. In an interview with Krebs, FS-ISAC executives noted that the attack that tricked the employee into giving away email credentials wasn’t particularly sophisticated.

Although the organization regularly delivers security awareness training to staff members, this incident underscores many of the core beliefs we have at GreatHorn.

  • Security awareness training, while necessary, is not enough. It is unrealistic to rely on employees to correctly identify a phishing attempt 100% of the time. In fact, a report from Forrester noted that among all tracked breaches (in 2015), the statistical difference between organizations that received training and those that didn’t was only 4%.
  • Automated security controls to protect against phishing, social engineering and other email-based threats should be a foundational layer of any security program.
  • New approaches to email security in the cloud are essential. Legacy email security gateway tools by design are not capable of protecting against phishing and other advanced threats targeting your employees’ inboxes.

To learn more about GreatHorn’s modern, cloud-native approach to email security for Office 365 and Google G Suite, listen to our most recent webinar: 4 Reasons Why It’s Time to Rethink Email Security.
