Bytesize security: Impersonation tactics fail to fool Darktrace AI
23
Oct 2022
23
Oct 2022
In this blog, a Darktace analyst explores common email impersonation techniques seen by the SOC team and explains how DETECT/Email is able to identify them.
Two of the most popular ways threat actors send malicious emails is through the use of spoofing and impersonation tactics. While spoofed emails are sent on behalf of a trusted domain and obscure the true source of the sender, impersonation emails come from a fake domain, but one that may be visually confused for an authentic one. In order to identify impersonation tactics in a suspicious email, we should first ask why an attacker might utilize an impersonation approach over spoofing.
In contrast to domain spoofing, which lacks validation and can be readily detected by email security gateway softwares, impersonation with a lookalike domain allows attackers to send emails with full SPF and DKIM validation, making them appear legitimate to many security gateways. This blog will explore impersonation tactics and how Darktrace/Email protects against them.
There are two distinct ways to leverage impersonation tactics:
1. Impersonating the domain
2. Impersonating a real user from that domain
Domain impersonation is often implemented with the use of ‘confusable characters’. This involves misspelling through the use of character substitutions which make the domain look as visually similar to the original as possible (eg. m rn, o 0, l I). Threat actors can then also impersonate a real user by adding the the personal field of that user’s email to the new, malicious domain. Comparing impersonation emails with legitimate emails highlights how similar these malicious email addresses are to the real thing (Figure 1).
Figure 1- Email log that highlights the impersonated emails from “Mike Lewis” from the domain “smartercornmerce[.]net”. Along with the impersonated domain, the attackers attempt to impersonate the known user, “Mike Lewis” as well. The use of both distinct types of impersonation categorize the email as what Darktrace/Email refers to as a Double Impersonation email.
Figure 2- Email Summary details of one of the malicious double impersonation emails that was sent by the impersonated sender, “Mike Lewis” from “smartercornmerce[.]net”, that highlights the various anomaly indicators that Darktrace/Email detected, as well the various tags and actions it applied.
Darktrace/Email uses AI which analyses impersonation emails by comparing the ‘From’ header domains of emails against known external domains and generates a percentage score for how likely the domain is to be an imitation of the known domain (Figure 3).
Figure 3- Darktrace compares the external sender, “mike.lewis@smartercornmerce[.]net”, with similar external names and domains that have been observed in different inbound emails on the network.
Impersonation emails are also detected via spoof score metrics such as Domain External Spoof Score and Domain Internal Spoof Score (Figure 4).
Figure 4- Darktrace AI analyzed the malicious double impersonation email from Figure 2 and generated a high Domain External Spoof Score (100) and Spoof Score External (94)
Double Impersonation emails such as the one highlighted in Figure 2 are utilized by threat actors to gain the trust of the recipient and convince them to access malicious payloads such as phishing links and attachments. For example, the malicious double impersonation email from Figure 2 contained a suspicious hidden link to a Wordpress site which could have redirected the user to a phishing endpoint and tricked them into divulging sensitive information (Figure 5). The endpoint itself appears to lead unsuspecting recipients to a false share link posing as a payment-themed Excel file.
Figure 5- Details of the Wordpress link embedded in the suspicious email, which was hidden beneath display text to convince a user to click it without knowledge of where it would lead. The domain has a 100% rarity according to Darktrace AI.
Figure 6- Wordpress webpage that highlights another link for the user to click in order to be redirected to the invoice statement in a Microsoft Excel document.
Various indicators highlighted the webpage as suspicious and potentially malicious. Firstly, the use of ‘SmarterCORNmerce’ in the link to the webpage was at odds with the use of SmarterCOMMERCE throughout the page itself. The link also showed the invoice statement to be an Microsoft Excel file, despite the email suggesting it was a PDF document. Further investigation revealed the link to be associated with a Fleek hosting service and CDN (Figure 7), and that it redirected users to a fake Microsoft page.
Figure 7 - Source code from the Wordpress webpage shows that the fake Microsoft link redirects users to a Fleek hosted page. This page may contain additional javascript content to download malware onto the user’s device.
As well as the domain spoof score metrics highlighted in Figure 4, Darktrace/Email analyses the suspicious payloads embedded in emails and generates scores to indicate the likelihood that a payload may be a phishing attempt.
Figure 8- Additional metrics for the double impersonation email that highlight the high phishing inducement score (96) for the email.
As the DETECT functionality of Darktrace/Email generates high scores metrics such as Domain External Spoof Score and Phishing Inducement, the RESPOND function will fire complementary models which then trigger relevant actions on the various payloads embedded in these emails and even the delivery of the emails themselves. As the impersonation email highlighted in Figure 2 impersonated not only the trusted domain but the known and trusted sender, Darktrace AI triggers the Double Impersonation model. Additional spoofing models such as ‘Basic Known Entity Similarities + Suspicious Content’ and ‘External Domain Similarities + Maximum Similarity’ were also triggered, indicating the high possibility that the suspicious email is a domain and user impersonation email sent by a malicious attacker.
Figure 9- The Email console highlights the different models the email triggered, including the Basic Known Entity Similarities + Suspicious Content and External Domain Similarities + Maximum Similarity model breaches and the various models that triggered significant actions in response to the potentially malicious impersonation email.
When Darktrace/Email detects a malicious double impersonation email, it responds by triggering a Hold action, preventing the email from appearing in the recipient’s inbox. Darktrace/Email’s RESPOND functionality could also take action against the suspicious link payloads embedded in the email with a Double Lock Link action. This will prevent users from attempting to click on malicious phishing links. Such actions highlight how Darktrace/Email excels in using AI to detect and take action against potentially malicious impersonation emails that may be prevalent in any user’s inbox.
Though impersonation is becoming increasingly targeted and efficient, Darktrace/Email has both detection and response capabilities that can ensure customers have secure coverage for their email environments.
Thanks to Ben Atkins for his contributions to this blog.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NEWSLETTER
Like this and want more?
Stay up to date on the latest industry news and insights.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
08
May 2024
Why do we pay attention to the end user?
Every email security solution filters inbound mail, then typically hands over false positives and false negatives to the security team for manual triage. A crucial problem with this lifecycle is that it ignores the inevitability of end users being at the front line of any organization. Employees may receive point in time security awareness training, but it is rarely engaging or contextualized to their reality. While an employee may report a suspicious-looking email to the security team, they will rarely get to understand the outcome or impact of that decision. This means that the quality of reporting never improves, so the burden on the security team of triaging these emails – of which 90% are falsely reported – persists and grows with the business over time.
At Darktrace, we recognize that employees will always be on the front line of email security. That’s why we aim to improve end-user reporting from the ground up, reducing the overall number of emails needing triage and saving security team resource.
How does Darktrace improve the quality of end-user reporting?
Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one. We train users and optimize their experience, which in turn provides better detection.
That starts with training and security awareness. Traditionally, organizations oblige employees to attend point-in-time training sessions which interrupt their daily work schedules. With Darktrace/Email, if a message contains some potentially suspicious markers but is most likely safe, Darktrace takes a specific action to neutralize the risky components and presents it to the user with a simple narrative explaining why certain elements have been held back. The user can then decide whether to report this email to the security team.
Figure 1: AI shares its analysis in context and in real time at the moment a user is questioning an email
The AI narrative gives the user context for why their specific email may carry risk, putting their security awareness training into practice. This creates an element of trust with the security solution, rather than viewing it as outside of daily workflows. Users may also receive a daily or weekly digest of their held emails and make a decision on whether to release or report them.
Whatever the user’s existing workflow is for reporting emails, Darktrace/Email can integrate with it and improve its quality. Our add-in for Outlook gives users a fully optimized experience, allowing them to engage with the narratives for each email, as well as non-productive mail management. However, if teams want to integrate Darktrace into an existing workflow, it can analyze emails reported to an internal SOC mailbox, the native email provider’s 'Report Phish’ button, or the ‘Knowbe4’ button.
By empowering the user with contextual feedback on each unique email, we foster employee engagement and elevate both reporting quality and security awareness. In fact, 60% fewer benign emails are reported because of the extra context supplied by Darktrace to end users. The eventual report is then fed back to the detection algorithm, improving future decision-making.
Reducing the amount of emails that reach the SOC
Out of the higher-quality emails that do end up being reported by users, the next step is to reduce the amount of emails that reach the SOC.
Once a user reports an email, Darktrace will independently determine if the mail should be automatically remediated based on second level triage. Darktrace/Email’s Mailbox Security Assistant automates secondary triage by combining additional behavioral signals and the most advanced link analysis engine we have ever built. It detects 70% more sophisticated malicious phishing links by looking at an additional twenty times more context than at the primary analysis stage, revealing the hidden intent within interactive and dynamic webpages. This directly alleviates the burden of manual triage for security analysts.
Following this secondary triage the emails that are deemed worthy of security team attention are then passed over, resulting in a lower quantity and higher quality of emails for SOC manual triage.
Centralizing and speeding analysis for investigations
For those emails that are received by the SOC, Darktrace also helps to improve triage time for manual remediation.
AI-generated narratives and automated remediation actions empower teams to fast-track manual triage and remediation, while still providing security analysts with the necessary depth. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. With all security workflows consolidated within a unified interface, users can analyze and take remediation actions without the need to navigate multiple tools, such as e-discovery platforms – eliminating console hopping and accelerating incident response.
Our customers tell us that our AI allows them to go in-depth quickly for investigations, versus other solutions that only provide a high-level view.
Figure 2: Cyber AI Analyst provides a simple language narrative for each reported email, allowing teams to quickly understand why it may be suspicious
Conclusion
Unlike our competitors, we believe that improving the quality of users’ experience is not only a nice-to-have, but a fundamental means for improving security. Any modern solution should consider end users as a key source of information as well as an opportunity for defense. Darktrace does both – optimizing the user experience as well as our AI learning from the user to augment detection.
The benefits of empowering users are ultimately felt by the security team, who benefit from improved detection, a reduction in manual triage of benign emails, and faster investigation workflows.
Augmented end user reporting is just one of a range of features new to Darktrace/Email. Check out the latest Innovations to Darktrace/Email in our recent blog.
Detecting Attacks Across Email, SaaS, and Network Environments with Darktrace’s AI Platform Approach
30
Apr 2024
The State of AI in Cybersecurity
In a recent survey outlined in Darktrace’s State of AI Cyber Security whitepaper, 95% of cyber security professionals agree that AI-powered security solutions will improve their organization’s detection of cyber-threats [1]. Crucially, a combination of multiple AI methods is the most effective to improve cybersecurity; improving threat detection, accelerating threat investigation and response, and providing visibility across an organization’s digital environment.
In March 2024, Darktrace’s AI-led security platform was able to detect suspicious activity affecting a customer’s email, Software-as-a-Service (SaaS), and network environments, whilst its applied supervised learning capability, Cyber AI Analyst, autonomously correlated and connected all of these events together in one single incident, explained concisely using natural language processing.
Attack Overview
Following an initial email attack vector, an attacker logged into a compromised SaaS user account from the Netherlands, changed inbox rules, and leveraged the account to send thousands of phishing emails to internal and external users. Internal users fell victim to the emails by clicking on contained suspicious links that redirected them to newly registered suspicious domains hosted on same IP address as the hijacked SaaS account login. This activity triggered multiple alerts in Darktrace DETECT™ on both the network and SaaS side, all of which were correlated into one Cyber AI Analyst incident.
In this instance, Darktrace RESPOND™ was not active on any of the customer’s environments, meaning the compromise was able to escalate until their security team acted on the alerts raised by DETECT. Had RESPOND been enabled at the time of the attack, it would have been able to apply swift actions to contain the attack by blocking connections to suspicious endpoints on the network side and disabling users deviating from their normal behavior on the customer’s SaaS environment.
Nevertheless, thanks to DETECT and Cyber AI Analyst, Darktrace was able to provide comprehensive visibility across the customer’s three digital estate environments, decreasing both investigation and response time which enabled them to quickly enact remediation during the attack. This highlights the crucial role that Darktrace’s combined AI approach can play in anomaly detection cyber defense
Attack Details & Darktrace Coverage
1. Email: the initial attack vector
The initial attack vector was likely email, as on March 18, 2024, Darktrace observed a user device making several connections to the email provider “zixmail[.]net”, shortly before it connected to the first suspicious domain. Darktrace/Email identified multiple unusual inbound emails from an unknown sender that contained a suspicious link. Darktrace recognized these emails as potentially malicious and locked the link, ensuring that recipients could not directly click it.
Figure 1: Suspected initial compromise email from an unknown sender, containing a suspicious link, which was locked by Darktrace/Email.
2. Escalation to Network
Later that day, despite Darktrace/Email having locked the link in the suspicious email, the user proceeded to click on it and was directed to a suspicious external location, namely “rz8js7sjbef[.]latovafineart[.]life”, which triggered the Darktrace/Network DETECT model “Suspicious Domain”. Darktrace/Email was able to identify that this domain had only been registered 4 days before this activity and was hosted on an IP address based in the Netherlands, 193.222.96[.]9.
3. SaaS Account Hijack
Just one minute later, Darktrace/Apps observed the user’s Microsoft 365 account logging into the network from the same IP address. Darktrace understood that this represented unusual SaaS activity for this user, who had only previously logged into the customer’s SaaS environment from the US, triggering the “Unusual External Source for SaaS Credential Use” model.
4. SaaS Account Updates
A day later, Darktrace identified an unusual administrative change on the user’s Microsoft 365 account. After logging into the account, the threat actor was observed setting up a new multi-factor authentication (MFA) method on Microsoft Authenticator, namely requiring a 6-digit code to authenticate. Darktrace understood that this authentication method was different to the methods previously used on this account; this, coupled with the unusual login location, triggered the “Unusual Login and Account Update” DETECT model.
5. Obfuscation Email Rule
On March 20, Darktrace detected the threat actor creating a new email rule, named “…”, on the affected account. Attackers are typically known to use ambiguous or obscure names when creating new email rules in order to evade the detection of security teams and endpoints users.
This rule was seemingly created with the intention of obfuscating the sending of malicious emails, as the rule would move sent emails to the "RSS Feeds” folder, a commonly used tactic by attackers as the folder is often left unchecked by endpoint users. Interestingly, Darktrace identified that, despite the initial unusual login coming from the Netherlands, the email rule was created from a different destination IP, indicating that the attacker was using a Virtual Private Network (VPN) after gaining a foothold in the network.
Figure 2: Hijacked SaaS account making an anomalous login from the unusual Netherlands-based IP, before creating a new email rule.
6. Outbound Phishing Emails Sent
Later that day, the attacker was observed using the compromised customer account to send out numerous phishing emails to both internal and external recipients. Darktrace/Email detected a significant spike in inbound emails on the compromised account, with the account receiving bounce back emails or replies in response to the phishing emails. Darktrace further identified that the phishing emails contained a malicious DocSend link hidden behind the text “Click Here”, falsely claiming to be a link to the presentation platform Prezi.
Figure 3: Darktrace/Email detected that the DocSend link displayed via text “Click Here”, was embedded in a Prezi link.
7. Suspicious Domains and Redirects
After the phishing emails were sent, multiple other internal users accessed the DocSend link, which directed them to another suspicious domain, “thecalebgroup[.]top”, which had been registered on the same day and was hosted on the aforementioned Netherlands-based IP, 193.222.96[.]91. At the time of the attack, this domain had not been reported by any open-source intelligence (OSINT), but it has since been flagged as malicious by multiple vendors [2].
Figure 4: External Sites Summary showing the suspicious domain that had never previously been seen on the network. A total of 11 “Suspicious Domain” models were triggered in response to this activity.
8. Cyber AI Analyst’s Investigation
As this attack was unfolding, Darktrace’s Cyber AI Analyst was able to autonomously investigate the events, correlating them into one wider incident and continually adding a total of 14 new events to the incident as more users fell victim to the phishing links.
Cyber AI Analyst successfully weaved together the initial suspicious domain accessed in the initial email attack vector (Figure 5), the hijack of the SaaS account from the Netherlands IP (Figure 6), and the connection to the suspicious redirect link (Figure 7). Cyber AI Analyst was also able to uncover other related activity that took place at the time, including a potential attempt to exfiltrate data out of the customer’s network.
By autonomously analyzing the thousands of connections taking place on a network at any given time, Darktrace’s Cyber AI Analyst is able to detect seemingly separate anomalous events and link them together in one incident. This not only provides organizations with full visibility over potential compromises on their networks, but also saves their security teams precious time ensuring they can quickly scope out the ongoing incident and begin remediation.
Figure 5: Cyber AI Analyst correlated the attack’s sequence, starting with the initial suspicious domain accessed in the initial email attack vector.
Figure 6: As the attack progressed, Cyber AI Analyst correlated and appended additional events to the same incident, including the SaaS account hijack from the Netherlands-based IP.
Figure 7: Cyber AI Analyst correlated and appended additional events to the same incident, including additional users connecting to the suspicious redirect link following the outbound phishing emails being sent.
Conclusion
In this scenario, Darktrace demonstrated its ability to detect and correlate suspicious activities across three critical areas of a customer’s digital environment: email, SaaS, and network.
It is essential that cyber defenders not only adopt AI but use a combination of AI technology capable of learning and understanding the context of an organization’s entire digital infrastructure. Darktrace’s anomaly-based approach to threat detection allows it to identify subtle deviations from the expected behavior in network devices and SaaS users, indicating potential compromise. Meanwhile, Cyber AI Analyst dynamically correlates related events during an ongoing attack, providing organizations and their security teams with the information needed to respond and remediate effectively.
Credit to Zoe Tilsiter, Analyst Consulting Lead (EMEA), Brianna Leddy, Director of Analysis
