Darktrace email finds: IT impersonation attack


Type of attack: Payload delivery; Impersonation
Organization: Charity, US
Time and date: 2020-06-11 07:05 UTC
Mailboxes: <5000
Cyber-criminals often profit from a climate of uncertainty and fear, as it can make people act in haste and ignore warning signs. COVID-19 has created an environment perfect for scammers looking to exploit human error. Spoofing IT departments’ emails is a popular method of social engineering in email attacks. It relies on employees’ tendency to follow orders from authority figures with little or no hesitation. This is further compounded by the increase in work from home and greater reliance on remote interaction with IT support.

Sender information
The attacker had crafted the sender field so that the email appeared to come from the organization's own IT department.
Apparent motive
The emails contained a link whose domain Darktrace's AI identified as 100% rare, meaning no device across the organization had ever previously accessed it. Each link also embedded the recipient's own email address, a pattern typical of links that lead to a fake login page designed to trick an employee into entering credentials or other sensitive data.
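The two link signals described above (a domain never seen before in the organization, and the recipient's address embedded in the link) can be checked mechanically. The following is an added illustration, not Darktrace's code or any part of the original post: the baseline of previously seen domains, the recipient address and the message body are all constructed here, and the link domain is a reserved `.example` name rather than a real site.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Constructed baseline (assumption): link domains that devices in the
# organization have been seen contacting before. A host with no entry here
# and no seen parent domain is the "100% rare" case described in the post.
SEEN_DOMAINS = {"example.org", "office.com", "sharepoint.com", "microsoft.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(body):
    """Return every http(s) URL in a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def domain_candidates(host):
    """Yield the host and each parent domain, stopping short of the bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def is_rare_domain(url, seen=SEEN_DOMAINS):
    """True when neither the host nor any parent domain appears in the baseline."""
    host = urlparse(url).hostname or ""
    return not any(d in seen for d in domain_candidates(host))


def embeds_recipient(url, recipient):
    """True if the recipient address appears in the link, either plainly,
    percent-encoded, or base64/base64url-encoded in a path or query component."""
    rcpt = recipient.lower()
    if rcpt in unquote(url).lower():
        return True
    for part in re.split(r"[/?&=#]", url):
        if len(part) < 8:          # too short to encode an address
            continue
        padded = part + "=" * (-len(part) % 4)
        try:
            blob = base64.urlsafe_b64decode(padded)
        except ValueError:         # binascii.Error is a ValueError subclass
            continue
        if rcpt in blob.decode("utf-8", "ignore").lower():
            return True
    return False


def triage_links(body, recipient):
    """Score each link; 'hold' is set when it is both rare and recipient-specific."""
    findings = []
    for url in extract_urls(body):
        rare = is_rare_domain(url)
        personalised = embeds_recipient(url, recipient)
        findings.append({"url": url, "rare_domain": rare,
                         "embeds_recipient": personalised,
                         "hold": rare and personalised})
    return findings


# Constructed sample in the shape the post describes (not the real email).
RECIPIENT = "jdoe@example.org"
ENCODED = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_BODY = f"""IT Helpdesk: your mailbox password expires today.
Verify now: https://it-helpdesk-verify.example/auth?user=jdoe%40example.org
Or use the direct link: https://it-helpdesk-verify.example/l/{ENCODED}
Reference: https://www.office.com/help/password-policy.
"""

if __name__ == "__main__":
    for f in triage_links(SAMPLE_BODY, RECIPIENT):
        print(f)
```

Run stand-alone, the two `it-helpdesk-verify.example` links are flagged for hold (rare domain plus embedded recipient) while the `office.com` reference link is not. The base64 check matters because tracking-style links often carry the address encoded rather than in clear text; treating a rare domain alone as a hold signal would generate noise from every newly adopted SaaS vendor, so the example requires both signals.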

Figure 2: The anomalous link in question
Antigena Email’s actions
Delivery action: Hold message
Antigena Email took its strongest action on this incoming email campaign, preventing the emails from reaching any recipients.
Why did this attack bypass other email security solutions?
Spoofing involves forging some visible aspect of the email headers, most often the display name or the From address. Attackers use this technique to make an email appear to come from someone the recipient recognizes, such as the IT department or a company executive. In this case the disguise was enough to pass the existing security solutions, and could well have led a recipient to click the link and enter their credentials had Antigena Email not been in place.
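Display-name spoofing of the kind described here is cheap to attempt and cheap to check for. The following is an added example, not Darktrace's detection logic or any code from the original post: it parses the From and Reply-To headers of two constructed messages and reports the mismatches a reviewer would look for. The organization domain `example.org`, the keyword list and both sample messages are assumptions made for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"   # assumption: the organization's own mail domain

# Words an attacker uses in a display name to pose as internal support.
IT_WORDS = re.compile(r"\bIT\b|(?i:help ?desk|service desk|support)")

# An address-shaped string hidden inside the display name, e.g.
# "IT Helpdesk <it-support@example.org>" <alerts@attacker.example>
ADDR_IN_NAME = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return a list of spoofing indicators found in From / Reply-To."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    if IT_WORDS.search(name) and from_domain != ORG_DOMAIN:
        findings.append("display name claims internal IT but address is external")

    m = ADDR_IN_NAME.search(name)
    if m and m.group(0).lower() != addr.lower():
        findings.append("display name contains an address different from the real From")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


# Constructed samples (not the real messages from the incident).
SPOOFED_SAMPLE = """From: "IT Helpdesk <it-support@example.org>" <alerts@mail-notify.example>
Reply-To: recover@collect-creds.example
To: jdoe@example.org
Subject: Action required: password expiry

Your password expires today. Verify it at the link below.
"""

LEGIT_SAMPLE = """From: IT Helpdesk <helpdesk@example.org>
To: jdoe@example.org
Subject: Planned maintenance this weekend

Email will be unavailable Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, header_findings(sample))
```

The spoofed sample trips all three checks; the legitimate internal notice trips none. Checks like these only look at what the recipient sees, so they complement rather than replace SPF, DKIM and DMARC enforcement on the receiving side, which is what actually proves whether the From domain was authorised to send the message.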