How Scammers Are Bypassing Your Email Security Measures

A Macbook loading Gmail on Safari

Written by: Jay H.

Phishing campaigns are regular occurrences; in fact, 1 in every 99 emails sent is a phishing attack. Although security controls exist to block these scam attempts, scammers employ methods to bypass those defences. Email security vendor Armorblox found several examples of emails that made it into users’ inboxes and provided tips for defending against these attacks.

Facebook Phishing Attack

Facebook impersonation phishing email

Image: Armorblox

In this phishing campaign, attackers impersonating Facebook sent users an email claiming Facebook had limited the victim’s account because of a security issue. With the subject line “Reminder: Account Verification”, the sender name “Facebook”, and a sender address of “[email protected]”, the scammers instructed the recipient to click a link and log into their account.

Should the recipient follow the link, they would find a phishing site masquerading as a genuine Facebook login portal. Those with keen eyes would notice that the page’s parent domain is “sliderdoyle[.]com”, which has nothing to do with Facebook and should give the page away as illegitimate. However, unsuspecting users may fall victim without thinking to check the URL, and the scammers would then harvest any credentials they entered.

Scammers used various techniques to make this campaign effective. These included social engineering, brand impersonation, compromising existing email workflows, domain spoofing, and sender name spoofing.

This email bypassed both Cisco ESA and Microsoft’s Exchange Online Protection. Alarmingly, Microsoft assigned this email a Spam Confidence Level (SCL) of -1, the value Exchange Online uses for messages that skipped spam filtering altogether (for example, because the sender or source was on an allow list or matched a mail flow rule).

Microsoft Phishing Campaign

Email impersonating Microsoft informing victims that a few of their account subscriptions were close to expiry

Image: Armorblox

Another phishing campaign observed by Armorblox impersonated Microsoft. Using the subject line “Your subscription has expired” with the sender name “Microsoft” and the sender address “[email protected]”, the email could pass for legitimate at a glance. However, the “Reply-To” address differed from the “From” address, a mismatch that is common in scam emails because the attacker wants replies routed to a mailbox they control.

This email told victims that their active subscriptions were expiring soon and prompted them to log into the admin centre to renew them. Clicking the link took users to a phishing page imitating the Microsoft login portal, where the scammers harvested any credentials the victims entered.

The parent domain of the phishing page is “support-outlooks[.]ddns[.]net”, which shows that the attackers used a free dynamic DNS service to host the phishing site rather than registering a domain of their own. Moreover, the typo in the URL (“outlooks” instead of “outlook”) and the length of the URL should signal to users that the site is not legitimate. However, the resemblance to the Microsoft login portal means many users will likely enter their account details anyway.

The attackers used several tactics to trick unsuspecting victims into handing over their credentials. These techniques include social engineering, brand impersonation, compromising existing email workflows, sender name spoofing, and different reply-to and from addresses.

Like the Facebook phishing campaign, this email bypassed both Cisco ESA and Microsoft’s Exchange Online Protection, and it too received a Spam Confidence Level of -1 from Microsoft.

Apple Phishing Attack

Email impersonating Apple informing victims that their Apple ID had been locked

Image: Armorblox

The Armorblox team also witnessed an email campaign impersonating Apple. The email was titled “Re: Your Apple ID has been locked on March 11, 2021 PST,” followed by a reference number. Notably, the sender’s name was “Appie ID”. Although this may look like a typo, it is a deliberate tactic: the misspelling evades filters that match on the exact brand name, while a hurried reader still takes the name for “Apple ID”.

The email claimed that Apple had locked the victim’s Apple ID for security reasons. To create a sense of urgency, attackers insinuated victims had only 12 hours to verify their accounts before their Apple ID would be suspended.

However, this campaign was less sophisticated than the other two, and the phishing page was promptly taken down. Before its removal, the page resembled the Apple login portal and attempted to steal victims’ Apple credentials.

The attackers used Omnisend, an e-commerce email marketing and SMS platform, to set up the phishing page. This is a common trend observed by Armorblox: attackers use free online services because links to reputable, established domains are less likely to be blocked, which increases the success rate of their email attacks.

Attackers used various techniques in this attack, including social engineering, brand impersonation, compromising existing email workflows, sender name spoofing, and leveraging free services to set up a phishing site.

Fortunately, Microsoft assigned this email a Spam Confidence Level of 5 and diverted it into the victims’ junk folders.

Lessons Learned

Scammers employed numerous techniques in an attempt to bypass both security filters and unsuspecting victims. To protect yourself and your organization from these types of email attacks, Armorblox provided several tips:

1. Augment native email security with additional controls

Two emails highlighted in this blog got past Microsoft’s EOP with an assigned Spam Confidence Level (SCL) of -1, meaning they skipped spam filtering entirely rather than being scored and let through. For better protection against email attacks (whether phishing, business email compromise, or 0-day credential phishing attacks like these), organizations should invest in technologies that take a materially different approach to threat detection than the built-in filters.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to execute on their requested actions quickly. Engage with these emails rationally and methodically whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email sender name ‘Appie ID’ instead of ‘Apple ID’, why is Facebook sending this email to my work account, etc.).
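The eye test above can be partly automated on the mailbox side. The script below is an added example written for this article, not Armorblox’s code or tooling: it parses a raw message and checks for the cues called out in the three campaigns (a Reply-To domain that differs from the From domain, a display name that is or closely resembles a known brand while the sending domain is not that brand’s, an SCL of -1 in Microsoft’s X-Forefront-Antispam-Report header, login links hosted on free dynamic DNS services, and a brand name buried in a subdomain of an unrelated parent domain). The sample message, its addresses, IP and URL are constructed for this example; the brand, brand-domain and dynamic-DNS lists are short illustrative assumptions that a real deployment would extend.

```python
"""Mailbox-side triage for the phishing cues described above (added example)."""
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the Microsoft-themed lure in the text.
# Addresses, IP and URL are placeholders for this example, not the campaign's own.
SAMPLE_EMAIL = """\
From: "Microsoft" <billing@example-notify.net>
Reply-To: renewals@example-renew.org
To: jane@corp.example
Subject: Your subscription has expired
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;SCL:-1;SRV:;IPV:NLI;SFV:SKA;
Content-Type: text/html; charset="utf-8"

<p>Your subscriptions are expiring soon.
<a href="https://login.microsoft.com.support-outlooks.ddns.net/admin">Renew in the admin center</a></p>
"""

KNOWN_BRANDS = ("microsoft", "facebook", "apple id", "apple")
# Domains accepted as genuinely brand-owned (assumption; extend per environment).
BRAND_DOMAINS = {"microsoft.com", "outlook.com", "facebook.com", "apple.com"}
# Free dynamic-DNS suffixes worth flagging on login links (assumption: illustrative list).
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
LOOKALIKE_THRESHOLD = 0.8


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; enough for the .com/.net cases here (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_claim(display_name: str):
    """Return (brand, exact): exact when the name is a known brand, inexact for a close lookalike."""
    name = display_name.strip().lower()
    if name in KNOWN_BRANDS:
        return name, True
    best = max(KNOWN_BRANDS, key=lambda b: difflib.SequenceMatcher(None, name, b).ratio())
    score = difflib.SequenceMatcher(None, name, best).ratio()
    return (best, False) if score >= LOOKALIKE_THRESHOLD else (None, False)


def spam_confidence_level(msg):
    """Extract Microsoft's SCL from the X-Forefront-Antispam-Report header, or None."""
    report = msg.get("X-Forefront-Antispam-Report", "")
    m = re.search(r"SCL:(-?\d+)", str(report))
    return int(m.group(1)) if m else None


def link_hosts(msg):
    """Hostnames of every http(s) href in the text parts of the message."""
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in re.findall(r'href=["\'](https?://[^"\'\s>]+)', part.get_content(), re.I):
                hosts.append(urlparse(url).hostname or "")
    return hosts


def triage(raw: str):
    """Run the eye-test checks over one raw message; return a list of (check, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)

    brand, exact = brand_claim(sender.display_name)
    if brand and not exact:
        findings.append(("lookalike-name", f"display name {sender.display_name!r} resembles {brand!r}"))
    if brand and sender_domain not in BRAND_DOMAINS:
        findings.append(("brand-domain-mismatch", f"{brand!r} claimed but sent from {sender_domain}"))

    reply_to = msg["Reply-To"]
    if reply_to:
        reply_domain = registrable_domain(reply_to.addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(("reply-to-mismatch", f"From {sender_domain} but Reply-To {reply_domain}"))

    scl = spam_confidence_level(msg)
    if scl is not None and scl < 0:
        findings.append(("scl-skipped", f"SCL {scl}: message skipped spam filtering"))

    for host in link_hosts(msg):
        parent = registrable_domain(host)
        if host.endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append(("dynamic-dns-link", f"{host} is hosted on a free dynamic DNS service"))
        if brand and parent not in BRAND_DOMAINS and brand.split()[0] in host:
            findings.append(("brand-in-subdomain", f"{host}: brand in a label but parent is {parent}"))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_EMAIL):
        print(f"[{check}] {detail}")
```

Run against the constructed sample, the script reports the brand/domain mismatch, the Reply-To mismatch, the SCL of -1, the dynamic DNS link and the Microsoft label sitting under a ddns.net parent; `brand_claim("Appie ID")` resolves to an inexact match on “apple id”, the same cue a reader is asked to spot by eye. The difflib ratio and the two-label parent-domain heuristic are deliberately simple; a production check would use a public-suffix list and a curated lookalike set rather than these assumptions.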

3. Follow 2FA and password management best practices

Since workplace accounts are closely interlinked, the compromise of credentials for even one of them can prove very dangerous. Cybercriminals who take over an account send emails in your name to trick your customers, partners, acquaintances, and family members.

If you haven’t already, implement these hygiene best practices:

