The common types of spear phish we see today

As 2015 draws near to a close, I thought I’d write a blog post about the type of spear phishes we are seeing lately against our customer base. This is not general brand phish like someone spoofing Paypal, but instead a phisher trying to impersonate your domain, for example, if the domain under attack is woodgrovebank.com, we’re assuming the name of the CEO is John Doe.

1. Spoofing your exact domain in the From: address

   From: John Doe <ceo@woodgrovebank.com>
   To: Jane Roe <cfo@woodgrovebank.com>

   These are the most insidious attacks because if you are using Exchange and Outlook, if the email address matches what is in the Global Address Book, Outlook will pull the picture of the person from Active Directory and display it in the message, fooling you even more that the spoofed sender is legitimate when it is not.
   This is an industry-wide problem and the official solution is for domains to publish SPF, DKIM, and DMARC records if you want to do it yourself. If you can’t, then Exchange Online Protection (EOP) is rolling out its antispoofing solution that works automatically in the absence of SPF, DKIM, and DMARC. This is not something you turn on, we are going to enable it for everybody automatically so your domain is protected from Day 1.

2. Lookalike spoofing
   From: John Doe <ceo@woodgrövebank.com>
   To: Jane Roe <cfo@woodgrovebank.com>

   We have seen an increase in these lately, perhaps 1/10 of all spear phishes. The domain being spoofed is not actually the domain but instead contains a non-Roman alphabet character (or two, or three) in it. As a result, at a glance, it looks like the normal domain but in reality it is not.

   Phishers use this technique to get around SPF, DKIM, and DMARC because they know that the spoofed domain can’t possibly pre-register every single domain that looks like theirs. However, the drawback for phishers is that if the recipient hits reply, unless the phisher has the domain registered with an MX pointing somewhere, the message will go no where. In addition, since the sending domain and email address will not be in the Global Address Book if using Exchange + Outlook, the picture of the person won’t show up; that’s a level of deception that the phisher loses by using this technique.

   We’re aware of this problem in EOP and we our working on it. When we release protection for it, it will be wrapped into our existing antispoofing solution above.

3. ‘Display From’ attacks

   From: John Doe <john.doe@freemailprovider.com>
   To: Jane Roe <cfo@woodgrovebank.com>

   Here, the phisher sends a message to the CFO using his free web mail account, e.g., Gmail, Yahoo, or Outlook.com. The CFO is supposed to interpret this as the CEO not being able to get to his work account and instead sends a message from his mobile device.

   Attacks like these are effective in the sense that it’s possible to create accounts like this fairly easily by scraping around the Internet, looking for LinkedIn profiles, and creating reasonably legitimate-looking accounts at a free web mail provider. The message will also pass SPF, DKIM, and DMARC and will be sent from an IP with good reputation. Using regular language and email accounts may fool some users into thinking it is the real thing.

   The drawback is similar to #2; the Global Address Book will not pull the CEO’s picture and display it in Outlook/Exchange if using those two pieces of software. Also, the full email address will probably be displayed to the end user as it is unlikely to be in the person’s address book.

   As above, we’re aware of this problem. Any solution will go into our existing antispoofing solution above.

   In the interim, what some of our customers have done is create Exchange Transport Rules (ETRs) that say “If the message comes from ‘John Doe’ in the message header (or as a sender property), set the SCL to 9 (or delete the message, or send to quarantine) except of the message header ‘Authentication-Results’ contains the text ‘dmarc=pass action=none header.from=woodgrovebank.com’.

   That is not the only way to do it, of course, and you have to set up a DMARC record; alternatively, you could set up an SPF record and look for the results in that header, too. Anyhow, the idea here is that if John Doe sends to your organization, the message will be marked as spam unless it comes from your own domain. That will stop all Display From spoofs. The drawback is that all of the other John Doe’s in the world will also not be allowed to send email into your organization.

Those are the big three types of phishing attacks were are seeing beyond the regular phishing attacks that have been around for years. As you can see, some of them are addressed by sender authentication, but others are a result of phishers being forced to move to other attacks in response to stronger auth.