Deep dive into Phishing
By Niko Permilovsky
We are all familiar with the Outlook warning that “this email was sent outside of your organization” or the hassle of having to contact your IT department to have them release an invoice you have been waiting for.
Let us talk about why these measures exist, and why they are our current best solution against cybercrime.
Human error is the biggest gap in security
According to the 2024 report by Mimecast, 74% of cybersecurity breaches are caused by human error. This is due to technology improving exponentially while we are not: the weakest link in the chain is our carelessness. It may be that we think it will never happen to us, or that we are tired or stressed under a deadline.
This is why topics such as email phishing, impersonation and spoofing have become increasingly prevalent. It is an effort to educate us on keeping our data safe.
There is another issue with cybersecurity measures. The more measures there are, the more restrictive business operations become. Employees become frustrated with their workflow and start to cut corners to improve efficiency, which leads us back to the first problem.
This is where education comes in; it allows you to develop instincts and judgement so you can make informed decisions in the moment.
The #1 rule that we follow is that if there is even a little bit of suspicion, it is important to investigate.
Anatomy of a malicious email
Below is a screenshot of an email caught by the defenses that we implemented for one of our customers. Data is redacted for privacy.

This email was tailored for this company. The email signature matches an actual signature (from an out-of-office email). The section at the bottom makes it seem like a reply to a legitimate email. The logo was taken from the site.
To the unsuspecting or uneducated eye, this email is convincing.
The email message is also enticing; it lowers your guard and encourages you to check out the link.
The subject is “Timesheet Due Today,” which plays on stress and creates a sense of urgency, further lowering your guard.
Lastly, the link. It has the familiar “loginmicrosoftonline.” It is not clickable like a regular link. The attacker asks you to copy and paste it into the browser. This is because it is text styled as a link, with extra invisible letters within it to avoid automatic detection. We will soon release a guide on demystifying URLs.
This is what the actual link looks like with all the styling removed:

To summarize the tactics used by this email: it targets a specific company to mimic legitimacy and familiarity, it creates a sense of urgency and excitement, and it uses tricks to hide malicious links. It relies on trust and heuristics.
This is why it is important to hide internal emails and addresses, use a streamlined formatting style and investigate when suspicions arise.
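The hidden-letter trick described above can be checked for on the filtering side by comparing the text a plain scan extracts with the text a reader actually sees. The following is an added example, not part of the original article or the customer's defenses; it assumes the invisible letters are either hidden with inline CSS or are zero-width Unicode characters (the article does not say which), and the sample body and the `loginmicrosoftonline.example` address are constructed placeholders.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Inline styles that hide text from the reader (assumed, non-exhaustive list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:font-size|opacity)\s*:\s*0(?![.\d])",
    re.I)
# Loose pattern for something a person would read as a web address.
URLISH = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no closing tag

class TextViews(HTMLParser):
    """Collects body text twice: as a plain scan extracts it, and as rendered."""
    def __init__(self):
        super().__init__()
        self.hidden = []               # one flag per open element: hides content?
        self.raw, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            self.hidden.append(bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden:
            self.hidden.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if not any(self.hidden):
            # Unicode "Cf" characters (zero-width space, joiners) take no space.
            self.visible.append(
                "".join(c for c in data if unicodedata.category(c) != "Cf"))

def disguised_links(html_body):
    """URL-like strings present in the rendered text but absent from a plain scan."""
    views = TextViews()
    views.feed(html_body)
    views.close()
    seen_by_scan = {m.group(0).lower() for m in URLISH.finditer("".join(views.raw))}
    rendered = URLISH.finditer("".join(views.visible))
    return [m.group(0) for m in rendered if m.group(0).lower() not in seen_by_scan]

# Constructed sample: link-coloured text with a zero-size span and a zero-width space.
SAMPLE = ('<p>Copy this into your browser: <span style="color:#0563c1">login'
          '<span style="font-size:0">qx</span>microsoft\u200bonline.example'
          '<span style="display:none">zz</span>/timesheet</span></p>')

if __name__ == "__main__":
    print(disguised_links(SAMPLE))
```

A non-empty result means the message shows the reader an address that a plain text scan of the same body would not find, which is worth quarantining for review.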