The use of mobile messaging apps and social media has drastically increased in popularity over the past decade, completely reshaping the way we communicate in our personal lives. Despite this trend, in the workplace email remains the preferred method of communication. There is no doubt that the way email is used will continue to evolve along with the people who use it[1]: from initiating password resets to tracking package delivery status, it will extend our connection to the brands and services we associate with. As these changes occur, cyber criminals will also adapt their techniques to the changing landscape.
Email-borne threats change and materialize every minute, from sophisticated ransomware attacks to advanced impersonation tactics such as Business Email Compromise (BEC), CEO fraud and targeted phishing campaigns.
Cyber criminals continue to find creative ways to entice email recipients to open these increasingly malicious messages, which can expose them to content with the potential to cause significant financial and/or data loss.
According to our recent Email Threat Report, impersonation attacks, CEO fraud and business email compromise (BEC) showed a steady increase in Q1 2019 and are projected to rise through Q2 2019. Cyber criminals impersonate executives, senior managers and supply chain partners to dupe employees into authorizing fraudulent wire transfers or providing confidential information. Impersonation attacks can cost companies billions of dollars and severely damage their reputation.
Figure 1: Impersonation attack attempts trend upward in Q1 2019.
While impersonation attacks increased, the report also showed that phishing attacks were up 17% in the first quarter of 2019 compared to Q4 2018.
Figure 2: Most common brands[2] detected in phishing attacks, Q1 2019.
The prevalence of Microsoft Office 365 has led bad actors to target Office 365, along with OneDrive, which is part of the Microsoft Office suite. Often the intent is to harvest corporate credentials in order to take over accounts.
If a corporate end-user account is taken over, it is often used for malicious activities originating from a legitimate, trusted email address, for purposes such as:
- Distributing malware internally
- Spear phishing accounts with elevated privileges
- Executive business email
- Targeting customers and partners
- Reconnaissance of the environment
- Access to VPNs or other cloud services to further infiltrate the corporation
To the unwitting user, a phishing email often looks like a legitimate message from an established company's support team asking them to reconfirm their account details. Attackers spoof everything, from sender email addresses to brand look and feel, to dupe recipients into providing passwords and other confidential information. Office 365, Dropbox, Slack and other SaaS services are popular targets, and once access to an account is obtained, attackers can easily entrench themselves in the network and expand their access within the organization.
The following illustrates a common phishing attack:
Figure 3: Example email-based attack with Office 365 branding.
Figure 4: FireEye Email Security URL screenshot of a Microsoft Office 365 landing page.
Tactics used and importance of having visibility
IT professionals know how critical effective email security is, and phishing is the most potent tool in the attacker's toolbox. Malicious URLs embedded within message text can be difficult for most email security solutions to detect, and a URL can be weaponized after it has passed as clean, to further avoid detection. For example, during business hours the URL within an email leads to a phishing webpage, but during off hours the same link leads to a blank HTML page.
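As an added illustration (not FireEye's own code), the following Python re-scans URLs taken from already-delivered messages and flags those that served a clean page in an earlier fetch but a credential-harvesting page later, which is the post-delivery weaponization described above; the password-form heuristic, URLs and timestamps are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Snapshot:
    """One fetch of a URL taken from an already-delivered email."""
    url: str
    fetched_at: str  # ISO-8601 fetch time
    html: str

    def harvests_credentials(self) -> bool:
        # Heuristic: a form with a password field is a credential-harvest page.
        has_form = re.search(r"<form\b", self.html, re.I)
        has_pw = re.search(r'<input[^>]+type=["\']?password', self.html, re.I)
        return bool(has_form and has_pw)

def find_weaponized(snapshots: list[Snapshot]) -> dict[str, list[str]]:
    """Return {url: [fetch times]} for URLs clean in an earlier fetch but
    serving a credential-harvest page later. A URL malicious from the first
    fetch is not reported: it is caught at delivery; these need a retroactive alert."""
    by_url: dict[str, list[Snapshot]] = {}
    for snap in snapshots:
        by_url.setdefault(snap.url, []).append(snap)
    flagged: dict[str, list[str]] = {}
    for url, snaps in by_url.items():
        seen_clean = False
        for snap in sorted(snaps, key=lambda s: s.fetched_at):
            if not snap.harvests_credentials():
                seen_clean = True
            elif seen_clean:
                flagged.setdefault(url, []).append(snap.fetched_at)
    return flagged

# Constructed sample pages: blank page (off-hours fetch) and look-alike
# sign-in page (business-hours fetch). No real site is contacted.
BLANK_PAGE = "<html><head></head><body></body></html>"
LOGIN_PAGE = ('<html><body><form method="post" action="/login">'
              '<input type="email" name="loginfmt">'
              '<input type="password" name="passwd">'
              '<input type="submit" value="Sign in"></form></body></html>')

# Constructed scan history (hypothetical URLs): doc1 flips from blank to
# login page after delivery; doc2 was a login page from the first fetch.
SAMPLE_SNAPSHOTS = [
    Snapshot("https://files.example.invalid/doc1", "2019-04-01T02:00:00Z", BLANK_PAGE),
    Snapshot("https://files.example.invalid/doc1", "2019-04-01T10:00:00Z", LOGIN_PAGE),
    Snapshot("https://files.example.invalid/doc2", "2019-04-01T02:00:00Z", LOGIN_PAGE),
    Snapshot("https://files.example.invalid/doc2", "2019-04-01T10:00:00Z", LOGIN_PAGE),
]
```

Running `find_weaponized(SAMPLE_SNAPSHOTS)` reports only doc1, which is the message that now needs a retroactive quarantine.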
FireEye's Email Security - Server Edition, which integrates various signature, analytics and machine learning plugins to detect URL-based email phishing attacks, lets IT admins instantly inspect, at any time, the webpages that embedded URLs lead to. FireEye PhishVision uses deep learning to compile screenshots of trusted and commonly targeted brands and compare them against the web and login pages referenced by URLs contained in an email. This methodology allows FireEye to identify phishing attacks and also provides some awareness of which brand identity is being targeted.
Figure 5: Office Web Access login URL.
Figure 6: Example OneDrive phishing URL.
The URL screenshot function shows at a glance what the malicious phishing URLs looked like to the recipient. This gives the analyst an overview of how convincing a URL landing page would have been as a place to enter credentials, and is also useful for reporting and user awareness training.
Having the ability to analyze credential harvesting threats helps IT teams mitigate risk. This insight also supports adaptive response measures: correlating with other internal technologies and validating whether there was any impact to the organization. By reducing detection and response latencies, defenders limit damage and, ultimately, prevent future threats.
Figure 7: Overview of grouped alerts for admins to
At a glance you can drill down into any prioritized alerts, such as retroactive detections, or sort by specific threat types. For example, many analysts want to review retroactive alert detections or never-before-seen threats, as highlighted in Figure 7.
FireEye provides complete alert prioritization to help IT admins understand the severity of alerts, along with intelligence about the tactics, techniques and procedures, and in-depth forensic analysis such as the endpoint and network behavior along with the overall
Using this information, FireEye can automate responses and automatically quarantine emails identified retroactively, such as spear phishing URLs weaponized after email delivery. From alert to fix, the average time for FireEye to identify an alert is approximately 4 minutes, versus over 2 hours for other solutions[3]. The accelerated response not only increases security operations efficiency, but also reduces the impact of security incidents on the organization.
The use of email is changing, and the adaptive tactics of cyber criminals pose a great threat to organizations. It is imperative that IT managers provide maximum email security in order to reduce the risk of a breach. Here are a few points to consider:
- Implement multi-factor authentication. This stops many attackers, even if they have successfully phished credentials, because it introduces a secondary authorization control.
- Run regular user awareness training sessions. Reference real-world threats that you have blocked.
- Deploy advanced secure email gateway technologies such as FireEye Email Security Cloud or Server Editions – Take a tour of our Secure Email Gateway.
- Enhance visibility into your login sources, such as on-premise Active Directory or Office 365, to detect unauthorized activity. Take a tour of our cloud-hosted security operations platform – FireEye Helix.
[1] Why Email Remains The Top Enterprise Collaboration Tool, by David Roe – CMS Wire.
[2] Generic and spam phishing emails do not feature a brand.
[3] FireEye White Paper – The Uncomfortable Cyber Security Tradeoff: The Total Cost Of Handling Too Many Alerts Versus Managing Risk.