Phishing attacks are one of the most popular strategies employed by cybercriminals to snag user credentials. A successful phishing email that obtains the right username and password can gain access to an entire network. And the more believable the phishing message, the greater the odds of it succeeding. In a report published Tuesday, security firm Armorblox looks at a new and crafty phishing campaign and offers tips on how to protect yourself from these types of attacks.
A recent campaign that targeted a host of Armorblox customers spoofed an encrypted message notification from Zix, a company that itself provides email encryption and email data loss prevention services. Hitting users of Microsoft 365, Microsoft Exchange and Google Workspace, the phishing emails wound up in around 75,000 mailboxes.
Using a subject line of “Secure Zix message,” the email claimed that the recipient had received a secure message from Zix. To review the alleged message, the user was invited to click on the Message button in the email before a certain expiration date. Doing so attempted to download an HTML file named “securemessage.” On the plus side, opening the downloaded HTML file triggered most website blockers to step in and block the page.
Compared with an actual template for a Zix secure message, the email wasn’t an exact duplicate but was close enough to trick an unsuspecting victim, according to Armorblox. The domain used by the sender was “thefullgospelbaptist.com,” a religious organization set up in 1994. Though this domain is no longer active, the attackers may have exploited an older version of the domain to send the phishing emails, Armorblox said. The email itself got through all the standard authentication checks, including SPF, DKIM and DMARC.
Though the final HTML file in the attack chain was blocked, the attackers used some savvy techniques so their emails could pass muster. By spoofing an email encryption service like Zix, the phishing email was designed to create a sense of security. And by claiming to offer an encrypted message with an expiration date, the email tried to trigger a sense of urgency and importance.
The email itself was styled closely enough to actual Zix templates so as to pass a casual inspection. Plus, the parent domain used in the attack was a legitimate one to help the emails bypass authentication.
To protect yourself, your users, and your organization from these types of phishing attacks, Armorblox offers the following three tips:
- Beef up your native email security with additional controls. The phishing emails described here snuck past the security built into Microsoft 365, Google Workspace, Microsoft Exchange and Cisco ESA, according to Armorblox. For stronger protection against email attacks and credential phishing attacks, you need to augment your built-in email security with additional layers that take a different approach. Gartner’s Market Guide for Email Security highlights several recent approaches introduced by various vendors.
- Watch out for social engineering clues. When dealing with one email after another, people can all too easily ignore the warning signs of a potential scam. But to avoid being a victim, you need to look at each email with a trained eye. Inspect such elements as the sender’s name, the sender’s email address, the language within the email, and any inconsistencies within the email. With this specific campaign, you might ask such questions as “Why is a Zix link leading to an HTML download?” and “Why is the sender email domain from a third-party organization?”
- Follow password and security best practices. You need to protect and secure your account credentials. That means not using generic passwords, not using passwords based on your date of birth or other identifiable items, and not using the same password on different sites. And since juggling a unique and complex password for each site isn’t feasible, your best bet is to use a password manager to do the hard work for you. Finally, make sure you’ve set up multi-factor authentication on all supported business and personal accounts.
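The social-engineering clues in the second tip (a brand name in the sender display name or subject that does not match the sender domain, a link that leads to an HTML download or to a host the brand does not own, and expiry language used to create urgency) can be turned into a triage check that runs before a human ever looks at the message. The script below is an added example written for this article, not code from Armorblox or TechRepublic. The two messages are constructed to mirror the traits described above, and the `BRAND_DOMAINS` table is an assumed placeholder (the `.example` domains are not Zix's real sending domains); a deployment would fill it from the brand's published SPF/DKIM domains. The `auth` field is reported alongside the findings to make the article's point concrete: a message can pass SPF, DKIM and DMARC and still be flagged.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder table of the domains a brand legitimately sends from.
# Not Zix's real infrastructure; populate from the brand's SPF/DKIM domains.
BRAND_DOMAINS = {"zix": {"zix-brand.example"}}

# Constructed message modelled on the traits the article describes: brand name in
# the display name and subject, an unrelated sender domain that still passes
# SPF/DKIM/DMARC, an expiry deadline, and a button linking to an .html file.
SUSPICIOUS_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=unrelated-org.example; dkim=pass header.d=unrelated-org.example; dmarc=pass header.from=unrelated-org.example
From: "Zix Secure Message" <notify@unrelated-org.example>
To: user@example.net
Subject: Secure Zix message
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have received a secure message. It expires in 48 hours.</p>
<a href="https://files.unrelated-host.example/securemessage.html">Message</a>
</body></html>
"""

# Constructed control message that should raise no findings.
BENIGN_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=zix-brand.example; dkim=pass header.d=zix-brand.example; dmarc=pass header.from=zix-brand.example
From: "Zix Notifications" <notify@zix-brand.example>
To: user@example.net
Subject: Your Zix portal settings were updated
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your notification preferences were saved.</p>
<a href="https://zix-brand.example/portal/settings">Review settings</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def auth_results(msg):
    """Returns {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyze(raw):
    """Flags the social-engineering clues the article lists, independent of auth status."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []

    # Clue 1: a brand is claimed in the display name or subject, but the sender
    # domain is not one the brand actually sends from.
    claimed = [b for b in BRAND_DOMAINS if b in f"{display_name} {subject}".lower()]
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"brand '{brand}' claimed but sender domain is {sender_domain}")

    # Clue 2: a link that leads to an HTML download, or to a host the claimed brand does not own.
    brand_hosts = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()
    for link in extract_links(html):
        parsed = urlparse(link)
        if parsed.path.lower().endswith((".html", ".htm")):
            findings.append(f"link leads to an HTML download: {link}")
        elif claimed and parsed.hostname not in brand_hosts:
            findings.append(f"link host {parsed.hostname} is not a {claimed[0]} domain")

    # Clue 3: expiry/deadline language used to manufacture urgency.
    if re.search(r"\b(expires?|expiration|expiring)\b", html, re.I):
        findings.append("urgency cue: message claims an expiration deadline")

    return {
        "sender_domain": sender_domain,
        "auth": auth_results(msg),  # can be all 'pass' and still be phishing
        "findings": findings,
        "suspicious": bool(findings),
    }
```

Running `analyze(SUSPICIOUS_EMAIL)` returns three findings (brand/domain mismatch, HTML download link, urgency cue) while `auth` reports every check as `pass`, which is exactly why the authentication results alone are not a clean bill of health; `analyze(BENIGN_EMAIL)` returns no findings. The heuristics are deliberately simple and will need tuning per brand, but they cover the questions the article suggests a trained eye should ask.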