chat
expand_more

Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

Discover how real-world attackers abuse compromised personal email accounts to elicit response and realize financial and informational gain.
May 2, 2023

Threat actors are becoming more sophisticated by the minute, using various tactics to bypass traditional security methods such as secure email gateways (SEGs). In a series of recent articles, we have explored some of these tactics in greater detail, including multi-step phishing, OAuth phishing, payment/invoice fraud, and abused open redirects. These are all dangerous threats that, if left undetected, can wreak havoc on an organization.

Today’s installment in the series will explore how attackers can bypass SEGs by abusing compromised personal email accounts. Understanding how cybercriminals are exploiting vulnerabilities in personal email accounts enables organizations to take the necessary measures to secure their systems from further malicious activities. Throughout this article, I will examine the elements of a real-world compromised personal email account attack, and how Abnormal prevented it.

How Compromised Personal Email Accounts Bypass the SEG

In the examples below, we will see messages that touch many, if not all, of these SEG bypass factors:

  • Attackers compromise a legitimate personal email account (Gmail, Yahoo, ATT, etc.).
  • The compromised account is used to send payload-less malicious emails (text-only).
  • Social engineering tactics are used to elicit user engagement, normally leading to financial loss.

Example 1: Barracuda

The first example email originates from a real att.net account.

SEG 1

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see from the MX Toolbox results below:

SEG 2

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Barracuda in this case), scored this message pretty low, even with their custom rules invoked, identifying this message as spam based on an empty ‘To’ field and an apparent ‘Reply-To’ mismatch:

SEG 33

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 3

Abnormal Security noticed a number of contextual anomalies including an unusual sender, abnormal recipient pattern, abnormal email signoff, potential personal information theft, and an unusual ‘Reply-To’ domain. These anomalies, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 2: Proofpoint

The next example is nearly identical, but bypasses a different SEG and modifies the ‘Reply-To’ to go back to Yahoo, rather than Gmail.

SEG 4

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see in the MX Toolbox results below:

SEG 5

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

SEG 6

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Proofpoint in this case), scored this message pretty low, but agreed with Abnormal’s assessment that the message came from an unknown sender, based on the “unknownsederscore=20” value that is present here:

SEG 7

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 8

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 3: Mimecast

This last example is very similar in practice, but rather than seeking some sort of immediate financial fraud (gift card, fraudulent purchase), the attacker’s eventual goal is not immediately apparent. The message begins by detailing an injury that required surgery.

SEG 9

These messages, when engagement is possible, often lead to disclosure of company policies regarding Insurance, PTO and Sick Leave, FMLA, and other internal process information. Some attackers also seek some sort of payment under the guise of a gift.

This originates from a real AOL account, which does not carry a poor reputation, nor does its sending MTA as seen in the MX Toolbox results below.

SEG 10

AOL does leverage SPF, DKIM, and DMARC, which were all successful in this case, making detection based on email authentication results impossible:

SEG 11

In examining the body of the message, there are no links or attachments, simply a note that someone has taken a fall and required surgery.

The SEG (Mimecast in this case), scored this message pretty low across spam scoring and Impersonation Protect:

SEG 12
SEG 13

A Spam Score of 2 will not trigger relaxed, moderate, or aggressive spam actions from Mimecast.

The Impersonation Protect headers are also interesting, as we see that the Policy used to filter the message is called “Tag Inbound as External” meaning that this policy probably is only tagging messages as external, rather than actively leveraging the condition and “number of hits” settings to actively identify fraud/impersonation.

For those who don’t know, Impersonation Protect is a feature that attempts to detect display name and domain impersonation by identifying various conditions in a potentially-malicious email, requiring a “number of hits” before the message is actioned.

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 14

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

How Abnormal Protects You From Compromised Personal Email Accounts:

Abnormal's innovative platform goes beyond conventional SEGs, providing real-time threat intelligence and actionable insights to security teams.

By analyzing email behavior patterns and context, Abnormal identifies anomalies indicative of zero-day threats, even in the absence of known indicators. Among the three examples above, there are many unique data signals that are used to render high-level summaries. These are triggered by factors such as unusual senders, suspicious body content, unusual financial requests, and more.

Abnormal’s proactive approach leveraging advanced AI and machine learning algorithms ensures comprehensive protection against zero-day threats, bolstering the resilience of organizations in the face of ever-changing cyber risks.

Interested in learning more about how Abnormal can protect you from advanced attacks?

Schedule a Demo
Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
B SAT
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More
B Addressing Account Takeovers Blog
Discover how security leaders are protecting their organizations against account takeover with insights from our survey of 300 cybersecurity stakeholders.
Read More