chat
expand_more

Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

Discover how real-world attackers abuse compromised personal email accounts to elicit response and realize financial and informational gain.
May 2, 2023

Threat actors are becoming more sophisticated by the minute, using various tactics to bypass traditional security methods such as secure email gateways (SEGs). In a series of recent articles, we have explored some of these tactics in greater detail, including multi-step phishing, OAuth phishing, payment/invoice fraud, and abused open redirects. These are all dangerous threats that, if left undetected, can wreak havoc on an organization.

Today’s installment in the series will explore how attackers can bypass SEGs by abusing compromised personal email accounts. Understanding how cybercriminals are exploiting vulnerabilities in personal email accounts enables organizations to take the necessary measures to secure their systems from further malicious activities. Throughout this article, I will examine the elements of a real-world compromised personal email account attack, and how Abnormal prevented it.

How Compromised Personal Email Accounts Bypass the SEG

In the examples below, we will see messages that touch many, if not all, of these SEG bypass factors:

  • Attackers compromise a legitimate personal email account (Gmail, Yahoo, ATT, etc.).
  • The compromised account is used to send payload-less malicious emails (text-only).
  • Social engineering tactics are used to elicit user engagement, normally leading to financial loss.

Example 1: Barracuda

The first example email originates from a real att.net account.

SEG 1

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see from the MX Toolbox results below:

SEG 2

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Barracuda in this case), scored this message pretty low, even with their custom rules invoked, identifying this message as spam based on an empty ‘To’ field and an apparent ‘Reply-To’ mismatch:

SEG 33

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 3

Abnormal Security noticed a number of contextual anomalies including an unusual sender, abnormal recipient pattern, abnormal email signoff, potential personal information theft, and an unusual ‘Reply-To’ domain. These anomalies, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 2: Proofpoint

The next example is nearly identical, but bypasses a different SEG and modifies the ‘Reply-To’ to go back to Yahoo, rather than Gmail.

SEG 4

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see in the MX Toolbox results below:

SEG 5

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

SEG 6

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Proofpoint in this case), scored this message pretty low, but agreed with Abnormal’s assessment that the message came from an unknown sender, based on the “unknownsederscore=20” value that is present here:

SEG 7

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 8

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 3: Mimecast

This last example is very similar in practice, but rather than seeking some sort of immediate financial fraud (gift card, fraudulent purchase), the attacker’s eventual goal is not immediately apparent. The message begins by detailing an injury that required surgery.

SEG 9

These messages, when engagement is possible, often lead to disclosure of company policies regarding Insurance, PTO and Sick Leave, FMLA, and other internal process information. Some attackers also seek some sort of payment under the guise of a gift.

This originates from a real AOL account, which does not carry a poor reputation, nor does its sending MTA as seen in the MX Toolbox results below.

SEG 10

AOL does leverage SPF, DKIM, and DMARC, which were all successful in this case, making detection based on email authentication results impossible:

SEG 11

In examining the body of the message, there are no links or attachments, simply a note that someone has taken a fall and required surgery.

The SEG (Mimecast in this case), scored this message pretty low across spam scoring and Impersonation Protect:

SEG 12
SEG 13

A Spam Score of 2 will not trigger relaxed, moderate, or aggressive spam actions from Mimecast.

The Impersonation Protect headers are also interesting, as we see that the Policy used to filter the message is called “Tag Inbound as External” meaning that this policy probably is only tagging messages as external, rather than actively leveraging the condition and “number of hits” settings to actively identify fraud/impersonation.

For those who don’t know, Impersonation Protect is a feature that attempts to detect display name and domain impersonation by identifying various conditions in a potentially-malicious email, requiring a “number of hits” before the message is actioned.

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 14

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

How Abnormal Protects You From Compromised Personal Email Accounts:

Abnormal's innovative platform goes beyond conventional SEGs, providing real-time threat intelligence and actionable insights to security teams.

By analyzing email behavior patterns and context, Abnormal identifies anomalies indicative of zero-day threats, even in the absence of known indicators. Among the three examples above, there are many unique data signals that are used to render high-level summaries. These are triggered by factors such as unusual senders, suspicious body content, unusual financial requests, and more.

Abnormal’s proactive approach leveraging advanced AI and machine learning algorithms ensures comprehensive protection against zero-day threats, bolstering the resilience of organizations in the face of ever-changing cyber risks.

Interested in learning more about how Abnormal can protect you from advanced attacks?

Schedule a Demo
Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More