chat
expand_more

Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

Discover how real-world attackers abuse compromised personal email accounts to elicit response and realize financial and informational gain.
May 2, 2023

Threat actors are becoming more sophisticated by the minute, using various tactics to bypass traditional security methods such as secure email gateways (SEGs). In a series of recent articles, we have explored some of these tactics in greater detail, including multi-step phishing, OAuth phishing, payment/invoice fraud, and abused open redirects. These are all dangerous threats that, if left undetected, can wreak havoc on an organization.

Today’s installment in the series will explore how attackers can bypass SEGs by abusing compromised personal email accounts. Understanding how cybercriminals are exploiting vulnerabilities in personal email accounts enables organizations to take the necessary measures to secure their systems from further malicious activities. Throughout this article, I will examine the elements of a real-world compromised personal email account attack, and how Abnormal prevented it.

How Compromised Personal Email Accounts Bypass the SEG

In the examples below, we will see messages that touch many, if not all, of these SEG bypass factors:

  • Attackers compromise a legitimate personal email account (Gmail, Yahoo, ATT, etc.).
  • The compromised account is used to send payload-less malicious emails (text-only).
  • Social engineering tactics are used to elicit user engagement, normally leading to financial loss.

Example 1: Barracuda

The first example email originates from a real att.net account.

SEG 1

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see from the MX Toolbox results below:

SEG 2

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Barracuda in this case), scored this message pretty low, even with their custom rules invoked, identifying this message as spam based on an empty ‘To’ field and an apparent ‘Reply-To’ mismatch:

SEG 33

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 3

Abnormal Security noticed a number of contextual anomalies including an unusual sender, abnormal recipient pattern, abnormal email signoff, potential personal information theft, and an unusual ‘Reply-To’ domain. These anomalies, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 2: Proofpoint

The next example is nearly identical, but bypasses a different SEG and modifies the ‘Reply-To’ to go back to Yahoo, rather than Gmail.

SEG 4

This email originates from a real att.net account, which does not carry a poor reputation, nor does its sending MTA, as you can see in the MX Toolbox results below:

SEG 5

ATT.net does not have SPF or DMARC records published, so the message cannot effectively be analyzed via Email Authentication.

SEG 6

In examining the body of the message, there are no links or attachments, simply a question about whether the intended recipient orders from Amazon.

The SEG (Proofpoint in this case), scored this message pretty low, but agreed with Abnormal’s assessment that the message came from an unknown sender, based on the “unknownsederscore=20” value that is present here:

SEG 7

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 8

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

Example 3: Mimecast

This last example is very similar in practice, but rather than seeking some sort of immediate financial fraud (gift card, fraudulent purchase), the attacker’s eventual goal is not immediately apparent. The message begins by detailing an injury that required surgery.

SEG 9

These messages, when engagement is possible, often lead to disclosure of company policies regarding Insurance, PTO and Sick Leave, FMLA, and other internal process information. Some attackers also seek some sort of payment under the guise of a gift.

This originates from a real AOL account, which does not carry a poor reputation, nor does its sending MTA as seen in the MX Toolbox results below.

SEG 10

AOL does leverage SPF, DKIM, and DMARC, which were all successful in this case, making detection based on email authentication results impossible:

SEG 11

In examining the body of the message, there are no links or attachments, simply a note that someone has taken a fall and required surgery.

The SEG (Mimecast in this case), scored this message pretty low across spam scoring and Impersonation Protect:

SEG 12
SEG 13

A Spam Score of 2 will not trigger relaxed, moderate, or aggressive spam actions from Mimecast.

The Impersonation Protect headers are also interesting, as we see that the Policy used to filter the message is called “Tag Inbound as External” meaning that this policy probably is only tagging messages as external, rather than actively leveraging the condition and “number of hits” settings to actively identify fraud/impersonation.

For those who don’t know, Impersonation Protect is a feature that attempts to detect display name and domain impersonation by identifying various conditions in a potentially-malicious email, requiring a “number of hits” before the message is actioned.

So how did Abnormal Security detect and mitigate the risk of this message?

SEG 14

Abnormal Security noticed a number of contextual anomalies that, when paired with content analysis, made the message a very obvious detection, as highlighted above.

How Abnormal Protects You From Compromised Personal Email Accounts:

Among these three examples, there are many unique data signals that are used to render high-level summaries. These are triggered by factors such as unusual senders, suspicious body content, unusual financial requests, and more. Ultimately, Abnormal Security’s unique approach to threat detection, which leverages an ensemble of behavioral data science and content analysis, allows us to mitigate the risk of sophisticated campaigns, protecting your organization from the broadest spectrum of attacks.

Interested in learning more about how Abnormal can protect you from advanced attacks?

Schedule a Demo
Bypassing SEGs By Abusing Compromised Personal Email Accounts: Real-World Examples

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
 
Integrates Insights Reporting 09 08 22

Related Posts

B 2024 Cybersecurity Predictions
As AI becomes more prevalent in the new year, discover how our experts believe the world will change—for both good and bad.
Read More
B 11 27 23 ATO Stats
Account takeover allows threat actors to steal sign-in credentials and access an organization's network. Read some eye-popping stats about ATO cost and frequency.
Read More
B Unmasking Vendor Fraud
Learn about the techniques, tools, and technologies we use to train the models that form the backbone of our vendor fraud detection.
Read More
B ISC2
Get the latest insights from the 2023 ISC2 Cybersecurity Workforce Study, including which skills are most sought-after, how careers have changed, and how AI is affecting the industry.
Read More
B Good Bad Ugly Future of AI
Hear about positive and malicious use cases of AI and how to protect against novel threats in this recap from Chapter 3 of our Convergence of AI + Cybersecurity series.
Read More
B Cryptocurrency Donations Attack
Attackers attempt to solicit fraudulent donations via cryptocurrency transfers under the guise of collecting donations for children in Palestine.
Read More