Bypassing SEGs with Multi-Step Phishing: A Real-World Example
Email security has evolved over the past two decades, and there is little denying that secure email gateways, or SEGs, were once useful preventative tools for stopping attacks targeting organizations. And while SEGs have proven effective at protecting email recipients from known threats, they are routinely bypassed by the techniques used in modern, targeted email attacks.
In this series, we will explore the gaps present in the protection offered by secure email gateways, and how threat actors are finding innovative ways to bypass these systems. This series will also provide examples of real-world attacks and show how Abnormal Security can better detect and remediate these advanced email threats to provide superior email protection.
The Promise of the Secure Email Gateway
When secure email gateways first came into existence there was much fanfare because they were very effective at securing email from common email threats—especially those with payloads. And even today, despite their reliance on dated reputation lists and known threat intelligence limitations, SEGs still have a place in a cybersecurity tech stack for many organizations.
SEGs work much like firewalls, protecting your email environment from known threats and adhering to rules that allow email traffic to flow in and out of the email platform. When you have a mountain of email traffic coming in and out of your organization, an SEG is effective at filtering these known threats out of the email tenant at scale.
While SEGs are good at leveraging threat intelligence about attacks seen in the past, they are ineffective against never-before-seen threats and the social engineering tactics used by modern, targeted email threat actors.
The Gaps in the Secure Email Gateway
With the knowledge of how SEGs work, threat actors have evolved their tactics, adding positive signals and removing negative signals in order to bypass the tools put in place to thwart them. Some examples of the positive signals they add, and the negative signals they remove, include:
- Sending a message from a legitimate email account that the cybercriminal has compromised.
- Sending a message via legitimate sending infrastructure that passes authentication checks like SPF, DKIM, and DMARC.
- Sending a message that does one (or more) of the following:
  - Leverages multiple stages for phishing or malware payload delivery, so the email itself carries no malicious payload or link.
  - Attempts to install third-party OAuth applications into target accounts.
  - Seeks engagement outside of email, such as over the phone or a service like WhatsApp.
  - Attempts to secure false payments or reroute valid payments to attacker bank accounts.
By leveraging positive signals and removing negative signals, threat actors are able to evade traditional threat detection techniques that rely on intelligence, signatures, and heuristics based on those signatures.
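To make the positive/negative-signal point concrete, here is an added example (written for this page, not Abnormal's code) that parses a constructed lure with Python's standard `email` library. It runs a simplified gateway-style check (authentication results plus a host blocklist), which delivers the message, and then computes the kind of content and baseline signals a gateway does not weigh. The message, its sender domain, IP address, tenant name, the blocklist and the known-sender baseline are all hypothetical placeholders; the platform domain list is taken from the platforms the post names.

```python
"""Added example (not Abnormal's code): SPF/DKIM/DMARC 'pass' is not a safety signal.

The message, domains, IP address and lists below are constructed placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure: minimal body, one link to a SharePoint share.
# Sender domain, sending IP and tenant name are hypothetical.
RAW_MESSAGE = b"""\
Authentication-Results: spf=pass (sender IP is 198.51.100.10)
 smtp.mailfrom=contoso-partner.example; dkim=pass (signature was verified)
 header.d=contoso-partner.example; dmarc=pass action=none
 header.from=contoso-partner.example
From: "Accounts Payable" <ap@contoso-partner.example>
To: finance@victim.example
Subject: Document shared with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached document.</p>
<p><a href="https://contoso-partner.sharepoint.com/:b:/s/Shared/ExampleShareId">Open</a></p>
</body></html>
"""

# Content platforms the post names as commonly abused for the first hop.
CONTENT_PLATFORMS = ("sharepoint.com", "sites.google.com", "canva.com",
                     "jotform.com", "atlassian.net", "adobe.com")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def host_matches(host, domains):
    """True when host equals or is a subdomain of any entry in domains."""
    return bool(host) and any(host == d or host.endswith("." + d) for d in domains)


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    value = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(value)}


def body_html(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content() if body is not None else ""


def body_links(msg):
    return HREF_RE.findall(body_html(msg))


def seg_style_verdict(msg, blocklist):
    """Simplified gateway logic: authentication failure or a blocklisted link host
    means quarantine; everything else is delivered."""
    auth = auth_results(msg)
    if any(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        return "quarantine"
    if any(host_matches(urlparse(u).hostname, blocklist) for u in body_links(msg)):
        return "quarantine"
    return "deliver"


def lure_signals(msg, known_senders):
    """Content and baseline signals: first-contact sender, link to a content
    platform, and a near-empty body whose only purpose is the link."""
    signals = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    if sender.split("@")[-1].lower() not in known_senders:
        signals.append("sender_outside_baseline")
    links = body_links(msg)
    if any(host_matches(urlparse(u).hostname, CONTENT_PLATFORMS) for u in links):
        signals.append("link_to_content_platform")
    words = re.sub(r"<[^>]+>", " ", body_html(msg)).split()
    if links and len(words) < 25:
        signals.append("minimal_body_with_link")
    return signals


def analyze(raw=RAW_MESSAGE, blocklist=("evil.example",), known_senders=("supplier.example",)):
    msg = parse(raw)
    return {"auth": auth_results(msg),
            "seg": seg_style_verdict(msg, blocklist),
            "signals": lure_signals(msg, set(known_senders))}


if __name__ == "__main__":
    print(analyze())
```

The gateway branch only ever says "quarantine" when authentication fails or a link host is already on a list, which is exactly the pair of conditions a compromised account on legitimate infrastructure avoids; the signals branch fires on the shape of the message instead, which is the distinction the post draws.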
How Multi-Step Phishing Attacks Bypass the SEG
To get a taste of a common attack type that SEGs let through, let’s take a look at two attacks that leverage multi-stage payload delivery, where the first stage is hosted on a legitimate content platform. In many cases, these platforms are Adobe, Canva, Confluence, Jotform, SharePoint, or a similar service, all of which are chosen because of the implicit trust that users (and reputation-based filters) place in them.
Using SharePoint to Trick Microsoft 365 Users
In the phishing example below, the email message itself has minimal content and the URL points to what appears to be a legitimate SharePoint site. In actuality, this link leads the user to a temporarily-abused SharePoint site that prompts them to make a second click, which leads to the actual phishing page.
The email passes the SEG’s traditional checks because it is sent from Microsoft’s own prod.outlook.com servers and therefore passes SPF and DKIM authentication. Below you can see that it arrived through the organization’s legitimate SEG (the domain’s MX record), traversed Microsoft 365, and was ultimately delivered to the user’s mailbox:
When the recipient clicks on the “Open” button in the email, they are redirected to a real SharePoint page. And because this is not an inherently malicious link, the SEG is unlikely to understand that the SharePoint file is actually hosting a second (malicious) link. Upon clicking this second link, the user is led to the actual phishing page shown here.
At this point, clicking the “View” link will lead to the following site to capture the Microsoft login credentials.
Because the link appears to open a Microsoft 365 sign-in page and was reached from a genuine SharePoint site, the user is unlikely to scrutinize the address bar and may enter their credentials in order to see the document referenced in the original email.
Using Google Sites for Credential Theft
Let’s look at another example that is similar in approach, but which abuses a different content platform.
Because this message comes from a legitimate email account, sender authentication is successful.
In looking at the message headers, we see that this message was sent from a Microsoft 365 account.
When recipients click on the “Review Document” button, they will be taken to a temporarily-abused Google Sites page that prompts a second click to the actual phishing page:
At this point, clicking “PRESS HERE TO VIEW/DOWNLOAD DOCUMENT” sends the user to the following link, which redirects them to the phishing page:
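Both walkthroughs above have the same shape: a trusted first hop, a click or redirect in the middle, and a credential form at the end. The following added example (written for this page, not Abnormal's code or any real crawler) walks such a chain and judges the landing page rather than only the URL in the email. The "internet" it crawls is a constructed map: the sharepoint.com and sites.google.com paths are invented, and the redirector and sign-in hosts are placeholders under `.invalid`. The `fetch` function stands in for an HTTP client so the block runs offline.

```python
"""Added example (not from the post): follow a multi-stage link chain and judge
the landing page.  SITES is a constructed map; every URL in it is a placeholder."""
import re
from urllib.parse import urljoin, urlparse

# Constructed hops: URL -> (HTTP status, response headers, HTML body).
SITES = {
    # Stage 1a: a genuine-looking SharePoint share that only holds a second link
    "https://contoso.sharepoint.com/:b:/s/Shared/ExampleShareId": (200, {},
        '<html><body><h2>Invoice_0423.pdf</h2>'
        '<a href="https://go.redirector.invalid/r?id=7">View</a></body></html>'),
    # Stage 1b: the Google Sites variant pointing at the same second hop
    "https://sites.google.com/view/example-shared-doc": (200, {},
        '<html><body><a href="https://go.redirector.invalid/r?id=7">'
        'PRESS HERE TO VIEW/DOWNLOAD DOCUMENT</a></body></html>'),
    # Stage 2: a redirector answering with a 302
    "https://go.redirector.invalid/r?id=7": (302,
        {"Location": "https://login-msft-verify.invalid/auth/"}, ""),
    # Stage 3: the harvesting page imitating the Microsoft sign-in form
    "https://login-msft-verify.invalid/auth/": (200, {},
        '<html><body><form method="post" action="/post.php">'
        '<input type="email" name="loginfmt"><input type="password" name="passwd">'
        '</form></body></html>'),
}

CONTENT_PLATFORMS = ("sharepoint.com", "sites.google.com")
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
META_REFRESH = re.compile(r'<meta[^>]+http-equiv="refresh"[^>]+url=([^"\'\s>]+)', re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)
PASSWORD_FIELD = re.compile(r'<input[^>]+type="password"', re.I)


def fetch(url):
    """Stand-in for an HTTP client: serves the constructed map, 404 elsewhere."""
    return SITES.get(url, (404, {}, ""))


def host_in(host, domains):
    return bool(host) and any(host == d or host.endswith("." + d) for d in domains)


def next_hop(url, status, headers, html):
    """Server redirect, meta refresh, or (for a lure page) the first off-site link.
    Real lure pages carry many links; taking the first off-site one is a simplification."""
    if status in REDIRECT_STATUSES and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(html)
    if m:
        return urljoin(url, m.group(1))
    here = urlparse(url).hostname
    for href in HREF.findall(html):
        target = urljoin(url, href)
        if urlparse(target).hostname != here:
            return target
    return None


def resolve_chain(start, fetch=fetch, max_hops=6):
    """Return [(url, status, html), ...] from the first hop to the landing page,
    stopping on a loop or after max_hops."""
    hops, seen, url = [], set(), start
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, html = fetch(url)
        hops.append((url, status, html))
        url = next_hop(url, status, headers, html)
    return hops


def chain_hosts(start, fetch=fetch):
    return [urlparse(u).hostname for u, _, _ in resolve_chain(start, fetch)]


def first_hop_verdict(start):
    """What a reputation-only scan of the URL in the email concludes."""
    return "allow" if host_in(urlparse(start).hostname, CONTENT_PLATFORMS) else "scan"


def chain_verdict(start, fetch=fetch):
    """Judge the landing page: a password form outside Microsoft's own sign-in
    hosts at the end of a document-share chain is credential phishing."""
    landing_url, status, html = resolve_chain(start, fetch)[-1]
    if status != 200:
        return "unresolved"
    if PASSWORD_FIELD.search(html):
        ms_host = host_in(urlparse(landing_url).hostname, MICROSOFT_LOGIN_HOSTS)
        return "legitimate_login" if ms_host else "credential_phishing"
    return "clean"


if __name__ == "__main__":
    for start in ("https://contoso.sharepoint.com/:b:/s/Shared/ExampleShareId",
                  "https://sites.google.com/view/example-shared-doc"):
        print(first_hop_verdict(start), chain_verdict(start), chain_hosts(start))
```

The resolver only understands 3xx redirects, meta refresh and a plain anchor click; in the wild the second and third hops are frequently gated behind CAPTCHAs, user-agent or geography checks, or JavaScript that only runs in a real browser, so a production crawler has to render pages and expect the landing page to be withheld from scanners entirely. The first-hop verdict is still "allow" in both cases, which is the gap the two examples illustrate.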
We continue to see many variations of this type of email attack, and they continue to grow more sophisticated, making it increasingly difficult for organizations to protect themselves. Because these attacks bypass SEGs, it is essential for organizations to understand the different types of email attacks and how to prevent them.
Abnormal Protects You Against Evolving Multi-Step Attacks
While these attacks bypass SEGs, tools like Abnormal that use behavioral AI can detect them using thousands of diverse signals across identity and content. Abnormal takes the signals derived from an API integration with your cloud email platform in order to build profiles of every identity and entity in your environment—establishing a known baseline from which to detect anomalies.
As a result, organizations can either augment or replace their secure email gateway, providing multiple ways to better secure your environment. While many organizations choose to replace their secure email gateway entirely, Abnormal can also augment native security features in Microsoft and Google to provide superior protection without the need for the additional expense.
But don't take our word for it, Abnormal customers are seeing the difference. As one CISO in the healthcare industry stated, “We needed better efficacy for email filtering as the traditional SEG was letting way too much through to our users. Abnormal is an excellent email security platform that catches more than SEGs.”
That's why two-thirds of our customers choose to use Abnormal as a standalone security solution, augmenting their native platform protection. We continue to solve the most advanced attacks, including the multi-step phishing attacks described here. For more insight into the types of attacks Abnormal can stop, check out a full library of attacks we've stopped on Abnormal Intelligence.
Join us over the next few weeks, as we delve into more modern attack types that seek victim engagement outside of monitored channels, attempt to install OAuth applications, and seek direct financial gain through nuanced payment approaches. Throughout the series, we’ll showcase how Abnormal detects and remediates them, and why organizations worldwide are seeing 278% ROI with Abnormal.
Interested in learning more about how Abnormal can supplement or replace your SEG to stop multi-step phishing attacks and other advanced threats? Schedule a demo today!