Stop Zero-Day Phishing Attacks with a Defense-In-Depth Approach

June 2, 2021
The threat actor behind the SolarWinds attack, the Russian-based Nobelium, has orchestrated another successful vendor email compromise attack, this time targeting the United States Agency for International Development (USAID). According to Microsoft’s Threat Intelligence Center, Nobelium compromised the USAID’s Constant Contact account to send phishing emails that included links containing malware.

The incident highlights how zero-day, never-before-seen phishing attacks from compromised vendors (USAID) are getting past traditional email defenses that rely on threat intelligence. They exploit trusted communications between vendors and customers through personalization and social engineering.

To stop these attacks, a defense-in-depth approach is needed, one that combines Microsoft threat intelligence protection for spam, graymail, and malware with Abnormal’s behavioral data science approach that protects against never-before-seen, socially-engineered attacks.

The attack itself represents the third high-profile, socially-engineered phishing attack this year, with SolarWinds and the Colonial Pipeline attack, which we can surmise both started with credential phishing attempts of a vendor or employee email account.

Microsoft describes how Windows Defender caught the USAID attack, but acknowledges that some detection systems may have “successfully delivered” emails due to configurations, policy settings, and prior detections in place.

This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.

New sophisticated email-based attack from NOBELIUM, Microsoft Threat Intelligence Center

The successful delivery of phishing emails highlights the over-reliance on threat intelligence and traditional indicators of compromise (IOCs), which needs to collect and evaluate the incident first before blocking it going forward.

Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information.

What is Cyber Threat Intelligence?, Center for Internet Security

However, a never-before-seen, zero-day attack such as the USAID incident lacks traditional IOCs since there is no prior context to analyze. The sender, an authenticated yet compromised Constant Contact marketing automation account, did not trigger authentication alarms. And the payload, a malicious URL, directed targets to a legitimate Constant Contact service and then “redirected to NOBELIUM-controlled infrastructure where a malicious file is then delivered to the system.”

In the case of this attack, Abnormal Security would have automatically detected the threat based on abnormal behavioral patterns, and thus remediated the threat before it reached inboxes. Our behavioral data science approach profiles and baselines good behavior to detect anomalies. We have observed an increasing number of advanced malware and phishing attacks obfuscating malicious content behind links leading to unknown websites. To detect these attacks and detect malicious intent, we crawl these links, such as the one found in the USAID attack, to analyze the landing page or malicious file.

We deliver this approach through a cloud-native email security platform that can be deployed instantly through a one-click API integration and can be used to extend and complement Microsoft Office 365 threat-intelligence-based approach as well as existing third-party wecure email gateways.

Our API-level access allows Abnormal to provide complete protection against the full spectrum of email threats including spam and graymail, as well as advanced never-before-seen, socially engineered attacks including executive impersonations and employee and vendor compromises.

To protect your organization from never-before-seen attacks that bypass threat intelligence-based solutions, request a demo of the Abnormal Securtiy platform.

Previous
Blog podcast purple cover
As VP of Engineering here at Abnormal Security, I’ve had numerous conversations with our team, venture capitalists, and external engineering leaders about the challenges of building and leading engineering teams. Building applied machine learning products at scale requires solving a wide range of challenges...
Read More
Next
Blog ideas cover
If you’re a podcast fan and haven’t subscribed to Masters of Scale yet, I’d highly recommend it. Reid Hoffman, one of the most successful entrepreneurs and investors of our time—cofounder of LinkedIn and investor in companies like Facebook, Airbnb, and Zynga—is the host, and he shares...
Read More

Related Posts

B 10 15 21
With Detection 360, submission to threat containment just got 94% faster, making it incredibly easy for customers to submit false positives or missed attacks, and get real-time updates from Abnormal on investigation, conclusion, and remediation.
Read More
Extortion blog cover
Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
Read More
Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More