Stop Zero-Day Phishing Attacks with a Defense-In-Depth Approach

June 2, 2021
The threat actor behind the SolarWinds attack, the Russia-based group Nobelium, has orchestrated another successful vendor email compromise attack, this time targeting the United States Agency for International Development (USAID). According to Microsoft’s Threat Intelligence Center, Nobelium compromised USAID’s Constant Contact account to send phishing emails that included links leading to malware.

The incident highlights how zero-day, never-before-seen phishing attacks sent from compromised vendor accounts (here, USAID’s) get past traditional email defenses that rely on threat intelligence. They exploit the trusted communication channel between a vendor and its customers through personalization and social engineering.

To stop these attacks, a defense-in-depth approach is needed, one that combines Microsoft threat intelligence protection for spam, graymail, and malware with Abnormal’s behavioral data science approach that protects against never-before-seen, socially-engineered attacks.

This attack is the third high-profile, socially engineered phishing attack this year, following SolarWinds and Colonial Pipeline, both of which we can surmise began with credential phishing against a vendor or employee email account.

Microsoft describes how Windows Defender caught the USAID attack, but acknowledges that some detection systems may have “successfully delivered” emails due to configurations, policy settings, and prior detections in place.

This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.

New sophisticated email-based attack from NOBELIUM, Microsoft Threat Intelligence Center

The successful delivery of phishing emails highlights the over-reliance on threat intelligence and traditional indicators of compromise (IOCs), which require an incident to be collected and evaluated first before it can be blocked going forward.

Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information.

What is Cyber Threat Intelligence?, Center for Internet Security

However, a never-before-seen, zero-day attack such as the USAID incident lacks traditional IOCs since there is no prior context to analyze. The sender, an authenticated yet compromised Constant Contact marketing automation account, did not trigger authentication alarms. And the payload, a malicious URL, directed targets to a legitimate Constant Contact service and then “redirected to NOBELIUM-controlled infrastructure where a malicious file is then delivered to the system.”

In the case of this attack, Abnormal Security would have automatically detected the threat based on abnormal behavioral patterns, and thus remediated the threat before it reached inboxes. Our behavioral data science approach profiles and baselines good behavior to detect anomalies. We have observed an increasing number of advanced malware and phishing attacks obfuscating malicious content behind links leading to unknown websites. To detect these attacks and determine malicious intent, we crawl these links, such as the one found in the USAID attack, to analyze the landing page or malicious file.
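As an added illustration (not Abnormal’s or Microsoft’s code) of the two checks described above, crawling a link to its final landing page rather than trusting the host it starts on, and comparing that landing host against a behavioral baseline of what a sender has linked to before; the redirect table, the baseline and every hostname below are constructed placeholders, not indicators from the USAID incident:

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP 3xx responses.
# All hostnames are placeholders, not indicators from the USAID incident.
REDIRECTS = {
    "https://mailer.example/t?id=1": "https://docs.vendor.example/report.pdf",
    "https://mailer.example/t?id=2": "https://files.example/go",
    "https://files.example/go": "https://unknown-host.invalid/payload.iso",
    "https://mailer.example/t?id=3": "https://mailer.example/t?id=3",  # self-loop
}

# Constructed per-sender baseline: landing hosts seen in prior good mail.
BASELINE = {
    "news@vendor.example": {"mailer.example", "docs.vendor.example"},
}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def resolve_chain(url, redirects=REDIRECTS, max_hops=10):
    """Follow redirects offline. Returns (hops, truncated); truncated is
    True when a loop or the hop limit stopped the crawl early."""
    hops = [url]
    seen = {url}
    while hops[-1] in redirects:
        nxt = redirects[hops[-1]]
        if nxt in seen or len(hops) >= max_hops:
            return hops, True
        hops.append(nxt)
        seen.add(nxt)
    return hops, False

def assess_link(sender, url, baseline=BASELINE, redirects=REDIRECTS):
    """Classify a link by where it finally lands, not where it starts."""
    hops, truncated = resolve_chain(url, redirects)
    final = host_of(hops[-1])
    known = baseline.get(sender, set())
    if truncated:
        verdict, reason = "review", "redirect loop or hop limit reached"
    elif final in known:
        verdict, reason = "baseline", f"{final} seen before from {sender}"
    else:
        verdict, reason = "anomalous", f"{final} never seen from {sender}"
    return {"chain": hops, "final_host": final, "verdict": verdict, "reason": reason}

if __name__ == "__main__":
    for i in (1, 2, 3):
        print(assess_link("news@vendor.example", f"https://mailer.example/t?id={i}"))
```

A production crawler would fetch the real chain with a sandboxed HTTP client and extend the baseline with the content type and file hash of the final object, but the decision logic stays the same.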

We deliver this approach through a cloud-native email security platform that can be deployed instantly through a one-click API integration and can be used to extend and complement Microsoft Office 365’s threat-intelligence-based approach as well as existing third-party secure email gateways.

Our API-level access allows Abnormal to provide complete protection against the full spectrum of email threats including spam and graymail, as well as advanced never-before-seen, socially engineered attacks including executive impersonations and employee and vendor compromises.

To protect your organization from never-before-seen attacks that bypass threat-intelligence-based solutions, request a demo of the Abnormal Security platform.
