A common tactic emerging amongst adversaries is their use of popular domains to bypass Secure Email Gateway (SEG) protections. In this blog, we dive into those specifics with insights on how organizations can implement robust SIEM detections to help in building a defense-in-depth strategy against these tactics.
SEG Bypass Technique: Popular Domains
Adversaries use legitimate Web services in phishing attacks to bypass Secure Email Gateway protections (SEG). Google and Adobe are among well-known and trusted domains threat actors abuse to avoid being detected by SEG scans and security-aware users. These SEG evasion techniques include delivering an infected document via Google Drive and implanting a URL redirection in an Adobe InDesign file shared online. The risk is that a malicious email reaches a corporate user undetected because the link in the email uses a familiar domain, and results in Email Account Compromise (EAC).
This social engineering technique is especially diabolical when a spear phishing link is received from a trusted, albeit compromised, sender. Even a conscientious user, hovering over a link in an email sent by a known associate, observes an apparently-benign Adobe or Google URL, proceeds to a fraudulent login page and enters their credentials into text boxes masquerading as login fields in a credential harvesting attack.
SEG Bypass Detections using SIEM
Cue robust SIEM detection. A standard Security Information and Event Management (SIEM) alert that generates individual phishing alerts for abused domains is unhelpful. That alert would be too noisy. To truly be effective, it’s necessary to have a system that enables phishing alerts to transcend binary findings of clean versus malicious, and allows the detection to evaluate other indicators and circumstances generally outside the purview of a traditional URL analysis. At Deepwatch, this is made possible through our Dynamic Risk Scoring (DRS) engine.
As part of calculating a risk score, a SIEM can check the email recipient against a list of high-value-target (HVT) users. In this way, the risk of an email link corresponds to the user risk level. An email containing a link to an abused domain should be escalated for further review when the priority or business unit of the recipient presents a risk that a privileged user may be compromised if the email is actually malicious.
A SIEM can also search email subject lines to increase the risk score when language of urgency is detected, which may indicate an attempt to entice the victim to act before the victim questions the message’s integrity. Email subject lines containing words like “invoice” are frequently used in both legitimate business communications and in Business Email Compromise (BEC) attacks. A robust SIEM detection for email security bypass techniques can include a watchlist of subject line indicators, including financial terms commonly used in spear phishing attacks.
SIEM in a Defense-in-Depth Strategy
A mature SIEM operation will also leverage data completely outside the email by searching for suspicious login activity occurring shortly after the email was delivered. A suspicious login under these circumstances can indicate the phishing attack succeeded and the user’s credentials have been compromised. While alerts for impossible travel and foreign authentication require tuning, especially in a high-availability hybrid cloud architecture, DRS can increase alert fidelity by monitoring for a specific attack sequence: a suspicious email followed by a suspicious login. Aggregating multiple SIEM alerts by a single user exemplifies a Defense-in-Depth (DiD) strategy, as this detection methodology spans across disparate technologies to detect attack patterns that otherwise might not be visible because the alerts considered separately are too frequent and lack sufficient fidelity to warrant individual investigations.
Detecting SEG bypass is a valuable use case for a SIEM, highlighting a SIEM’s ability to detect social engineering attacks that target weaknesses or vulnerabilities specific to various services, including security applications. Admittedly the SIEM watchlist needs regular updating for newly-discovered defense evasion techniques, but we can be confident threat actors will continue using the current techniques for as long as those techniques succeed.
References:
https://www.avanan.com/blog/phishing-via-adobe
https://www.linkedin.com/pulse/how-google-amp-phishing-attacks-bypass-email-security
Larry Savidge develops security content for Deepwatch’s Detection Catalog. His talent in Splunk Search Processing Language and detecting malicious activity propelled his rapid career trajectory at Deepwatch from Security Analyst to Detection Engineer to Security Content Management.
Share