How to Stop Phishing Message Voicemail Attacks

Jacob Rideout September 25, 2019 Email Security

At Agari we often talk about the evolving nature of advanced email attacks and the identity deception tactics that go with them. These attacks bypass legacy controls and, like a magician delighting a curious audience, trick the human psyche by targeting core human emotions such as fear, anxiety and curiosity. Of course, the magic in this case comes with ill intent.

A good example of a sophisticated attack, and one that we address in the Agari Fall ’19 release, is the use of email with voice message attachments to execute phishing schemes. Here’s how they work.

A plain text email sent by a cybercriminal sails right through the secure email gateway (SEG) and lands in an employee inbox. It might contain what looks like a partial transcript and, for Office 365 environments, might come with an EML file attachment. EML attachments can themselves contain hyperlinks and further attachments, and are blocked less frequently by the SEG.

With a click of the attachment, Outlook displays a preview. Since it’s not a full window, users often click on a link to explore deeper.

With curiosity piqued by the transcript and preview, the user is then directed to a page that looks like a Microsoft account login page and is prompted to authenticate with their user ID and password to hear the message. Often, the initial login is designed to fail on the first try. The user, now chasing escalating curiosity, then re-enters their credentials and typically gains access to an innocuous message that seems all but irrelevant.

The message, of course, is designed to be useless, but also to raise little suspicion about the fake login that just happened. With the successful ruse tucked away in their consciousness, workers then move on, all the while unaware they’ve just given their login credentials to a cybercriminal. Their email account has been compromised, along with any files or business systems that use the same credentials. The threat actor is then free to monitor communications, peruse systems and files authorized to the legitimate user, and execute targeted attacks based on email account takeover.
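The delivery pattern described above (a link-free plain-text notice whose hyperlinks sit inside an attached EML) can be checked statically at triage time. The following is an added example, not code from Agari or from the original post, and it is a simple heuristic rather than the behavioral modeling the post goes on to describe; the keyword list, addresses and URL are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"voice\s*mail|voice\s+message|missed\s+call", re.I)  # assumed keywords

def build_sample(with_eml: bool = True) -> bytes:
    """Constructed sample: link-free plain-text notice, optionally with an EML attached."""
    outer = EmailMessage()
    outer["Subject"] = "New voicemail from +1 555 0100"
    outer["From"] = "notify@example.invalid"
    outer["To"] = "employee@example.invalid"
    outer.set_content("Transcript: 'Hi, I am calling about the invoice ...'")
    if with_eml:
        inner = EmailMessage()
        inner["Subject"] = "Voice message (0:42)"
        inner.set_content("Play message: https://login.example.invalid/vm?id=1")
        outer.add_attachment(inner, filename="voicemail.eml")  # becomes message/rfc822
    return outer.as_bytes()

def eml_links(part, in_eml: bool = False) -> list:
    """Collect URLs from text parts nested inside an attached message/rfc822 (EML)."""
    in_eml = in_eml or part.get_content_type() == "message/rfc822"
    if part.is_multipart():  # true for multipart/* and for message/rfc822 containers
        return [u for child in part.get_payload() for u in eml_links(child, in_eml)]
    if in_eml and part.get_content_maintype() == "text":
        return URL_RE.findall(part.get_content())
    return []

def triage(raw: bytes) -> dict:
    """Flag the pattern: voicemail lure + clean outer body + links hidden in an EML."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    outer_text = body.get_content() if body else ""
    lure = bool(LURE_RE.search(f"{msg['Subject']} {outer_text}"))
    links = eml_links(msg)
    return {
        "lure": lure,
        "outer_has_links": bool(URL_RE.search(outer_text)),
        "eml_links": links,
        "hold_for_review": lure and bool(links),
    }

if __name__ == "__main__":
    print(triage(build_sample()))
```

The extracted `eml_links` are the values to pass on to URL reputation or sandboxing, since a scan of the outer body alone sees nothing to inspect.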

Is this a security breach or a human fail? Well, cyber insurance companies might care, but the impact on the target organization is largely the same.

Organizations convinced of the latter often look to cybersecurity training, which can work maybe 98% of the time in a best-case scenario. This is a bit like training an audience to spot a magician’s trick. Show them the tactic, and they can readily spot it a second time. Show them something new and novel, and the human detection rate falls dramatically.

The problem, of course, is that, like magicians, cybercriminals always come up with new tricks. But in cybercrime, the delight and laughter come from the threat actor at the victim’s expense.

The Agari Fall ’19 release trains machine learning on this problem. Using our highly innovative identity graph to detect convergence or divergence to known emails and sending behavior, Agari detects these ever-evolving attacks in a way humans and legacy systems cannot, because it’s looking for good behavior, not bad signatures.

Like other attacks that target human emotions, the ruse obscures the scam, but the scam gets detected by email forensics. This is why enterprises need a dynamic approach that models identity and behaviors versus a static approach that looks for attacks matching previously detected patterns.

By dynamically modeling messages as they arrive globally on a scale of around 2T messages annually, new messages are evaluated in the context of an entire global distribution of human-labelled messages. This enables attacks to be detected and stopped in real time and takes employees out of the direct line of fire of advanced email attacks.

Learn more about this and other new features available in the Fall ’19 release.