Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!
Also known as: the organization most impersonated by attackers in phishing campaigns in 2021.
Despite the shiny crop of newcomers to the Top 64 impersonated organizations (which included Notion.so, Binance, and grocery stores from Costco to Kwik Shop), our March Hackness “Final Four” ended up mirroring 2022’s NCAA Men’s Final Four: with the blue blood brands, that is.
That’s right, folks: on the heels of enduring the second year of the COVID-19 pandemic, the World Health Organization beat out Amazon, Microsoft and T-Mobile to become the back-to-back winner of Area 1’s “ophishal” March Hackness title!
From Jan. 2021 to Jan. 2022, a whopping 15% (over 8.5 million) of the 56 million brand phishing emails blocked by Area 1 impersonated the WHO.
This timeframe (not coincidentally) matches the WHO remaining top of mind for global businesses closely monitoring the rollout of new vaccines and booster shots, as well as the rise of the Delta and Omicron variants.
There’s Always Next Year’s Tournament…
The pandemic also influenced brand phishing in other ways. The “blue blood” of online retail and the cloud — and our March Hackness runner-up — Amazon, was impersonated in over 3.2 million phishing emails blocked by Area 1.
The focus of Amazon scams varies. However, as Area 1’s principal threat researcher, Juliette Cash, explains, common ones include phishing emails claiming that accounts have been ‘placed on hold,’ payments have been declined or that Prime memberships have ‘expired.’
These types of attacks utilize Amazon branding to impersonate official emails and entice victims to click links to update their credit card information. Once the link is clicked, the user’s browser will upload malicious content and direct them to verify their identity and input their payment details.
While these messages can be sent at any time, we’ve found that they are commonly tied to events, such as Amazon Prime Day, that trigger individuals to take action in fear of missing out.
By the way, although Amazon vs. the WHO isn’t exactly the epic and storied rivalry of Duke vs. UNC, Amazon has been in our list of top 64 most impersonated brands ever since March Hackness’ inception … so, we’ll count this matchup as an important piece of cybersecurity history!
Now, we have no idea what it’s like pretending to be a Blue Devil or Tar Heel (or Jayhawk or Wildcat) for a basketball season, but we do know some things about bad actors’ impersonation tactics.
Identity deception tactics such as spoofing, domain impersonation and display name impersonation show how easily attackers can use brand phishing to deceive users and reach their goals.
In many cases, it’s as simple as a display name change. However, there are (of course) much more complex phishing techniques that will evade standard defenses.
For example, in this 2021 vaccine phishing campaign (which originally bypassed Microsoft Office 365’s native defenses before it was blocked by Area 1), attackers pretending to be the CDC:
Used Display Name Spoofing to fake the visible FROM header
Inserted an SMTP HELO command to spoof the Envelope From domain
Chose to spoof a domain that did not have email authentication protocols configured and that no longer resolved to an IP address
Compromised a legitimate host with a benign IP, and used it to launch their phishing attack
That’s what you call a playbook.
And speaking of Microsoft, it made our “Final Four” of most-phished brands for the fourth consecutive year.
Attackers not only frequently impersonate individual Microsoft tools, they also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication. (Just one example: this credential harvesting campaign specifically leveraged Microsoft SharePoint and Microsoft Planner).
So, How Do You Guard Your Inbox?
The bottom line is this: Attackers know how to deliver brand phishing campaigns with techniques that evade native email defenses, email authentication and sender reputation tools (i.e., DMARC, SPF and DKIM).
But – they’re not particularly clever or unique about who they impersonate. As you can see from our March Hackness findings, just 25 organizations were used in the majority (57%) of these phishing emails.
There are three main reasons brand phishing continues to reach many organizations’ inboxes, year after year:
It’s fast for attackers to set up DMARC, SPF and DKIM policies for new phishing domains to reach inboxes.
People trust emails from known organizations, business partners and internal employee accounts – accounts that they won’t identify as compromised unless they have more advanced email security in place.
You can learn more about what the common email authentication standards (SPF, DKIM and DMARC) can and cannot do when it comes to correctly verifying the origins of emails (and who they claim to be from), here.
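The sketch below is an added example, not Area 1's code or detection logic. It shows why a DMARC pass on an attacker-registered domain says nothing about the brand named in the display name, and how the visible From can be compared with the envelope sender, as in the display name spoofing and Envelope From spoofing described earlier. The brand allowlist, the `.example` domains and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {
    "world health organization": {"who.int"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com"},
}

def org_domain(addr):
    """Crude organizational domain: last two labels (no public-suffix list)."""
    host = addr.rpartition("@")[2].lower()
    return ".".join(host.split(".")[-2:])

def check_message(raw):
    """Return the recorded DMARC result plus identity findings for one message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(from_addr)
    env_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1])
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # A DMARC pass only vouches for from_dom, not for the brand in the name.
        if brand in display.lower() and from_dom not in domains:
            findings.append("display-name-impersonation:" + brand)
    # A signal, not a verdict: bulk senders legitimately use other bounce domains.
    if env_dom and env_dom != from_dom:
        findings.append("envelope-from-mismatch")
    return {"dmarc": m.group(1).lower() if m else "none", "findings": findings}

def sample(display, from_addr, return_path, dmarc):
    """Build a constructed test message (not taken from a real campaign)."""
    return (f'From: "{display}" <{from_addr}>\n'
            f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: mx.example; dmarc={dmarc}\n\nbody\n")

SAMPLES = {
    "lookalike": sample("World Health Organization", "alerts@who-updates.example",
                        "alerts@who-updates.example", "pass"),
    "spoofed": sample("Amazon Prime", "billing@amazon.com",
                      "bounce@relay-host.example", "fail"),
    "legit": sample("Amazon", "orders@amazon.com", "bounces@amazon.com", "pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

The "lookalike" message is the case that matters: it passes DMARC and is still flagged, because the check ties the brand in the display name to the domains that brand actually uses.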
But what does work better than email authentication for preventing these kinds of phishing attacks? Advanced detection techniques.
For example, Area 1’s preemptive technology uses massive-scale web crawling to reveal emergent campaign infrastructure. Our small pattern analytics also identify phishing attack infrastructure, patterns of attack formation and threats within datasets that help us spot cyber campaigns as they’re being built.
To see which brand phishing emails are landing in your organization’s inbox (whether it’s from one of the March Hackness ‘players,’ or one of the 800-plus other brands hackers spoof), request a free Phishing Risk Assessment here.