Author: Clint Ilagan
A secure email is an email that uses encryption and authentication to protect the privacy and integrity of the shared information. However, threat actors often exploit email systems by using spoofed email security provider brands, such as Proofpoint, Mimecast, and Virtru, and deploying various types of attacks—including embedded links, HTML attachments, and brand impersonation—to trick users into providing their credentials. This rise in sophisticated phishing and malware attacks has led to numerous data breaches, violating the privacy and integrity of sensitive information.
Secure emails play a critical role in mitigating these risks by creating a protected space for sharing sensitive information and reducing the likelihood of unauthorized access or exposure. Encryption protocols and multi-factor authentication further strengthen email security by verifying sender and receiver identities and keeping content inaccessible to unauthorized individuals. Secure email supports a safe internet experience, which is the primary goal of email security providers. Next, we explore how spoofing these brands compromises that trust and how attackers leverage it to exploit unsuspecting users.
Proofpoint
As a popular email security vendor, Proofpoint provides a variety of services to help protect an organization from cyber threats. However, threat actors still find ways to spoof Proofpoint emails with varying degrees of sophistication, with the most convincing ones attempting to accurately spoof subject lines and body text. As seen in Figure 1, the email contains an embedded URL that redirects to a spoofed Proofpoint login screen (seen in Figure 2) which will redirect to a fake Office 365 Outlook Web App (O365 OWA) website after the user enters their credentials.
Figure 1: A sample email with an embedded link to a Proofpoint-spoofing credential phishing page.
Figure 2: A Proofpoint-spoofing credential phishing site redirecting to a fake O365 OWA website.
In the past, phishing attacks were relatively simple, often relying on basic tactics to trick users into divulging sensitive information. Mass email campaigns, suspicious links, generic messaging, and poor-quality or mismatched logos and branding made the fraud easier to spot. However, Figure 3 shows how a threat actor can mimic Proofpoint emails by carefully wording the subject line, the body of the email, and the attachment name.
Figure 3: Sample of an email where Proofpoint is spoofed in both the subject line and at the bottom of the message body.
As shown in Figure 4, the HTML file, attached to a spoofed Proofpoint secure email, prompts victims to enter their credentials to access the message. Once credentials are entered, they are immediately sent to the attacker’s server, granting unauthorized access to the user’s email or other sensitive accounts. The attacker can then use these credentials to access email accounts, harvest additional information, or execute further phishing attacks within the organization.
Essentially, the branded HTML attachment conceals a malicious link and exploits the user’s trust in the Proofpoint brand displayed in the email to trick them into revealing sensitive credentials. By combining a branded email, HTML mimicry, and credential harvesting, the attacker increases the likelihood of success while evading detection.
Figure 4: A credential phishing HTML file that was attached to an email spoofing Proofpoint.
Figure 5 shows another example where a threat actor mimics Proofpoint's HTML attachments using appropriate images, external redirect buttons, and email disclaimers. The threat actor uses Barracuda- and Proofpoint-branded images and disclaimers to make the attachment seem legitimate, but closer inspection shows that it is not. Barracuda and Proofpoint are competing email security vendors, each with its own product lines, technologies, and approaches to threats like phishing, malware, and spam, so they do not appear together in the same security setup.
Figure 6 shows that, after pressing the "Click to read message" button, victims are redirected to a CAPTCHA page, which in turn redirects to a fake O365 website, as shown in Figure 7.
Figure 5: A Proofpoint secure email and Barracuda-spoofing email attachment.
Figure 6: The Proofpoint- and Barracuda-spoofing attachment links to a threat actor-controlled website protected by a CAPTCHA.
Figure 7: Upon completing the CAPTCHA, the victim is presented with a fake O365 credential phishing page.
Figure 8 shows an example of the raw HTML used for the initial phishing attachment. Note how there’s a comment saying “Branding: You’ll probably want to set the title,” indicating that this attachment is intended to be flexible and reusable across multiple different spoofed brands by simply changing a few lines of text.
Figure 8: Contents of the HTML file used in the Proofpoint- and Barracuda-spoofing email attachment.
Mimecast
Mimecast, one of the oldest and most prominent email security vendors, cannot escape the attention of threat actors, who are drawn to a provider's brand when it is popular and credible. Figure 10 is an example of a real-world email sent by a threat actor posing as someone from Skipton Building Society. Note how closely the threat actor mimics a Mimecast secure email in both the body of the email and the attachment naming convention. However, one telltale sign that the email is not legitimate is the use of a Gmail account: Skipton Building Society does not use Gmail when sending secure emails, and threat actors often use free email providers to send out their campaigns.
Figure 9: A Mimecast-spoofing email with an attachment also spoofing Mimecast.
Figure 10: The Mimecast-spoofing HTM attachment.
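A defender-side triage script that checks a message for the indicators described in the Proofpoint and Mimecast sections above: vendor branding in a message sent from a free-mail domain, competing vendor brands inside one HTML attachment, a password form or link pointing at an external host, and the reusable "Branding:" template comment seen in Figure 8. This is an added example, not code from the article or from any of the vendors named; the free-mail domain list, the sample message, and the phish.invalid host are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: these domains are treated as free providers that a vendor secure-mail gateway would not send from.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
VENDORS = ("proofpoint", "mimecast", "virtru", "barracuda")

def score_message(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty list means nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_domain = m.group(1).lower() if m else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    claimed = [v for v in VENDORS if v in text]
    if claimed and sender_domain in FREE_MAIL:  # "secure" vendor branding sent from a free mailbox
        findings.append(f"{claimed[0]} branding sent from free-mail domain {sender_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        low = part.get_content().lower()
        brands = sorted(v for v in VENDORS if v in low)
        if len(brands) > 1:  # competing vendors do not ship one combined secure-message page
            findings.append(f"{name}: competing vendor brands in one attachment {brands}")
        if re.search(r"type=[\"']?password", low) and re.search(r"(action|href)=[\"']?https?://", low):
            findings.append(f"{name}: password form or link pointing to an external host")
        if "<!-- branding:" in low:  # reusable-template marker like the one in Figure 8
            findings.append(f"{name}: reusable phishing-kit branding comment")
    return findings

def sample_message() -> bytes:
    """Constructed test message combining the traits the article describes (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "Skipton Secure Mail <secure.mail.notice@gmail.com>"
    msg["Subject"] = "Proofpoint Encrypted Message: Secure Document"
    msg.set_content("You have received a secure message. Open the attachment to read it.")
    page = ("<!-- Branding: set the title --><html><body><img alt='Proofpoint Essentials'>"
            "<p>Protected by Barracuda Email Security</p><form action='https://phish.invalid/login' method='post'>"
            "<input type='email'><input type='password'><button>Click to read message</button></form></body></html>")
    msg.add_attachment(page, subtype="html", filename="Secure_Message.htm")  # phish.invalid is a placeholder host
    return msg.as_bytes()
```

Feed `score_message` the raw bytes of a quarantined .eml and treat any non-empty result as a reason for analyst review rather than an automatic verdict.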
Virtru
Virtru is a cybersecurity company specializing in data protection through end-to-end encryption and access control, enabling individuals and organizations to secure email content and attachments so only authorized recipients can access them. Threat actors are drawn to mimic Virtru due to its reputation for securing sensitive communications. Impersonating Virtru allows attackers to exploit users' trust in its encryption and security, increasing the chances that recipients will fall for phishing or other scams.
Figure 11 shows an example of a spoofed Virtru encrypted email, where the threat actor closely mimics the email’s body and uses a convincing subject line. The email includes an embedded link to a Google Doc with content identical to the email (see Figure 12). Figure 13 displays the actual credential phishing page, designed to resemble Virtru’s login page to capture the recipient's login credentials. By imitating the Virtru login page, the attacker increases the likelihood that the recipient will enter their credentials, believing they are on a secure, official site.
Figure 11: A sample email with a Virtru-spoofing embedded link.
Figure 12: Embedded link to a Google Doc website that is also linked to a fake Virtru credential phishing page.
Figure 12 shows the embedded Google Doc linked within the spoofed Virtru encrypted email. The document replicates the email’s content to reinforce the deception and guide the recipient to the credential phishing page displayed in Figure 13.
Figure 13: Credential phishing page that spoofs Virtru.
Figure 13 illustrates the credential phishing page that uses the Virtru brand logo to replicate its login page. The threat actor uses this page to trick the recipient into entering their login credentials, which are then harvested for malicious use.