Email Security Gateway (to Your Next Breach)
BY THE COFENSE PHISHING DEFENSE CENTER
Email is the most common attack vector in today’s threat landscape. Not only does email deliver over 92% of malware1, but by the end of 2017 the average user received 16 malicious emails per month.2 Cyber-criminals and APT actors abuse email to deliver malware or steal user credentials and other sensitive data. Because it is ubiquitous, email is an oft-targeted, massive attack surface.
Proofpoint and Mimecast Often Can’t Handle Simple Phishing Attacks
That’s why companies spend thousands to millions of dollars on security technologies, including secure email gateways. Let’s be clear: it is erroneous to claim these technologies prevent all threats. At Cofense™, we deal with hundreds of phish that bypass email gateways and lead to compromised user accounts.
Security solutions like Proofpoint and Mimecast routinely fail to stop phishing attacks while leaving customers with a false sense of security. We see this all the time, including attacks where Proofpoint and Mimecast failed to defang URLs as advertised. These services also routinely fail to stop basic phishing schemes, including some that use hosted services like Drive and Sharepoint; campaigns that use attachments to deliver malware or malicious links; and Business Email Compromise (BEC) attacks.
Below are a few of the many cases where we have seen Proofpoint and Mimecast let simple phishing attacks proceed without a fight.
Phishing Using Trusted Services
Cofense has often found that hyperlinks to traditionally trusted web services can easily make their way through firewalls and email gateways. Unfortunately, due to their low cost and free business models, services such as Google Drive, SharePoint, WeTransfer, and Dropbox are used by malicious actors to host files that contain embedded links to credential phishing sites. Email gateways are unable to access the embedded link and thus cannot check or block the link in question. See figure 1 below for an example of a PDF file with an embedded phishing link that was hosted on Google Drive:
Figure 1 – A common PDF containing a phishing URL
The text “Document.pdf (150.45 kb)” is a hyperlink to a shortened URL, which then redirects the victim to the “Smartsheet” branded phish seen in figure 2 below:
Figure 2 – A “Smartsheet” branded credential phish.
This phishing email made it through Proofpoint which failed to stop the attack due to the attacker’s evasion techniques. Luckily, the employee was well trained and reported the phish immediately.
Social Engineering, Business Email Compromise, & Vish
Some basic social engineering tactics can elicit a victim’s credentials without ever having to send malicious links or attachments to the user, making email gateways useless because there are no URLs to block.
Business Email Compromise is a common type of social engineering that tries to strike up a conversation with an employee in hopes of committing fraud, such as a fraudulent wire transfer or harvesting of company PII, as shown in Figure 3 below.
Figure 3 – A Business Email Compromise attack initiation
Additionally, Cofense frequently observes vishing attacks. In one attack, (Figure 4) the vish impersonate a trusted company requesting a phone call to fix a non-existent issue with the victim’s account. These attacks allow threat actors to gain a victim’s account information over the phone or over email without ever using malicious content that could be blocked by an email gateway.
Figure 4 – A social engineering Vishing attack
Fabricated invoices and receipts, password protected PDFs, and other malicious attachment schemes are all common phishing tactics. Because most automated solutions only screen links in the body of the message, these attached phish regularly waltz their way past email gateways.
Recently, a password protected PDF phishing campaign targeted Cofense customers and completely circumvented Proofpoint protection. This phish included the password to the attached document within the body of the email, urging users to open it upon receipt, seen in Figures 5 and 6 below.
Figure 5 – Content snippet of a phishing email including a document’s password.
After opening the password protected PDF, the user is confronted with a link to a credential phishing site.
Like the previous example, basic word documents with hyperlinks consistently bypass automated security solutions like Proofpoint and Mimecast, as seen in figure 6.
Figure 6 – A .docx file with an embedded phishing link
Companies that rely purely on automated gateway solutions consistently fail to stop phish embedded within attachments.
Weakness in their Strength
These email security gateways perform better when a malicious link is in the body of an email. However, we have observed cases where many of those emails bypass such gateways and reach the targeted victim. Following are some examples where either Mimecast or Proofpoint failed to rewrite the URL completely. Additionally, we will look at a very interesting example where Proofpoint did rewrite the URL completely but failed to block it, allowing the user to engage with the malicious website.
Figure 7 below shows the first example where the email gateway failed to correctly rewrite the URL:
Figure 7 – Banco do Brasil Email
The email above includes a link “INICIAR REGULARIZAÇÃO” that will redirect the user to a malicious website. A closer look at the HTML code of the email body (Figure 8) reveals that the href of the link brings the user to hxxp://50[.]63[.]162[.]13/dkng[.]html, which redirects again to hxxps://atualizacaocliente[./]info/loginseguro/Operador/.
Figure 8 – HTML Code of Banco do Brasil Email
The email gateway failed to rewrite the initial URL hxxp://50[.]63[.]162[.]13/dkng[.]html.
Figure 9 shows another example where the email gateway did not rewrite the URLs in the email:
Figure 9 – Example 2 Email
Investigating the HTML body of the email again reveals that the link in the email directs the user to hxxp://s1[.]sleove[.]com/id (Figure 10).
Figure 10 – Example 2 HTML Body
In both examples above, the email gateway failed to rewrite the URLs and replace them with a safe landing page for potential victims.
The following examples focus on Mimecast and demonstrate that Mimecast failed to rewrite the URL within the body of the emails (Figure 11, Figure 12, Figure 13).
Figure 11 – Mimecast Example 1
Figure 12 – Mimecast Example 2
Figure 13 – Mimecast Example 3
The Phishing Defense Center has analyzed all three emails mentioned above and identified that they are part of a Geodo campaign. Geodo, also known as Emotet, is a banking trojan which steals financial information and often enables other malware to be installed on the victim’s computer. Many of the URLs that Mimecast missed to rewrite are related to Geodo campaigns.
Proofpoint Rewrites but Does Not Block
While spot-checking the 1,095 cases where the gateway did rewrite the URLs, we have identified another issue: the gateway did rewrite the URL, but it did not block the URL, thereby allowing the user to browse to and interact with a malicious page. As clearly shown in Figure 14, the URL is appended with https://urldefense.proofpoint.com, which suggests that this customer uses Proofpoint as the email security solution.
Figure 14 – Proofpoint Email where URL was not blocked
However, a click on the rewritten Proofpoint URL directs the user to hxxps://olook[.]ml, a phishing page that is attempting to steal user credentials, as shown in Figure 15.
Figure 15- Phishing Page after clicking on rewritten Proofpoint URL
These examples show that email gateways often fail to stop phishing threats. While both Proofpoint and Mimecast were successful in rewriting and blocking URLs, there were still many cases where those products did not or would not have prevented a compromise. Simply relying on email gateways to stop malicious emails can leave you with a false sense of security and can result in breaches.
Understanding the weaknesses in Proofpoint, Mimecast, and other automated gateway solutions can be the first step in learning how to better defend yourself. Only a holistic strategy will work against the full spectrum of phishing attacks your company sees.
To learn more about active phishing threats, view the Cofense State of Phishing Defense 2018 report.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
- Verizon, Data Breach Investigations Report, 2018.
- Symantec, Internet Security Threat Report, 2018.