Security
Reader small image

You're reading from  Effective Threat Investigation for SOC Analysts

Product typeBook
Published inAug 2023
PublisherPackt
ISBN-139781837634781
Edition1st Edition
Concepts
Cybersecurity
Right arrow
Author (1)
Mostafa Yahia
Mostafa Yahia
author image
Mostafa Yahia

Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor's degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.
Read more about Mostafa Yahia

Right arrow

Email threat types

Email threats are every threat your environment faces when deciding to use an email service. They are not limited to phishing emails only; some attackers also use email for blackmailing, information leakage, data exfiltration, and lateral movement. In this section, we will focus on email threats that originate from external sources and discuss in detail four common types of email threats that organizations face:

  • Spearphishing attachments
  • Spearphishing links
  • Blackmail emails
  • Business Email Compromise

Spearphishing attachments

A spearphishing attachment involves adversaries sending phishing emails to target victims with malicious attachments, either to gain initial access to their systems or harvest their credentials. After defining a list of the victims’ email addresses and preparing the weaponized attachment, the attacker become ready to send the email to the victim with one click. However, the question remains, which weaponized attachment will an attacker choose? Let us discuss the most common weaponized attachment types used by threat actors.

Note

Phishing and spearphishing are both types of email attacks that aim to steal sensitive information or compromise a target’s computer system. While both methods have the same ultimate goal, the primary difference between the two is the level of targeting involved. Phishing emails are mass email attacks that are sent to a randomly large number of people. In contrast, spearphishing emails are much more targeted and personalized. They are specifically crafted to target a particular individual or group of individuals, such as employees of a particular company or members of a specific organization.

Phishing attachment types

When you hear the term phishing attachment, you may think about just one or two types of attachments, but due to the different preferred attacker methods, target victims’ infrastructure and business, and attacker goals, there are variants of the malicious attachment types that attackers email to their target victims. The following are the five most common examples of phishing attachment types:

  • Malicious Microsoft Office documents: Attackers often use a weaponized Microsoft document with VBA macros, such as Excel, Word, or PowerPoint documents, and send it to the target victim to trick them into opening it, thereby gaining initial access to their machine. This type of attachment is the most commonly used in spearphishing attacks because almost all enterprises use Microsoft documents in their day-to-day work. Additionally, it is easy for attackers to develop a weaponized Microsoft document. Weaponized Microsoft documents provide unlimited features to attackers, and also, they can exploit known vulnerabilities that affect Office apps.
  • Malicious PDF files: Attackers can also use a decoy PDF file that contains malicious code to exploit PDF reader vulnerabilities and gain initial access to the victim’s system, or harvest their credentials. PDF files are a popular choice for attackers because it allows them to easily embed malicious JavaScript code, and the inclusion of links, images, and fonts can make a file appear legitimate and increase the likelihood that the victim will interact with it. This type of attack is often used in spearphishing campaigns, where the attacker targets a specific individual within an organization with a highly personalized email that contains a malicious PDF attachment.
  • Compressed files (.rar, .7z, zip, etc.): An attacker may send a compressed file containing executable malware to the victim, tricking them into extracting it and executing the executable file.
  • ISO images: Recently, we observed a notable increase in the use of .iso files to deliver malware to target recipients. Attackers depend on ISO image files because they are like disc images; hence, they can be used to bypass file filters and evade antivirus detection.
  • HTML files: An attacker may send an HTML phishing attachment that impersonates familiar login pages, such as the Microsoft login page, the DHL login page, or a bank login page, to harvest the victim’s credentials (see Figure 1.2).
Figure 1.2 – An HTML phishing attachment impersonating a Microsoft login page

Figure 1.2 – An HTML phishing attachment impersonating a Microsoft login page

As you can see, an attacker developed an HTML phishing file impersonating the Microsoft login page to trick the victim into entering their credentials.

Spearphishing Link

A spearphishing link involves adversaries sending spearphishing emails to target victims with a malicious link, to either harvest their credentials or trick them into downloading malware and executing it on their machine, thus gaining initial access to their systems. As with all email threats, after defining a list of the victim’s email addresses and preparing the phishing link, the attacker is ready to send an email to the victim. But what is the attacker’s purpose in sending the spearphishing link to the victims? Let us discuss the two most common types of phishing links used by attackers.

Phishing link types

As we mentioned before, every adversary has different intentions. Some of them just want to harvest a victim’s credentials, while others want to gain an initial foothold in the victim’s system. As with spearphishing attachments, there are variants of malicious link types that attackers use to mail to target victims. The following are two common examples of phishing link types:

  • A phishing link to harvest credentials: One of the forms of a credential harvesting attack is when the attackers send a phishing email armed with links to bogus websites to trick a user into entering their credentials. To host their phishing page, an attacker may use their own domains or abuse legitimate web applications hosting domains, such as appspot.com and web.app domains, as we will see later in the Attacker techniques to evade email security detection section. In 2014, an American multinational financial services company fell victim to a cyberattack. The attack started when attackers sent phishing emails to employees that contained a link to a fake website resembling the company’s VPN login page. The employees were tricked into entering their login credentials, which were then harvested by the attackers. With access to the company’s network, the attackers were able to steal data on more than 76 million households and 7 million small businesses.
  • A phishing link to download malware: An attacker may host the malware on their web server or well-known legitimate cloud file hosting services, such as MEGA, OneDrive, or Dropbox, and then share the file sharing link with their victim over email and try to trick them into downloading and executing the malicious executable. In 2017, a global law firm fell victim to a massive cyberattack that used a phishing email to deliver malware. The attack started when an employee received an email that appeared to be from a client, with a subject line referencing a real estate matter. The email contained a link that the employee clicked on, which then downloaded malware onto the firm’s network. The malware quickly spread throughout the firm’s global network, infecting systems and encrypting files. The attackers demanded a ransom payment in exchange for the decryption key. The attack caused significant disruption to the firm’s operations, and it took several weeks to fully recover.

Blackmail email

A blackmail email, also known as a “sextortion” email, is a term used to describe an email scam where an attacker claims to have compromised the victim’s machine and exfiltrated sensitive data, including sexual content and pictures to the attacker’s server. The attacker then demands payment in bitcoin and threatens to publish the data on the internet if the victim does not comply. In order to convince the victim that they have indeed been compromised, attackers typically employ one of two methods, which we will discuss in the next section. This type of email scam is particularly effective as it preys on people’s fear of having their private information exposed, and the use of cryptocurrency makes it difficult to trace the attacker.

Methods to prove infections

Proving a data breach to the victim may seem simple if the attacker has acquired actual sensitive data, such as sexual content, pictures, or confidential files. However, in many cases, attackers may not have accessed valuable data or compromised the victim’s machine at all and simply attempt to scam the victim. There are two common methods that attackers use to convince victims that a data breach has occurred:

  • Screenshots of the breached data or from the victim’s machine: The blackmailer may compromise the victim’s data by either deploying malware on their machine, such as Infostealer malware, or by purchasing the victim’s data from data leakage stores on the dark web. In both cases, the attacker usually obtains screenshots of the breached data or the victim’s machine desktop and folders to prove the breach to the victim.
  • Spoofing the target victim’s email address: In many cases, the blackmailer is simply a scammer and never had access to either the victim’s machine or data. In such situations, the blackmailer uses the email spoofing technique to trick the victim into thinking that his machine has been compromised by the blackmailer. The email spoofing technique is a technique used in email attacks to trick recipients into thinking that a message came from a mail sender other than the actual sender. In the case of blackmail, the attacker usually spoofs the victim’s email address itself to send the blackmail email to the victim to trick them into thinking that they are compromised, and the attacker used their email address to send him this blackmail email to prove the breach (see Figure 1.3).

The email spoofing technique will be covered in detail in the next chapter, Email Flow and Header Analysis.

Figure 1.3 – A spoofed blackmail email (Malwarebytes)

Figure 1.3 – A spoofed blackmail email (Malwarebytes)

As you see in the preceding screenshot from the Malwarebytes website, the attacker in this scenario used the email spoofing technique to spoof the victim’s email address to send a blackmail message to the victim, claiming that the victim’s data has been compromised and that the attacker possesses sexual content, which they will release to the victim’s contacts if the victim does not transfer 1,000 USD to the attacker’s bitcoin wallet.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a type of email scam where the attacker targets a specific individual within a company who has access to financial information, such as an executive or a finance employee, and tricks them into making a fraudulent financial transaction or wire transfer. BEC attacks often involve the email thread hijacking technique, which we will discuss in the Social engineering techniques to trick the victim section, or spoofing the email address of a trusted partner or company executive to convince the victim to transfer money or sensitive information to the attacker’s account.

BEC attacks are one of the most trending and result in significant financial losses for organizations, making them a growing concern in the cybersecurity community.

In 2018, the US Department of Justice reported that a Nigerian cybercriminal group called Gold Galleon had used the email thread hijacking technique in BEC attacks against maritime shipping companies. The group would first gain access to an employee’s email account through spearphishing or other means. Once they had access, they would search the employee’s emails for ongoing conversations related to cargo shipments and then use the email thread hijacking technique to intercept and take over the thread. Using this technique, the attackers could impersonate the legitimate email sender and request that payment for the cargo shipment be redirected to a new bank account. Since the email appeared to be part of an ongoing conversation, the victim would often not suspect anything was wrong and would comply with the request, resulting in significant financial losses for the targeted companies.

In one case, the Gold Galleon group was able to steal over $1 million from a shipping company using this technique. The group is believed to have targeted over 100 maritime shipping companies in the United States, Europe, and Asia, with losses totaling tens of millions of dollars.

Now that you are familiar with the most four common email threat types, let us see the attacker techniques to bypass email security solutions deployed in the victim’s environment, as well as the attacker techniques to evade email security detection.

Previous Page
Chapter 3 of 22, Page 4
Next Page
You have been reading a chapter from
Effective Threat Investigation for SOC Analysts
Published in: Aug 2023Publisher: PacktISBN-13: 9781837634781
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Author (1)

author image
Mostafa Yahia

Mostafa Yahia is a skilled and motivated threat investigator and hunter with a wealth of experience investigating and hunting down various cyber threats. He is a proven leader in building and leading cybersecurity-managed services such as SOC and threat-hunting services. Mostafa holds a bachelor's degree in computer science, which he earned in 2016, and has furthered his education by earning multiple industry-recognized certifications, including GCFA, GCIH, CCNA, and IBM QRadar. In addition to his professional work, Mostafa also shares his knowledge through free courses and lessons on his YouTube channel. Currently, he serves as the senior lead for cyber defence services in an MSSP company, overseeing SOC, TH, DFIR, and CA services.
Read more about Mostafa Yahia

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages