This anti-phishing blog post covers two interesting, sophisticated trends:
In this post, we will show one way attackers leverage SendGrid, a prominent platform for sending marketing emails, to attack companies across the US and EMEA.
We will start with an example. The attack below was intercepted by Perception Point’s service, which identified the email as an attempt to steal credentials.
In this email, the attacker impersonates Microsoft, stating that there is a problem with the user’s Outlook account. Accordingly, the user is asked to hit the “Fix now” button to solve the problem. However, once clicked, the button redirects the user to what appears to be a legitimate Outlook Web App but is really a phishing website attempting to steal the end user’s credentials (see the second screenshot).
By looking at the IOCs of this specific example, we can see that the attacker is using SendGrid both to hide the malicious link and to learn more about the targets. We outline the benefits of this technique in the next section, “The Campaign”.
This is not a single attack. We see the use of SendGrid for malicious purposes time and time again. To be exact – since July 1st, 2020, Perception Point’s service prevented 3,420 different attacks that used this mechanism.
By looking at the chart below, one can see that the number of such attacks increased starting from the second half of August. Based on our experience and analysis of the trend, we expect to see more attacks like this during September (as we already see in the first week of the month) and even October. This is because when attackers see that a campaign works for them, they will press on with it as much as they can, while most email security vendors will need time to develop a countermeasure.
We also looked into the days on which the attacks were sent. Most attacks were launched on the first and last days of the business week, Monday and Friday. On the other hand, it is interesting to see that almost no attacks were launched on Thursdays, while Saturdays, although considered a weekend day, also saw high attacker activity. This might suggest that the attacker pursues a trial-and-error process (see details below).
The first benefit of this attack mechanism is evasion. While many email security vendors can protect against known phishing attacks, most of them can be easily evaded. By simply leveraging SendGrid, attackers “hijack” SendGrid’s reputation. Because the origin is trusted, some security vendors will prefer either not to scan the email at all, or to apply only basic, static checks, which leads to evasion.
In the example, Microsoft’s email security not only flagged the email as clean, but also added a note that it came from a trusted sender. This shows that the reputation-hijacking technique is highly effective and can bypass many solutions on the market.
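The defender’s counter to reputation hijacking is to stop trusting the tracking link at face value and instead compare where it ends up with the brand the email claims to come from. The Python below is an added illustration of that check and is not Perception Point’s code or part of its service. It assumes that SendGrid click tracking rewrites links under a `sendgrid.net` host (a known convention, treated here as an assumption), uses a constructed sample email modelled on the Outlook lure above, and stands in for the real redirect-following step with a hand-written redirect table so it runs offline; a production scanner would resolve the link in a sandboxed fetch instead.

```python
"""Flag click-tracking links whose final destination does not belong to the brand
the email impersonates. Added example; all domains and messages are constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: SendGrid's click-tracking redirector lives under sendgrid.net.
TRACKING_DOMAIN_SUFFIXES = ("sendgrid.net",)

# Assumption: domains a genuine message from this brand would link to.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com", "outlook.com", "live.com"),
}
# Words in the From display name that signal which brand is being claimed.
BRAND_KEYWORDS = {"microsoft": "microsoft", "outlook": "microsoft", "office 365": "microsoft"}

# Constructed stand-in for following the tracking redirect to its final URL.
CONSTRUCTED_REDIRECTS = {
    "https://u12345.ct.sendgrid.net/ls/click?upn=EXAMPLE":
        "https://outlook-webapp-login.example/owa/",
}

# Constructed phishing sample: claims Microsoft, "Fix now" goes through SendGrid.
SAMPLE_PHISH = """From: "Microsoft Outlook Support" <no-reply@example-sender.com>
To: victim@example.org
Subject: Action required: problem with your Outlook account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a problem with your Outlook account.</p>
<p><a href="https://u12345.ct.sendgrid.net/ls/click?upn=EXAMPLE">Fix now</a></p>
</body></html>
"""

# Constructed benign sample: claims Microsoft and links straight to a Microsoft domain.
SAMPLE_BENIGN = """From: "Microsoft account team" <noreply@example.com>
To: victim@example.org
Subject: Your account settings were updated
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.microsoft.com/account">Review activity</a></body></html>
"""


def host_matches(host, suffixes):
    """True when host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def resolve_final_url(url, redirects, max_hops=5):
    """Follow the (simulated) redirect chain; stop on loops or too many hops."""
    seen = set()
    while url in redirects and url not in seen and len(seen) < max_hops:
        seen.add(url)
        url = redirects[url]
    return url


def claimed_brand(msg):
    """Which brand the From header display name pretends to be, if any."""
    from_hdr = str(msg["From"] or "").lower()
    for keyword, brand in BRAND_KEYWORDS.items():
        if keyword in from_hdr:
            return brand
    return None


def analyze(raw_message, redirects):
    """Return one finding per link: whether it is a tracking link, where it ends
    up, and whether that destination contradicts the claimed brand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    brand = claimed_brand(msg)
    findings = []
    for link in re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I):
        link_host = urlparse(link).hostname or ""
        final = resolve_final_url(link, redirects)
        final_host = urlparse(final).hostname or ""
        mismatch = brand is not None and not host_matches(final_host, BRAND_DOMAINS[brand])
        findings.append({
            "link": link,
            "tracking": host_matches(link_host, TRACKING_DOMAIN_SUFFIXES),
            "final_host": final_host,
            "verdict": "brand-mismatch" if mismatch else "ok",
        })
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        for finding in analyze(sample, CONSTRUCTED_REDIRECTS):
            print(finding)
```

The point of the design is that the verdict is driven by the resolved destination, not by the sender’s reputation: a SendGrid-wrapped link is neither trusted nor blocked on its own, it is unwrapped and then judged against the brand the message claims, which is exactly the check a “trusted sender” shortcut skips.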
The second element is highly interesting. Every “above average” attacker has to go through a process of trial and error, much like a marketer trying to reach potential leads. Attackers design and plan an attack and then send it out to the world. Some of the attacks succeed and some do not. By using SendGrid, the attacker can collect data and then optimize the attack along two vectors:
In addition to mapping the targeted users, the attacker can try to work out the best time to launch the campaign: workdays or weekend days? Morning or late afternoon? Using this data and follow-up analysis, attackers can find the path that best serves their malicious goals.
Perception Point’s service is well suited to preventing such attacks, thanks to three main capabilities:
We welcome you to check our anti-phishing capabilities and see how we can prevent the next attack on your organization.