
Threat Intel, ATO/BEC
Phishing Campaigns Pick Up in the Wake of the Ukraine Invasion
by Charles Brook Tuesday, April 5th, 2022
Key Takeaways

- We have seen an upward trend in the number of suspicious emails being flagged that relate to Ukraine.
- Spam campaigns started to appear only one day after the initial invasion by Russia.
- The number of new domains containing "Ukraine" registered in 2022 is up 210% on 2021.
- An average of 315 new Ukraine-themed domains have been observed per day since 24 February.
- 77% of these domains appear suspicious based on early indicators.

Overview

The conflict in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine-themed emails flagged by our platform, including a number of threat campaigns that use the conflict as a theme for new scams, malspam and phishing.

In line with this, open source intelligence shows a significant increase in the number of Ukraine-themed domains being registered, which can be put to malicious use.

The scams observed typically request donations in cryptocurrency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to campaigns observed before the conflict, pushing links to suspicious e-commerce sites that sell Ukraine-themed items.
Trend analysis

Domain registrations

There has been a significant upward trend in the number of new domains registered that contain "Ukraine". Registrations of these domains are up more than 210% in 2022 compared with 2021. Researching domain registrations, we can see the trend building over the past two months.

Since early March there has been an average of 340 new domains registered each day that either contain "Ukraine" or closely resemble the word. Our platform observed an initial upward trend in Ukraine-themed emails, which peaked in early March. This included the spam campaigns and the donation scams.
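The keyword and lookalike matching behind a trend like this is easy to reproduce over a feed of newly registered domains. The following is an added example, not Tessian's own tooling: it flags domains that contain "ukraine" verbatim and domains whose registrable part is within one edit of it (typos, transliterations such as "ukraina"). The domain list is constructed for illustration, and the post's "early indicators" of suspicion are not defined here, so only the name matching is shown.

```python
"""Flag newly registered domains that contain "ukraine" or a close lookalike.

Added example, not Tessian's code. SAMPLE is a constructed list, not real
registration data; defanged "[.]" notation is accepted as input.
"""
from __future__ import annotations

KEYWORD = "ukraine"


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Drop the last label (the TLD) and join the rest, e.g. 'help-ukraine.org' -> 'help-ukraine'.
    This ignores multi-label public suffixes such as co.uk; good enough for keyword matching."""
    labels = domain.replace("[.]", ".").lower().rstrip(".").split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]


def match_keyword(domain: str, max_distance: int = 1) -> str | None:
    """Return 'exact' if the keyword appears verbatim, 'lookalike' if some window of
    the registrable part is within max_distance edits of it, otherwise None."""
    text = registrable_part(domain)
    if KEYWORD in text:
        return "exact"
    n = len(KEYWORD)
    best = n
    # Slide windows one shorter, equal and one longer than the keyword so that
    # a dropped or doubled letter is still caught as a single edit.
    for size in (n - 1, n, n + 1):
        for i in range(max(1, len(text) - size + 1)):
            best = min(best, levenshtein(text[i:i + size], KEYWORD))
    return "lookalike" if best <= max_distance else None


def scan(domains: list[str]) -> dict[str, list[str]]:
    """Bucket a list of domains into exact / lookalike / unrelated."""
    out: dict[str, list[str]] = {"exact": [], "lookalike": [], "unrelated": []}
    for d in domains:
        out[match_keyword(d) or "unrelated"].append(d)
    return out


# Constructed sample of "newly registered" domains (illustrative, not real data).
SAMPLE = [
    "help-ukraine-now[.]org",
    "ukrane-donate[.]com",
    "support-ukrainians[.]net",
    "ukraina-aid[.]info",
    "weather-today[.]com",
    "ukr-relief[.]org",
]

if __name__ == "__main__":
    for bucket, hits in scan(SAMPLE).items():
        print(f"{bucket}: {hits}")
```

A real pipeline would feed this from a certificate transparency or zone-file stream and then apply the reputation checks (registrar, age, hosting, content) that turn a keyword hit into a "suspicious" verdict.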
Threat campaign explainer

Donation scams

Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This helps explain why phishing remains among the top reported cybersecurity incidents in the FBI's latest Internet Crime Report, with over 323,000 reported incidents for 2021.

The donation scams vary in sophistication, from basic emails containing a short plea for help to fake websites set up to impersonate charitable organizations such as the British Red Cross.

One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and requests Bitcoin donations. Text and logos lifted from the legitimate websites of UNICEF, Actalliance and the Australian Council for International Development (ACFID) are used to make the phishing emails look authentic. The campaign detailed below, purporting to be a legitimate humanitarian aid effort for Ukraine from ACFID, requests Bitcoin donations and lets victims pay either to a Bitcoin address given directly in the email or via a malicious QR code.
Phishing email purporting to be from the ACFID  
Scanning the QR code with the iOS camera app prompts you to open a locally installed payment app that supports Bitcoin, in this case Cash App.

According to Blockchain Explorer, the last transaction involving the address in this email took place on 2022-02-14, with only six transactions in total.

Another donation scam was sent from the newly registered domain redcrossukraine[.]org, impersonating the Red Cross in Ukraine. The email contained a link to a professional-looking website with details of the Ukraine conflict and instructions on how to donate cryptocurrency in aid of Ukraine.

The site was based on a Bootstrap template by BootstrapMade, which gave it the look and feel of a legitimate website. Towards the bottom were addresses for three different crypto wallets to which you could send payments as a "donation": one for Bitcoin, one for Ethereum and one for Tether.
Ukraine-themed spam

Spammers have also reacted quickly to the invasion of Ukraine by adjusting the themes of their campaigns.

One notable spam campaign began blasting out emails only a day after the initial invasion, with links to suspicious e-commerce sites pushing t-shirts and other items that show support for Ukraine. The emails have subjects like "I Stand With Ukraine Shirts", contain images of t-shirts with pro-Ukraine slogans, and link to recently created sites such as mimoprint[.]info or mabil-store[.]com where the products referenced in the email can be browsed and purchased. Searching for these sites online turns up reviews claiming that they are a scam and that no product is received after purchase; other reviews claim they steal designs from users of other sites.

Recommended action

Some charities do accept cryptocurrency donations, but be cautious of any email purporting to collect donations for the humanitarian effort in Ukraine. If an unsolicited email asks for cryptocurrency, it is most likely a scam.

Before interacting with any Ukraine-themed email, check the source and the email headers to confirm that it really originated from the organization it claims to come from.

If you want to make a donation in support of Ukraine, the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities accepting donations in aid of Ukraine.
Email DLP, Integrated Cloud Email Security, ATO/BEC
Buyer’s Guide to Integrated Cloud Email Security
by John Filitz Tuesday, March 29th, 2022
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES), brings a fresh approach to increasingly sophisticated and elusive email threats. Here is what to look for when choosing an ICES solution.

Born in the cloud, for the cloud, ICES solutions are seen as an integral additional layer of email security that complements the native email security capabilities of cloud productivity suites such as Microsoft 365 and Google Workspace. At last count, according to the latest Gartner Market Guide for Email Security (2021), there were 13 ICES vendors, giving customers plenty of choice. Not every ICES vendor, however, offers the same completeness of vision, degree of protection or intelligent capabilities. This short guide covers some of the fundamentals that prospective buyers of an ICES solution should be aware of.

Why is there a need for ICES solutions in the first place?

Evidence shows that email remains an important and attractive attack vector for threat actors; according to a recent study, it is responsible for up to 90% of all breaches. That the vast majority of breaches are attributed to an email compromise indicates that the status quo in email security is insufficient to prevent breaches. This was confirmed in a Forrester survey conducted on behalf of Tessian, in which over 75% of organizations reported that, on average, 20% of email security incidents got past their existing security controls.

Threat actors are using more sophisticated email-based techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web. In this new world, threat actors develop exploit kits and offer their services for sale, which has dramatically increased attackers' ability to find targets. It also explains why the cost of damages from cybercrime is expected to rocket to $10.5 trillion by 2025, a rise of more than 350% from 2015.

Digital transformation is another key reason. Cloud adoption was accelerating before the Covid-19 pandemic and accelerated even faster in its wake. This dramatic shift to the cloud has significantly expanded the attack surface, with employees working from home, often on personal devices. The structural shift in computing has also revealed the soft underbelly of legacy cybersecurity solutions built for an on-premise world, including the rule-based, static protection for email offered by Secure Email Gateways (SEGs).

This explains why 58% of cybersecurity leaders are actively looking to replace their SEG with next-generation email security that has behavioral intelligence and machine learning at its core.
ICES fundamentals

Approach to threat detection and prevention

The key differentiator between SEGs and ICES solutions from a threat detection standpoint is that ICES solutions are underpinned by machine learning and take a behavioral intelligence approach to threat detection. An ICES solution's algorithm builds a historical behavioral map of an organization's email ecosystem. This map is combined with Natural Language Processing (NLP) and Natural Language Understanding (NLU) to scan for and detect anomalous email behavior dynamically and in real time. Unlike SEGs, this lets these solutions detect threats as they arise.

Deployment architecture

There are also important differences in the architecture and configuration of ICES solutions compared with SEGs. ICES solutions do not sit in-line like SEGs and do not require MX re-routing; instead they connect either via a connector or via an API and scan email either pre-delivery or post-delivery, detecting and quarantining any malicious email.

Degree of security automation

ICES solutions also offer a high degree of email security automation, including triage of security incidents, which significantly reduces alert fatigue and the SOC burden and ultimately improves security effectiveness.
Key differences between SEGs and ICES

Deployment
SEG: Requires MX record changes, sits in-line and acts as a gateway for all email flow.
ICES: Requires no MX record changes; scans incoming email downstream of the MX record, either pre-delivery via a connector or post-delivery via an API.

Threats covered
SEG: Designed to detect basic phishing attacks, spam, malware and graymail. No zero-day protection.
ICES: Designed to detect advanced social engineering attacks including spear phishing, impersonation attacks, business email compromise (BEC) and account takeover (ATO). Advanced zero-day protection.

Detection approach
SEG: Static, rule- and policy-based protection. No intelligent component to inbound or outbound threat detection, resulting in high false positives and significant triage of email security incidents.
ICES: Behavioral and machine learning detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and fewer false positives, i.e. less business interruption and more SOC optimization.

Insider and lateral threats
SEG: Limited insider threat detection and no lateral attack detection capability. Once a threat has bypassed the gateway, the threat actor has unlimited access to the victim's data and information systems.
ICES: Advanced insider and lateral attack detection capability, stopping threats where and when they arise.

What is scanned
SEG: Basic email field scanning capability. Relies on a threat engine of previously identified threats plus static rules and policies.
ICES: All email fields are analyzed using machine learning and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments.

What reaches the inbox
SEG: Advanced malicious emails go undetected and reach target inboxes. Some less sophisticated malicious emails end up in the spam or junk folder, where users can still accidentally interact with them.
ICES: Advanced malicious emails are detected and automatically hidden from users' inboxes. With the pre-delivery option, only email determined to be safe is delivered; post-delivery solutions claw back a suspected malicious email almost immediately after delivery.

Employee warnings
SEG: No in-the-moment employee security warnings. Security alerts are retroactive and aimed at SecOps, offering no context to employees and no way to improve the security culture.
ICES: An in-the-moment security notification banner can be added to an incoming or outgoing email indicating the risk level of the scanned email and the context. These real-time notifications improve security culture by empowering employees to take safe action in real time.

Data loss prevention
SEG: Basic DLP capability.
ICES: Some ICES solutions, like Tessian, have advanced DLP capability.
Five market differentiators for ICES solutions

Not all ICES solutions offer the same degree of completeness in product and protection. Prospective customers should understand and interrogate the following key differentiators during the vendor selection process:

1. Completeness of the product offering and product roadmap. Does the solution cover inbound and outbound email protection (i.e. does it prevent email data loss events from occurring)? Does it have pre-built integrations with other cybersecurity tools such as SIEMs?

2. Degree of protection offered. During the proof of value (POV) it is important to test the efficacy of the algorithm and establish a true baseline of detection, including the percentage of false positives. Verify the actual results from the POV against the vendor's stated claims.

3. Deployment and management overhead. Some vendors make unrealistic claims of "protection within seconds"; understanding the actual FTE resources and time needed for deployment is crucial, as is the product's ability to scale. Determining the FTE effort required to manage the tool day to day is equally important.

4. UX and reporting capability. The overall UX, including the UI for SecOps teams and feedback from employees after using the product during the POV, is essential. Evidence shows that if the UX is poor, the security effectiveness of the tool is diminished. The ability to pull or automate risk metric reporting on demand, down to the employee level and covering inbound and outbound email, is crucial for cybersecurity and risk compliance leaders.

5. Degree of automation. Automation is fast becoming a buzzword in cybersecurity. Buyers need to establish the degree of automation the ICES solution actually delivers, from threat detection to the triage of threats and risk reporting.

The final word

All it takes is one click on malicious content for a breach to take place. When assessing and selecting an ICES solution, customers should consider the criteria above as part of their general vendor assessment. The completeness of the product offering and the degree of protection offered should be weighed carefully.

Finally, there is the human side, which often never gets mentioned in vendor assessments. The experience of interacting with the vendor, from the first contact through to the end of the POV, gives key insight into what the future partnership with the vendor will look and feel like.

About Tessian

Tessian is one of the few ICES vendors that offers comprehensive protection for inbound threats like advanced spear phishing attacks, as well as outbound protection that prevents malicious and accidental data loss. Unlike many of our ICES competitors, we don't treat our customers as test subjects: our algorithm was developed and fine-tuned for four years before we went live. Due to this level of product maturity, we boast among the lowest false positive rates in our industry. We have among the most attractive UIs, delivering a phenomenal UX, including advanced and automated cyber risk reporting that makes security and risk leaders' lives easier. We never make claims we can't back up: we deploy in seconds and protect within hours. Both the deployment and management overhead are extremely efficient due to product maturity and the degree of automation inherent in our product. Finally, it is worth mentioning that we take our customers seriously. Here is what some of them have to say about using our product:
Integrated Cloud Email Security, ATO/BEC
Nation-States – License to Hack?
by Andrew Webb Thursday, March 10th, 2022
Traditionally, security leaders' view of nation-state attacks has been "as long as you're not someone like BAE Systems or a government, you're fine". But in the last three years nation-state attacks have doubled in number to over 200, and we have yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here is what you need to know.

How a nation-state attack differs from a regular cyber attack

Nation-state attacks are typically defined as APTs, or advanced persistent threats, a term first defined in 2005. They are called advanced because the attackers have access to exploits and techniques that are more professional, more effective and more expensive than those of the average criminal actor. Nation-state attackers can have teams that work around the clock, handing off every eight hours. There is also the question of the duration of an attack: APTs play the long game, and it can sometimes take 18 to 24 months before any compromise takes place. The bottom line is that nation-state hackers have the resources to wait for the perfect moment to strike.

What are the aims of a nation-state APT attack?

With the nearly unlimited money and resources of a nation-state, these attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:

- Exfiltrate data containing military secrets or intellectual property
- Conduct propaganda or disinformation campaigns
- Compromise sensitive information for further attacks or identity theft
- Sabotage critical organizational infrastructure

Russia blurs this line in that it has for years used criminal activity in furtherance of political goals. It also has an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don't know where to place their defensive resources.

Which businesses are most at risk from a nation-state attack?

A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive or store classified information when bidding for a contract or carrying out other supporting activities. One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks of organizations such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA, as well as UK Government departments and companies. What's more, it is believed that they were inside the networks for over three years.

Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. Banks, especially national banks, are under continual attack, and in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat of retaliation.

Softer secondary targets

Although targets with connections to the military have traditionally borne the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information about a "state-sponsored threat actor" based in China that targeted a wide range of entities in the U.S., including law firms. That highly sophisticated attack used previously unknown exploits against Microsoft Exchange Server, so it is reasonable to assume that if you have even tangential connections to a political target of one of these countries, you could be at risk.
As KC Busch, Tessian's Head of Security Engineering & Operations, explains: "APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn't encrypt outbound comms or have adequate email protection, then they're going to go for the law firm rather than the million-dollar target."

This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You're only as strong as your weakest link.
The phases of an APT attack

APT attacks come in three phases.

First, there is network infiltration, typically achieved through compromised credentials. If compromised credentials aren't an option, or defenses are particularly robust, nation-state attackers might use a zero-day exploit. Countries can have teams that research and write their own zero-days, but more commonly they buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought about how they are used. This murky world of zero-day exploits and the people who broker them to governments and security agencies was chronicled by former New York Times cybersecurity reporter Nicole Perlroth in her recent book, "This Is How They Tell Me The World Ends". Perlroth's book describes how, for decades, US government agents paid thousands and later millions of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, which have the money to buy them and a need to deploy them, even as they become rarer and more expensive.

The second phase is the expansion of the attack to spread to all parts of the network or system. As we have mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.

Thirdly, there is the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Several APT attacks have also started with a distributed denial-of-service (DDoS) attack that acts as a smokescreen while data amassed over what could be months or years is exfiltrated.

Notable nation-state attacks

The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran's uranium enrichment program. It disrupted the plant's uranium centrifuges by varying their spin rate, but not enough to cause them to shut down, while false data was displayed back to the controllers so that employees thought everything was business as usual. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it escaped into the wild when an engineer took an infected laptop home from the plant and connected it to the internet.

The biggest: the 2015 Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack "one of the worst data breaches in history". The data wasn't ransomed back to the company, and the reasons for the attack remain unclear. In 2019 the DOJ unsealed an indictment charging two Chinese nationals over the attack, but any indication of the alleged hackers' motives or affiliation was noticeably absent. Current thinking is that the data will be used for identity theft, or to identify interesting individuals or government employees for further exploitation and attack; only nation-states have the resources to process that much intel and find the 100 or so people whose credentials are worth targeting further. As for Anthem, the breach cost the company over $40 million to settle the resulting claims and clear up the mess.

What's the future of nation-state attacks?

The Anthem breach and others led to a very loose set of guidelines on what is and what is not acceptable. This was hammered out between former President Obama and President Xi Jinping of China in 2015, but none of it has the force of law in the way the Geneva Conventions do. And with an actor like Russia currently in a highly aggressive position, it is reasonable to expect escalation until its desired political goals are achieved. Attack types are likely to evolve too. One example is wipers. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper displays its message while it erases all your data. They are a class of malware with narrowly targeted uses, but if someone decided to let them loose, the damage could be astronomical. Worryingly, they have already been spotted in Ukraine.

How to protect your organization from nation-state attacks

The federal Cybersecurity & Infrastructure Security Agency (CISA) has posted a bulletin titled "Shields Up", which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from nation-state attacks.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Threat Intel, ATO/BEC
Analysis of a Microsoft Credential Phishing Attack
by Charles Brook Friday, February 25th, 2022
Credential harvesting via phishing remains a significant threat to organizations. In early February 2022, we detected a credential harvesting campaign leveraging a fake Microsoft Outlook login page. Although Secure Email Gateways (SEGs) have URL rewriting protection, phishing of this kind typically goes undetected through the use of obfuscation techniques such as hidden superscript tags interleaved with the message text.

Summary of the attack

An email impersonating Microsoft was sent using Amazon Simple Email Service (SES), targeting multiple individuals at a specific organization. The email informed recipients that their password was due to expire and that they needed to follow a link to reset it. The link in the email went through multiple redirects before landing on a credential phishing site impersonating the Microsoft Outlook login page. Analysis of this attack reveals it to be related to a known phishing-as-a-service (PhaaS) site where anyone can purchase tools and services for phishing.

Email content

Below is a screenshot of the malicious email with the malicious link to reset the password. Note the use of language (albeit with typos) expressing urgency around changing the end user's password.

The threat actor sent the target recipients a request to change their Microsoft password that included a malicious link redirecting to a credential harvesting website. Tailored to specific targets, the emails also appeared to be sent from an AWS Apps server via Amazon SES and passed SPF, DKIM and DMARC checks, so those checks alone would not have flagged them as malicious. Given that the email appears to have been sent via Amazon SES, there is a chance the attacker compromised an AWS account. Alternatively, they could have registered an account for the sole purpose of sending these emails and passing the authentication checks, since Amazon will be seen as a reputable sender.
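The practical lesson of those passing SPF, DKIM and DMARC results is that authentication only proves the sending domain is what it claims to be; it says nothing about whether that domain has any business sending on behalf of Microsoft. The check a triage analyst actually wants is the one below, an added example that is not Tessian's code: parse the Authentication-Results header, then compare the brand named in the From display name with the real sending domain. The raw message is constructed; its addresses, domains and verdicts are placeholders standing in for the campaign's real headers, and the brand-to-domain list is illustrative, not complete.

```python
"""Check a message's From header against the brand its display name claims.

Added example, not Tessian's code. RAW is a constructed message: sender
domain, Authentication-Results contents and the brand domain list are
placeholders for illustration.
"""
from __future__ import annotations
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brand name -> domains that legitimately send as that brand (illustrative).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "outlook.com"},
}

# Constructed message: display name says Microsoft, sending domain does not,
# and every authentication check passes for that unrelated domain.
RAW = """\
From: Microsoft Account Team <no-reply@notifications.example.net>
To: target@example.org
Subject: Your password is about to expire
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.example.net;
 dkim=pass header.d=example.net;
 dmarc=pass header.from=example.net
Content-Type: text/plain

Your password expire today. Click the link to keep it.
"""


def parse_auth_results(msg) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    results: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[method] = verdict.lower()
    return results


def claimed_brand(display_name: str) -> str | None:
    """Return the first known brand mentioned in the From display name, if any."""
    name = display_name.lower()
    return next((b for b in BRAND_DOMAINS if b in name), None)


def assess(raw: str) -> dict:
    """Combine authentication verdicts with a display-name vs sending-domain check."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    brand = claimed_brand(display)
    auth = parse_auth_results(msg)
    brand_mismatch = brand is not None and not any(
        from_domain == d or from_domain.endswith("." + d) for d in BRAND_DOMAINS[brand]
    )
    return {
        "from_domain": from_domain,
        "claimed_brand": brand,
        "auth": auth,
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        # Passing authentication does not clear a message whose display name
        # claims a brand the sending domain has no relationship with.
        "brand_mismatch": brand_mismatch,
        "verdict": "suspicious" if brand_mismatch else "no brand mismatch",
    }


if __name__ == "__main__":
    for key, value in assess(RAW).items():
        print(f"{key}: {value}")
```

In a real deployment the brand list would come from your own tenant's trusted senders and the display-name match would be fuzzier (lookalikes, Unicode homoglyphs), but the structure of the decision is the same: authentication results and sender identity are separate questions.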
Email body

When viewed in a mail reader these emails are fairly easy for the trained eye to spot, the main indicators being the grammatical errors common to phishing emails and the suspicious link behind the button. But underneath the displayed message was further evidence of the attacker going to great lengths, using common phishing obfuscation techniques, to make these emails difficult to detect.

The email body was base64 encoded, which is not unusual for email but is still a technique attackers use to obscure the content of a message. Decoding it revealed the HTML used to construct the email. Looking at the email body, we find that the attacker has added a series of HTML elements distributed randomly between the letters of the message.

Specifically, the attacker has used superscript HTML tags to obfuscate the email body against common email security tools like SEGs:

<sup style="display: none;">YYCZPYYCZP</sup>

The attacker has added "display: none;" styling to each tag, so the content of the element will not appear in the displayed email. The recipient sees only the intended message in their mail reader, while legacy email security tools that scan the raw HTML struggle to pick up any of the keywords that would identify this as a phishing email, because those keywords are broken apart by the hidden junk text.

By removing the superscript tags from the code we can see more clearly the message that was displayed to the recipient.

Phishing URL

The email contained a phishing URL with the recipient's address appended to the end. The URL was attached to a button labeled "Keep My Password".

Phishing link embedded in HTML email body
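The defensive counterpart to that trick is to scan what the recipient would see rather than the raw markup. The block below is an added example, not Tessian's detection code: it decodes a base64 text/html body with the standard library, renders the text while skipping any element styled display:none, and shows side by side that "password" is present in the visible text but absent from a naive tag-stripped view. The MIME message is constructed to mirror the technique described above; the filler strings and the link target are placeholders.

```python
"""Recover the text a recipient actually sees from an HTML email whose words are
split up by hidden <sup style="display: none;"> elements.

Added example, not Tessian's code. RAW is a constructed message built from
OBFUSCATED_HTML; the filler strings and URLs are placeholders.
"""
from __future__ import annotations
import base64
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Visible text with junk <sup> elements inserted between letters (constructed).
OBFUSCATED_HTML = (
    '<p>Your pass<sup style="display: none;">YYCZPYYCZP</sup>word is due to '
    'ex<sup style="display: none;">QQXRQQXR</sup>pire today.</p>\n'
    '<a href="https://redirect.example/click?p=https://phish.example/">'
    'Keep My Pass<sup style="display:none">ZZTZZT</sup>word</a>'
)
# The same HTML as the base64-encoded body of a text/html message.
RAW = (
    "From: sender@example.net\r\n"
    "Subject: Password notice\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(OBFUSCATED_HTML.encode()).decode()
    + "\r\n"
)


class VisibleText(HTMLParser):
    """Collect text, skipping any element styled display:none and everything inside it."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}
    BLOCK = {"p", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self.stack: list[bool] = []      # one hidden flag per open element
        self.hidden_elements = 0         # top-level hidden elements seen

    def _hidden(self) -> bool:
        return bool(self.stack) and self.stack[-1]

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            if tag == "br" and not self._hidden():
                self.parts.append(" ")
            return
        style = dict(attrs).get("style") or ""
        hidden = self._hidden() or bool(re.search(r"display\s*:\s*none", style))
        if hidden and not self._hidden():
            self.hidden_elements += 1
        self.stack.append(hidden)
        if not hidden and tag in self.BLOCK:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if not self._hidden():
            self.parts.append(data)


def decode_html_body(raw: str) -> str:
    """Return the decoded HTML body (transfer encoding and charset handled by email.policy)."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg if not msg.is_multipart() else msg.get_body(preferencelist=("html",))
    return part.get_content()


def analyze(raw: str, keyword: str = "password") -> dict:
    """Compare rendered text with a naive tag-strip and count hidden elements."""
    html = decode_html_body(raw)
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.parts)).strip()
    naive = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()
    return {
        "visible_text": visible,
        "naive_text": naive,
        "hidden_elements": parser.hidden_elements,
        "keyword_in_visible": keyword in visible.lower(),
        "keyword_in_naive": keyword in naive.lower(),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

A count of hidden elements interleaved inside words is itself a strong signal: legitimate newsletters hide whole blocks (preheaders, tracking pixels), not fragments of individual words.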
The phishing link also contained a second URL nested in the query component of the first. The attacker is abusing an open redirect in a well-known affiliate marketing network, Awin, to send victims on to the malicious site.

Phishing link from email:

hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#<recipient>@<domain>[.]com

Which redirects to:

hxxps://pcbmwc[.]org/fr#<recipient>@<domain>[.]com

The redirect is there to bypass the initial URL security checks common in legacy email security tools. Most tools scanning URLs are likely to focus on the domain of the outer URL, awin1[.]com, and recognise it as safe.

The domain in the nested URL, pcbmwc[.]org, appears to belong to a Buddhist monastery based in Patiya, Bangladesh. The site looks fairly basic and low budget; the attacker most likely compromised it and is using it to host part of their malicious infrastructure, an increasingly common tactic in phishing attacks.

Following the redirect leads to an apparently blank page. Its source code reveals a script that checks that an email address is still present at the end of the URL after the "#". This is intended to be the target's email address. If there is no email address appended to the end of the URL then nothing happens and you stay on the blank page. If there is one, the script redirects the target to the final landing page for the phishing site with that email address still included in the URL.

Link to the final phishing site:

hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#<recipient>@<domain>[.]com
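URL scanners that stop at the outer domain are exactly what this chain is built to fool, so the useful check is to unwrap the link before reputation lookups. The block below is an added example, not Tessian's code: it takes the defanged link quoted above (with a placeholder recipient in place of the real one), refangs it, follows any query parameter whose value decodes to an http(s) URL however deeply it is nested, carries the fragment across the redirect the way a browser does, and extracts the victim identifier from that fragment.

```python
"""Unwrap a phishing link that hides its real destination in another URL's
query string, and pull the victim identifier out of the fragment.

Added example, not Tessian's code. LINK is the defanged URL from the post with
a placeholder recipient; the unwrap logic is generic.
"""
from __future__ import annotations
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Defanged link as quoted in the post, recipient replaced by a placeholder.
LINK = ("hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309"
        "&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#victim@example.org")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(url: str) -> str:
    """Undo hxxp / [.] defanging and HTML entity escaping such as &amp;."""
    return html.unescape(url).replace("hxxp", "http").replace("[.]", ".")


def unwrap(url: str, max_depth: int = 5) -> list[str]:
    """Return the redirect chain: the outer link first, each nested URL found in a
    query parameter after it, innermost last. Stops when no parameter holds a URL."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        nested = None
        for values in parse_qs(parsed.query, keep_blank_values=True).values():
            for value in values:
                candidate = unquote(value)
                if re.match(r"(?i)https?://", candidate):
                    nested = candidate
                    break
            if nested:
                break
        if not nested:
            break
        # Browsers keep the fragment across a redirect whose target has none,
        # which is how the recipient address survives to the landing page.
        if parsed.fragment and not urlparse(nested).fragment:
            nested = f"{nested}#{parsed.fragment}"
        chain.append(nested)
        current = nested
    return chain


def final_domain(url: str) -> str:
    """Hostname that reputation checks should actually be run against."""
    return urlparse(unwrap(url)[-1]).hostname or ""


def victim_from_fragment(url: str) -> str | None:
    """Email address carried in the URL fragment, if present."""
    match = EMAIL_RE.search(unquote(urlparse(url).fragment))
    return match.group(0) if match else None


if __name__ == "__main__":
    clean = refang(LINK)
    for hop, u in enumerate(unwrap(clean)):
        print(f"hop {hop}: {u}")
    print("final domain:", final_domain(clean))
    print("victim:", victim_from_fragment(clean))
```

The same function also handles the `p=` style of open redirect when the inner URL is itself a wrapper, which is why it loops rather than looking only one level deep.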
Phishing Site Clicking the link from the original email will lead to the page below with the target’s email captured in the URL. The site is designed to resemble the Microsoft Outlook login page where you are prompted to enter your password. Looking at the source code for this site, it appears to be based on a previously seen template also used for Microsoft credential harvesting but with a few alterations.
To look as legitimate as possible, the site borrows graphics and styling directly from Microsoft-owned CDNs. Entering a password into the box provided and clicking 'Sign in' results in the email address from the URL and the password being captured and submitted, via an AJAX POST request, to a PHP file hosted on a separate server.

PHP file: hxxps://moliere[.]ma/aX3.php

The domain hosting the PHP script appears to belong to a consulting firm based in Casablanca. If legitimate, it too has most likely been compromised by the attacker to host malicious infrastructure.

This script is most likely what the attacker uses to harvest the credentials. It will either send them to the attacker directly or store them somewhere the attacker can retrieve them.

The source code of the site includes a number of jQuery scripts intended to make the site look and feel legitimate. These include sections that provide feedback to the victim, such as error messages and progress bars. One section checks that the password entered is not blank and is more than one character long. Another displays a fake progress bar after 'Sign in' is clicked, to give the illusion of a genuine login taking place.

If the credentials are submitted successfully, the victim is redirected to a genuine Microsoft login page and presented with the login screen again. The victim will assume they entered their credentials incorrectly the first time and simply carry on.

Another observation from the source code is that whoever wrote or borrowed the code has replaced most of the variable names and tag IDs with strings of seemingly random characters. On closer inspection these strings are composed of keyboard walk patterns. A keyboard walk is a series of characters typed in the order they appear on the keyboard, for example 'qwerty' or 'asdfg', often produced by dragging a finger across the keys.
This has been done deliberately to make the code more difficult to read and follow without clearly labeled variables.
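Keyboard-walk identifiers are a cheap fingerprint for kit-generated pages, because library code keeps readable names while the kit author's own names are mashed. The following is an added example, not code from the original post: it builds a QWERTY adjacency map (horizontal and approximate vertical neighbours), scores each identifier by the fraction of consecutive characters that are adjacent keys, and flags declared names and element IDs that read as walks. The sample script is constructed in the style described above; the threshold and minimum length are assumptions to tune on your own corpus.

```python
import re

# Physical QWERTY rows; index n of a row sits roughly under index n / n+1 of the row above.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
NEIGHBOURS = {}


def _link(a, b):
    NEIGHBOURS.setdefault(a, set()).add(b)
    NEIGHBOURS.setdefault(b, set()).add(a)


for row in ROWS:                                   # horizontal neighbours
    for a, b in zip(row, row[1:]):
        _link(a, b)
for upper, lower in zip(ROWS, ROWS[1:]):           # approximate vertical neighbours
    for i, c in enumerate(lower):
        for j in (i, i + 1):
            if j < len(upper):
                _link(c, upper[j])


def walk_score(identifier):
    """Fraction of consecutive character pairs that are adjacent keys (0..1)."""
    s = identifier.lower()
    if len(s) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(s, s[1:]) if b in NEIGHBOURS.get(a, ()))
    return adjacent / (len(s) - 1)


# Declared names and element ids are where a kit author chooses identifiers.
IDENT = re.compile(r"\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)")
ELEM_ID = re.compile(
    r"""(?:\bid\s*=\s*|getElementById\(\s*)["']([\w-]+)["']|\$\(\s*["']#([\w-]+)["']"""
)


def keyboard_walk_identifiers(source, min_len=4, threshold=0.75):
    """Identifiers in `source` that look like keyboard walks, sorted."""
    names = set(IDENT.findall(source))
    names |= {a or b for a, b in ELEM_ID.findall(source)}
    return sorted(n for n in names if len(n) >= min_len and walk_score(n) >= threshold)


# Constructed snippet in the style the write-up describes: the kit's own
# names are keyboard walks, while library-style names stay readable.
SAMPLE_SOURCE = """
var qwerty = document.getElementById("asdfgh");
var zxcvb = $("#hjkl");
function progressBar() { var password = zxcvb.val(); submitForm(password); }
"""

if __name__ == "__main__":
    for name in keyboard_walk_identifiers(SAMPLE_SOURCE):
        print(f"{name:12s} score={walk_score(name):.2f}")
```

Vertical walks such as `qazwsx` also score above the threshold thanks to the row-to-row links; ordinary English identifiers like `password` land well below it.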
Phishing as a Service (PhaaS)

The primary features and indicators of this phishing attack point to it being related to the BulletProofLink (aka BulletProftLink) phishing-as-a-service operation, which Microsoft detected and analysed in late 2021. The service offers phishing kits for sale to anyone and also provides infrastructure to host and run malicious campaigns. Phishing kits or services of this kind are typically available for around $200.
Although there were some differences for the specific campaign analyzed here, the attack chain observed is virtually identical to that mapped out by Microsoft.  
This credential harvesting attempt is a good example of what is becoming a particularly common modus operandi to compromise an organization’s credentials and information system. The unfortunate reality is that such attempts have a high success rate of bypassing legacy and native email security controls. Threat actors are able to achieve this success through the use of obfuscation techniques that are tried and tested repeatedly against static, rule-based email security controls, until the desired outcome is achieved.   
With the continuously advancing sophistication of phishing attacks, it becomes a matter of when, not if, an organization's legacy email security controls will be circumvented. Behavioral cybersecurity solutions like Tessian are increasingly seen as a game changer and a necessity for warding off advanced social engineering attacks. Tessian detects and prevents phishing attacks such as the one discussed here on a daily basis for our clients. It does this by scanning not only the URL links but every field in an email, and comparing them, using machine learning, against a historical map of the organization's email ecosystem to determine whether the email is malicious or safe. End users then receive in-the-moment security warnings prompting them towards safer action.
Appendix: Indicators

Email body (decoded):
<sup style="display: none;">YYCZPYYCZP</sup>

URLs:
hxxps://awin1.com/awclick.php?mid=2584&id=201309&p=hxxps%3a%2f%2fpcbmwc[.]org/fr#
hxxps://pcbmwc[.]org/fr#
hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#
hxxps://moliere[.]ma/aX3.php

Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred from analysis of the email and of the phishing site, which was still active at the time of receipt.

TA0043: Reconnaissance
T1589: Gather Victim Identity Information
T1589.002: Email Addresses
T1595: Active Scanning

The attacker will have gathered email addresses to target either from data breaches dumped on the Internet or by scanning the target organization's public-facing website for addresses, most likely found on its people page.

TA0042: Resource Development
T1584: Compromise Infrastructure
T1584.004: Server
T1588: Obtain Capabilities
T1608: Stage Capabilities
T1608.005: Link Target

The attacker will either have developed the scripts and pages used to construct the malicious email or obtained them through a phishing-as-a-service site. It also appears they may have compromised vulnerable web servers to host some of the infrastructure used for harvesting credentials, including the redirection page, the fake login page and the PHP script that collects the credentials. This could also have been provided as part of a PhaaS package.

TA0001: Initial Access
T1566: Phishing
T1566.002: Spearphishing Link

The attacker sent emails impersonating Microsoft containing a phishing link aimed at harvesting credentials. These emails were sent from an AWS Apps server via Amazon SES, meaning the attacker either compromised an existing AWS account or set one up for this campaign.

TA0005: Defense Evasion

A number of techniques were employed to evade detection.
The first is the use of Amazon SES to make emails appear reputable and pass security checks. The attacker also obfuscated the message in the email by placing hidden HTML elements at random intervals, making it difficult for security tools to pick up on keywords.   An open redirect was also used in the phishing URL to send the recipient to the malicious site via a trusted one first. Security tools and the recipient will often see the domain for the trusted site and assume the URL is safe.
Integrated Cloud Email Security, ATO/BEC
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
by John Filitz Friday, February 18th, 2022
Malicious URL link-based attacks are a tried and tested method for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting, also referred to as time-of-click protection, there are significant limitations to the degree of protection this control provides.

Unlike behavioral cybersecurity solutions like Tessian, which dynamically scan all of the content in an email in real time, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. With that approach, your protection is only as effective as the rules and policies you have created, combined with the relevance of your threat detection engine.

The static approach SEGs take to malicious URL detection explains why zero-day threats often get through. The lack of machine learning scanning capability also explains why threat actors are able to hide malicious URLs in attachments or even in plain text. For example, APT39 leveraged malicious URL links that were hidden in, or attached to, phishing emails to carry out an elaborate espionage and data gathering campaign across multiple jurisdictions. Similar attacks are usually, but not exclusively, motivated by credential harvesting for account takeover (ATO).
How URL link rewriting protection works

SEGs that offer URL link rewriting scan and rewrite the URLs contained in inbound email so that they point through the vendor's own infrastructure: every link in every email received through the gateway is rewritten to pass via the email security vendor's system.

The rewritten link is then analysed at the time the user clicks it, against the key criteria specified in the security rules and policies and against the vendor's repository of known malicious URLs.

For the rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned, and allow selected email groups in the organization to be included or excluded. Scanning intensity settings typically range from relaxed to moderate to aggressive.

If a link is determined to be malicious on the basis of the rules and policies and the link's reputation, the end user is notified and warned against accessing it.
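To make the mechanism concrete, the following is an added example, not code from the original post or any vendor's product: a minimal rewriter that replaces each href with a signed gateway link at delivery time, and a click-time handler that verifies the signature, decodes the original URL and checks its hostname against a blocklist. The gateway endpoint, signing key and blocklist are constructed for the example. It also shows the limitation the post goes on to describe: a lure wrapped in an affiliate-network redirect is allowed because the checker only ever sees the outer hostname.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical gateway endpoint, signing key and reputation data (constructed).
GATEWAY = "https://clicks.gateway.invalid/redirect"
SECRET = b"rotate-this-key"
BLOCKLIST = {"pcbmwc.org"}            # the compromised host from the earlier post, marked bad
HREF = re.compile(r'href="([^"]+)"')


def _sign(token):
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html):
    """Pre-delivery step: replace every href with a signed gateway link."""
    def repl(m):
        token = base64.urlsafe_b64encode(m.group(1).encode()).decode().rstrip("=")
        return 'href="%s?%s"' % (GATEWAY, urlencode({"u": token, "s": _sign(token)}))
    return HREF.sub(repl, html)


def first_href(html):
    return HREF.search(html).group(1)


def click(gateway_url):
    """Time-of-click step: verify the signature, decode, check the outer host.

    Rejecting unsigned tokens matters: a rewriter that redirects to any
    decodable URL is itself an open redirector on a trusted domain.
    """
    q = parse_qs(urlsplit(gateway_url).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sign(token)):
        return "blocked: bad signature"
    original = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    host = (urlsplit(original).hostname or "").lower()
    if host in BLOCKLIST:
        return f"blocked: {host}"
    return f"allow: {original}"


# Constructed lures: one direct link to the bad host, one wrapped in an
# affiliate-network redirect that carries the real target in a query parameter.
DIRECT = '<a href="https://pcbmwc.org/fr">Keep My Password</a>'
WRAPPED = ('<a href="https://awin1.com/awclick.php?mid=2584&id=201309'
           '&p=https%3a%2f%2fpcbmwc.org/fr">Keep My Password</a>')

if __name__ == "__main__":
    for lure in (DIRECT, WRAPPED):
        print(click(first_href(rewrite_links(lure))))
```

The direct link is blocked; the wrapped one is allowed, even though it lands on the same host, because nothing in the click handler looks inside the query string.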
Five shortcomings of URL link rewriting protection

1. URL link rewriting is an overly manual security control prone to human error
URL link rewriting, or time-of-click protection, requires a significant degree of manual security rule and policy orchestration. Because it is a post-delivery control (malicious URLs are delivered and only scanned when clicked), its effectiveness is significantly compromised without well-configured URL detection rules and policies. The static nature of URL policy and rule orchestration also opens the door to human error, either by failing to set the appropriate URL scanning intensity or by failing to include the appropriate user groups.

2. URL link rewriting is ineffective at protecting against zero-day attacks
URL link rewriting offers protection against known threats only, and limited protection against zero-day attacks. Registering new domains or hijacking existing "trusted" domains are popular evasion methods. Once the threat actor has passed through the gateway, they have unfettered access to end users who assume the email and its link have been scanned and are safe. Usually the malicious URL detection engine is updated only after a successful compromise.

3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge
Threat actors find sophisticated ways to obfuscate malicious URLs. They often do not include the malicious URL in the email itself but hide it behind a "safe" URL redirect, or in attachment types that are uncommon or outside the scope of the security policy. On opening the file or clicking the link, victims are taken to what appears to be a legitimate website, which redirects to a malicious site posing as a trusted service provider.

4. Protection starts and stops at the gateway
A lateral phishing attack is sent from a compromised account inside the organization, so it never traverses the gateway. Malicious URLs delivered from trusted internal sources are therefore never rewritten or scanned.

5. If all you have is a hammer, everything looks like a nail
URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, the threat actor sends a benign-looking link to a legitimate but recently compromised website, where they are able to capture the victim's credentials, for example on the site's login page. Legacy email security solutions would determine the link to be "safe" even if the email came from an unknown or suspicious party.
The need for intelligent email security    Email-based attacks remain the overwhelming favorite vector for attack. The forever evolving and advancing nature of email based threats has placed the effectiveness of legacy email security controls into sharp focus.    With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape, where threat actors are continuously honing their capabilities at circumventing rule-based security controls.  Only by leveraging email security solutions that have machine learning and contextually aware scanning capability, can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.
Threat Intel, ATO/BEC
Spear Phishing Attack Impersonating C-Suite Targets Junior Employees at Law Firm
by Charles Brook Thursday, February 10th, 2022
In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.
Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation  into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation like domain spoofing, direct spoofing and account takeover (ATO).
The Attack   The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.
Email content:
Sender address: <Name of Chairman>.<Website Domain>@gmail[.]com
Display name: <Name of Chairman>
Subject: <Name of Chairman>
Body: asking if recipients have time available; expressing a sense of urgency
Links and attachments: none

The threat actor registered an email address with Gmail and chose a username containing the name of the law firm's chairman together with the domain used for its website. They also changed the display name on the account to match the chairman's name as it appeared on the firm's website.

The attacker then drafted a generic message containing a call to action, asking the recipient "are you available?". It was sent to more than 200 individuals at the firm.

The email contained no links or attachments when it was sent, just the message added by the threat actor. This indicates an intent to engage in social engineering through correspondence with the recipients.
This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that can be leveraged for a more advanced phishing attack. Low-effort attempts like this are part of why social engineering now accounts for 70-90% of all successful breaches.

In other cases it can involve a few messages back and forth to establish a baseline of trust before a malicious attachment or URL is sent in a subsequent email. Having established trust, the recipient is more likely to click without much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs): either because of the degree of subterfuge in the name and domain spoofing, or because the malicious payload is simply not present in the initial email.
The Approach

The majority of phishing attacks using this approach come from addresses registered by the threat actor, looking something like "partner1234@gmail[.]com" or "manager5678@hotmail[.]com".

Attackers use freemail accounts because they cost nothing and are easy to create. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution, and accounts like this will continue to be used to target multiple organizations.

In this attack the address was created as "<Name of Chairman>.<Website Domain>@gmail[.]com", which indicates deliberate intent to target this firm specifically.

The fact that the threat actor sent the email to more than 200 junior members of the firm indicates a higher level of planning and reconnaissance than most attacks of this type.

Our research shows that law firms are the target of impersonation-style phishing attacks 31% of the time. Firms tend to post details of most employees on their websites, including names, email addresses and positions held, and many employees are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.
In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.    The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.    Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.
Real-time, comprehensive email protection Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.    Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.   Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.   All it takes is one click.    This example underscores the relentless pursuit of threat actors, attempting to gain access to an organization’s crown jewels. As attacks become more advanced, it requires a defense-in-depth approach to email security. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes to securing your email ecosystem.
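The detection described above combines several weak signals (freemail sender, the firm's own domain in the local part, a display name matching someone on the people page, urgency language, a never-before-seen sender, and no payload) into one verdict. The following is an added example, not Tessian's code: a small scoring function over a parsed message with those checks written out explicitly. The tenant domain, VIP list, sender history and both sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed tenant context: the firm's domain, names taken from its own
# people page, freemail providers, and the sender history the detector keeps.
ORG_DOMAIN = "examplelaw.invalid"
VIP_NAMES = {"jane doe"}
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENCY = ("are you available", "quick", "urgent", "asap", "right away")
SEEN_SENDERS = {"partner@examplelaw.invalid", "counsel@acme.invalid"}


def _name_key(display):
    """Normalise a display name so 'Jane  DOE' and 'jane doe' compare equal."""
    return " ".join(re.sub(r"[^a-z]+", " ", display.lower()).split())


def assess(msg):
    """Score one inbound message; msg has from/subject/body/links/attachments."""
    display, address = parseaddr(msg["from"])
    local, _, domain = address.lower().rpartition("@")
    org_label = ORG_DOMAIN.split(".")[0]
    findings = []
    if domain in FREEMAIL:
        findings.append("freemail sender")
    if org_label in local:
        findings.append("org name in local part")
    if _name_key(display) in VIP_NAMES and domain != ORG_DOMAIN:
        findings.append("display name matches VIP, non-org domain")
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = [k for k in URGENCY if k in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    if address.lower() not in SEEN_SENDERS:
        findings.append("sender never seen before")
    if not msg["links"] and not msg["attachments"]:
        findings.append("no payload: conversational lure")
    # Impersonation evidence from an unknown sender is what earns a warning;
    # the other findings are context shown to the user, not blockers on their own.
    impersonation = any(f.startswith(("display name", "org name")) for f in findings)
    verdict = "warn" if impersonation and "sender never seen before" in findings else "allow"
    return verdict, findings


# Constructed messages: the lure described above, and an ordinary internal note.
LURE = {"from": "Jane Doe <jane.doe.examplelaw.invalid@gmail.com>", "subject": "Jane Doe",
        "body": "Are you available? I need a quick favour.", "links": [], "attachments": []}
INTERNAL = {"from": "Jane Doe <partner@examplelaw.invalid>", "subject": "Lunch Thursday",
            "body": "Are we still on?", "links": [], "attachments": []}

if __name__ == "__main__":
    for m in (LURE, INTERNAL):
        verdict, findings = assess(m)
        print(verdict, findings)
```

Gating the warning on impersonation evidence rather than on "never seen before" alone is what keeps the false-positive rate manageable; on its own, a new sender is the normal case for any firm that takes on clients.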
Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred up to the point the email was received.

TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/
T1591: Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/
T1591.004: Identify Roles – https://attack.mitre.org/techniques/T1591/004/
T1589: Gather Victim Identity Information – https://attack.mitre.org/techniques/T1589/
T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002/
T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003/

The threat actor carried out reconnaissance against the target's website, identifying the key individuals to impersonate and target. Using the people directory on the website they were able to identify the chairman of the law firm to impersonate, and to obtain a list of names and email addresses of associates at the firm to target.

TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042/
T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/
T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/

After identifying a high-ranking member of the firm, the threat actor registered an email account with Gmail. The username contained the name of the chairman as well as the domain used for the firm's website, and the display name on the account was changed to that of the chairman.

TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001/
T1566: Phishing – https://attack.mitre.org/techniques/T1566/

With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The message explained that they were the chairman of the firm and asked whether the recipient was available to help them quickly.
TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/

The threat actor avoided detection by conventional means by registering a new email address and not including a malicious link or attachment in the initial email. SEGs typically rely on known IOCs to detect malicious activity; since there was no attachment or URL here, there was nothing to scan or look up a reputation for.

MITRE D3FEND Framework

Most of the techniques used by the threat actor were reconnaissance-based and occurred in the pre-compromise phase, outside the scope of typical defenses and controls, meaning they could not easily be mitigated without advanced email protection.

Detect – https://d3fend.mitre.org/tactic/d3f:Detect
D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis

Sender reputation analysis can be used to detect unwanted or malicious emails by analysing information about the sender. This can include information accumulated over time, such as the number of emails received, the number of recipients, the number of emails replied to, and so on.

The problem with this attack is that the email address used by the threat actor will have been recently registered with a reputable freemail service and was unseen by the law firm before, so there is limited information available to establish sender reputation. Detection can be based on the email address never having been seen before; however, with legacy email security controls this type of detection generates high volumes of alerts and false positives.
Email DLP, Integrated Cloud Email Security, ATO/BEC
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
by John Filitz Wednesday, February 9th, 2022
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.    The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a welcome and new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk   Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.    The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.  Threat actors are exploiting these developments by targeting the most common threat vector for a breach, phishing via email.
Secure Email Gateways (SEGs)

SEGs were, until recently, considered a staple of the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly difficult to protect in today's threat landscape, largely because their detection assumes adversaries will exploit common, well-known attack vectors.

SEG solutions sit in-line and filter all inbound email. They use a threat intelligence engine combined with manual policy orchestration, creating "allow" or "deny" lists. In the world of SEGs, security administrators have to point MX records at the gateway, develop specific email security policies, block domains, and triage incidents, many of which are false positives produced by the "wide net" filtering approach.

Because the SEG threat engine relies on known threats, threat actors can bypass SEG controls, for example by registering new domains and combining them with advanced impersonation techniques. That is why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.

And once an adversary has compromised an organization's email (i.e. passed through the gateway), there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods of email-based data exfiltration, for example renaming document files to bypass manually orchestrated SEG DLP policy labels.
The key attributes of SEGs include:
Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
Redirection of mail via MX records pointing to the SEG, so that all incoming email is scanned
A sandbox for detecting, isolating and detonating suspected malicious emails or attachments
Clawback ability for internal email only
No ability to detect lateral movement by a threat actor that has breached the gateway
Supplemental scanning solutions are often required to detect advanced inbound threats
Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions   The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But, they’re also able to provide protection for hybrid and on-premise environments.    Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities, to dynamically, and in-real-time, scan and detect any anomalous email behavior on both the inbound and the outbound side.    ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include:
Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
Require no MX record changes; incoming email is scanned downstream of the MX record, either pre-delivery via a connector or post-delivery via an API
Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and fewer false positives, i.e. less business interruption and more SOC optimization
A banner can be added to an incoming email indicating the risk level of the scanned email
Lateral attack detection capability
Malicious emails are hidden from users' inboxes: with the pre-delivery option, only email determined to be safe is delivered; post-delivery solutions claw back email determined to be malicious
All email fields are analyzed and compared against a historical mapping of email correspondence; fields scanned include the sender, recipient, subject line, body, URLs and attachments
Prompts the end user with in-the-moment contextual warnings on suspected malicious emails so they can take safe action in real time
Some have advanced DLP capability
The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.    Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 
Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.
Threat Intel, ATO/BEC
Cyber Criminals Leverage Temporary Block on PayPal Account in Phishing Attack
by Charles Brook Friday, February 4th, 2022
This week, Tessian’s threat intelligence researchers detected a relatively sophisticated phishing attempt impersonating PayPal, the global payment services provider. The threat actor sent an email requesting action from the victim, prompting them to click on the login button, leading to a malicious website. The email that was received  
Social engineering-based cyber attacks like this, usually a form of phishing delivered by email, have become a common phenomenon both at work and in our personal lives. Threat actors carry out these attacks through a range of techniques, leveraging information gathered opportunistically or through open source intelligence (OSINT).

In fact, 70-90% of all successful breaches are attributed to social engineering, with 96% of all phishing attacks delivered via email. This is why advanced phishing attacks are seen as a growing cybersecurity challenge.
All it takes is one click   Phishing attempts are used for a range of cybercriminal objectives, for example delivering malware including ransomware onto unsuspecting victims’ computers. Often phishing campaigns are also waged for the harvesting of credentials to execute an account takeover (ATO) attack.    They’re difficult to spot, too. Phishing attempts can appear to be very legitimate, even to the trained eye.
The phishing attempt targeted PayPal customers, and used common phishing tactics, including leveraging corporate logos hosted via a third-party service provider, and creating a sense of urgency by stating that “Your PayPal Account Has Been Temporarily Restricted”.    But, when you actually click “Login to PayPal” as instructed, you’re directed to   hxxps://me2[.]do/xZD4rPKB Which redirects to hxxps://docs[.]05fmxoujyghzb[.]club/tmp/index/wildtt.php?97giuywdae   Despite the unusual URL, the landing page looks legitimate, and will prompt users to enter their login details. This information is then captured by cybercriminals in a scheme known as credential harvesting.    Just as every effort was taken to make the webpage look legitimate, every effort was also taken to mimic the authenticity of a legitimate PayPal customer email, including:
Email images  The email source points to linkpicture[.]com domain, a used free image hosting service. The primary reason for using a free service like this? It enables the threat actor to avoid any tie-backs to personal infrastructure, which enables a relatively high degree of anonymity and separation for carrying out the attack.
Quoted printable encoding   The threat actor also used quoted-printable encoding inside key email header fields and in sections of the HTML body, a common tactic for evading spam filters that match on the raw, undecoded text. Mail clients (and webmail rendered in the browser) automatically decode this text before displaying it, so the recipient sees ordinary readable text. Filters that inspect the decoded content are not fooled by this; only those matching on the encoded bytes are.

[Screenshot: Sender, display name as received and decoded]

When adding the display name, the attacker attempted to double-encode part of it. This didn’t work, which is why the first string does not fully decode: a mail client decodes only one layer of encoding, so the inner encoded word is shown literally.

[Screenshot: Body, email headline as received and decoded]
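To make the decoding concrete, here is an added Python example (not code from the original post, and not Tessian’s tooling) that parses a constructed message built in the same shape: an RFC 2047 Q-encoded display name whose inner content is itself an encoded word, a Q-encoded subject, and a quoted-printable HTML body in which letters of the brand name are encoded. The sender address, the redirector URL and the example.test domains are invented for the example. It decodes one layer, exactly as a mail client does, and reports what a raw-byte filter would have seen versus what the recipient sees:

```python
"""Decode a phishing email's RFC 2047 headers and quoted-printable body,
then pull out what an analyst wants: the decoded display name, subject and
headline, the link targets (defanged for reporting) and the empty anchors."""
import email
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample message (not the message analysed in the post). The
# From: display name is a Q-encoded word whose *content* is itself an encoded
# word, i.e. a failed attempt at double encoding. The HTML body hides the
# brand name from naive byte matching by encoding 'P', 'T' and 'R' as
# =50, =54 and =52.
RAW_EMAIL = b"""\
From: =?UTF-8?Q?=3D=3FUTF-8=3FQ=3FPayPal=3F=3D_Service?= <service@example.test>
To: victim@example.test
Subject: =?UTF-8?Q?Your_PayPal_Account_Has_Been_Temporarily_Restricted?=
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<h1>Your =50ayPal Account Has Been =54emporarily =52estricted</h1>
<a href=3D"https://redirector.example.test/xZD4rPKB">Login to =50ayPal</a>
<a href=3D"">Help</a> <a href=3D"">Contact</a>
</body></html>
"""


def decode_rfc2047(value: str) -> str:
    """Decode one layer of RFC 2047 encoded words in a header value.

    Only one layer is decoded, as a mail client would do it, so a
    double-encoded word surfaces as a literal '=?...?=' string.
    """
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked when pasted into a report."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def analyse(raw: bytes) -> dict:
    """Parse a single-part HTML message and return the indicators of interest."""
    msg = email.message_from_bytes(raw)
    display_name, address = parseaddr(msg["From"])
    raw_body = msg.get_payload()  # still quoted-printable, as a filter sees it
    charset = msg.get_content_charset() or "utf-8"
    html = msg.get_payload(decode=True).decode(charset, errors="replace")
    headline = re.search(r"<h1>(.*?)</h1>", html, re.S)
    links = re.findall(r'href="([^"]*)"', html)
    return {
        "display_name": decode_rfc2047(display_name),
        "address": address,
        "subject": decode_rfc2047(msg["Subject"] or ""),
        "headline": headline.group(1) if headline else "",
        # A filter that matches on the raw bytes misses the brand entirely.
        "brand_in_raw_body": "PayPal" in raw_body,
        "brand_in_decoded_body": "PayPal" in html,
        "links": [defang(u) for u in links if u],
        "empty_links": sum(1 for u in links if not u),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The display name comes back as the literal string `=?UTF-8?Q?PayPal?= Service`: the inner encoded word survives because clients decode a single layer, which is the behaviour behind the partially decoded display name in the screenshot above. The brand check shows the other side of the trick: “PayPal” is absent from the raw quoted-printable body but present once decoded, so detection has to run on decoded content. The two empty anchors are the decorative footer links discussed in the next section.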
Enhancing “authenticity”   Impersonating well-known and trusted brands like PayPal is a common modus operandi for phishing attacks. According to Tessian research based on the analysis of 2 million malicious emails, Microsoft, Amazon, and Zoom all ranked among the most impersonated brands. Likewise, the financial services sector tends to be heavily targeted in phishing attacks.   The threat actor also used what appear to be legitimate PayPal footer links to enhance the apparent authenticity of the phishing email, another common tactic observed in phishing attempts. The footer links are empty, however: the anchors carry no URL at all.
Additional observations of interest, and avenues for further research   The HTML body contains the name of a UK-based retailer, “Sainsbury’s”, indicating that this template was reused from an earlier phishing attempt targeting a different company’s customers; the threat actor forgot to update that detail in this instance. Leftovers like this are a useful pivot: the same string can be searched for across other samples to cluster campaigns built from the same kit. There might also be utility in purchasing similar phishing templates off the dark web to identify phishing attack trends and indicators.

It also pays dividends for organizations to stay aware of how email security threats are evolving, with threat actors continuously adapting social engineering methods to bypass legacy, rule-based email security controls. Educating employees about threats and how to spot them is important, too.

What to do if you think an email is suspicious   Now that we’ve examined this particular example, we need to address what you should do if you suspect you’re being targeted by a phishing attack.

If anything seems unusual, do not follow or click links or download attachments.
If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid.
If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.
Contact your line manager and/or IT team immediately and report the email.
Engineering Team, Integrated Cloud Email Security, ATO/BEC, Life at Tessian
Why Confidence Matters: How We Improved Defender’s Confidence Scores to Fight Phishing Attacks
Tuesday, January 4th, 2022
‘Why Confidence Matters’ is a weekly three-part series. In this first article, we’ll explore why a reliable confidence score is important for our users. In part two, we’ll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we’ll go over the pipeline we used to test different approaches and the resulting impact in production.

Part One: Why Confidence Matters   Across many applications of machine learning (ML), being able to quantify the uncertainty associated with a model’s prediction is almost as important as the prediction itself.

Take, for example, chatbots designed to resolve customer support queries. A bot which provides an answer when it is very uncertain about it will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn’t understand a question, and ask for clarification is much less likely to generate nonsense messages and cause frustration amongst its users.
The importance of quantifying uncertainty   Almost no ML model gets every prediction right every time; there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mislabelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.

Hence, ML models that make critical decisions need to predict two key pieces of information:
1. the best answer to provide a user
2. a confidence score to quantify uncertainty about the answer.

Quantifying the uncertainty associated with a prediction can help us decide if, and which, actions should be taken.
How does Tessian Defender work?   Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage, Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover).

Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that is identified as potentially malicious by any of the models:

A confidence score, which is related to the probability that the flagged email is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into 4 categories of Priority (from Low to Very High). This score is important for various reasons, which we expand on in the next section.
An explanation of why Defender flagged the email. This is an integral part of Tessian’s approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in the moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge which probably deserves its own content, so we won’t focus on it in this particular series. Watch this space!
Why Confidence Scores Matter   Beyond Defender’s capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were:

Email quarantine   Based on the score, Defender first aims to quarantine the highest priority emails to prevent malicious emails from ever reaching employees’ mailboxes. This not only reduces the company’s risk exposure from an employee still potentially interacting with a malicious email; it also removes the burden and responsibility from the user to make a decision, and reduces interruption to their work.

Therefore, for malicious emails that we’re most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:

Identify malicious emails with very high precision (i.e. very few false positives). We understand how much our customers rely on email to conduct their business, and so we needed to make sure that any important communications still come through to their inboxes unimpeded. This was very important so that Tessian Defender can secure the human layer without security getting in our users’ way.
Identify a large enough subset of high confidence emails to quarantine. It would be easy to achieve very high precision by quarantining very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. In order to be a useful tool, Defender would need to quarantine a sizable volume of malicious emails.

Both these objectives depend directly on the quality of the confidence score. A good score allows a large proportion of flags to be quarantined with high precision.
Prioritizing phishy emails In today’s threat landscape, suspicious emails come into inboxes in large volumes, with varying levels of importance. That means it’s critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones that they need to act upon. A good score will provide a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin’s limited time is focused on mitigating the most likely threats, while having the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements.   The bottom line: Being able to prioritize emails makes Defender a much more intelligent tool that is effective at improving workflows and saving our customers time, by drawing their attention to where it is most needed.  
Removing false positives   We want to make sure that all warnings Tessian Defender shows employees are relevant and help prevent real attacks.

False positives occur when Defender warns on a safe email. If this happens too often, warnings could become a distraction, which could have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate could mean that warnings lose their effectiveness altogether, as users may start to ignore them completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender.

Similarly to quarantine, a good confidence score can be used to filter out false positives without impacting the number of malicious emails detected. For example, emails with a confidence score below a given threshold could be dropped from the warning flow to avoid showing employees unnecessary warnings.
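As an added worked example (not Tessian’s code or data), the threshold selection this section describes, run on a constructed review set of fifteen flagged emails with analyst verdicts: the script finds the lowest score cut-off whose precision still meets a target, reports the recall that buys, maps scores onto four priority bands (the band edges are assumed), and routes each email to quarantine, warn, or silent delivery in the way the quarantine and false-positive sections above describe:

```python
"""Choose a quarantine threshold for a phishing confidence score and route
flagged emails by that score. The review set and the priority band edges are
constructed for this example; they are not Tessian's data or cut-offs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flag:
    message_id: str
    score: float     # model confidence: 0 = most likely safe, 1 = most certainly phishing
    malicious: bool  # reviewer's verdict, used as ground truth


# Constructed review data: model scores for flagged emails and the verdict
# an admin or end user gave on each.
REVIEWED = [
    Flag("m01", 0.99, True),  Flag("m02", 0.97, True),  Flag("m03", 0.95, True),
    Flag("m04", 0.93, True),  Flag("m05", 0.91, False), Flag("m06", 0.90, True),
    Flag("m07", 0.86, True),  Flag("m08", 0.80, False), Flag("m09", 0.74, True),
    Flag("m10", 0.65, False), Flag("m11", 0.55, True),  Flag("m12", 0.40, False),
    Flag("m13", 0.30, False), Flag("m14", 0.20, True),  Flag("m15", 0.10, False),
]


def precision_recall(flags, threshold):
    """Precision and recall if every email scoring >= threshold is treated as malicious."""
    positives = [f for f in flags if f.score >= threshold]
    true_positives = sum(1 for f in positives if f.malicious)
    total_malicious = sum(1 for f in flags if f.malicious)
    precision = true_positives / len(positives) if positives else 1.0
    recall = true_positives / total_malicious if total_malicious else 0.0
    return precision, recall


def choose_quarantine_threshold(flags, min_precision):
    """Lowest observed score at which precision still meets min_precision.

    Recall can only grow as the threshold drops, so the lowest qualifying
    cut-off quarantines the most malicious mail the precision target allows.
    Returns (threshold, precision, recall), or None if no cut-off qualifies.
    """
    chosen = None
    for threshold in sorted({f.score for f in flags}, reverse=True):
        precision, recall = precision_recall(flags, threshold)
        if precision >= min_precision:
            chosen = (threshold, precision, recall)
    return chosen


def priority(score):
    """Map the 0..1 score onto four admin-facing bands (band edges are assumed)."""
    if score >= 0.9:
        return "Very High"
    if score >= 0.7:
        return "High"
    if score >= 0.4:
        return "Medium"
    return "Low"


def route(score, quarantine_at, warn_at):
    """Adaptive response: quarantine when near-certain, warn the user when
    suspicious, and deliver silently below warn_at to avoid warning fatigue."""
    if score >= quarantine_at:
        return "quarantine"
    if score >= warn_at:
        return "warn"
    return "deliver"


def triage_queue(flags, quarantine_at, warn_at):
    """Admin queue ordered from most to least likely malicious, with the action taken."""
    ordered = sorted(flags, key=lambda f: f.score, reverse=True)
    return [(f.message_id, priority(f.score), route(f.score, quarantine_at, warn_at))
            for f in ordered]


if __name__ == "__main__":
    threshold, precision, recall = choose_quarantine_threshold(REVIEWED, min_precision=1.0)
    print(f"quarantine at >= {threshold}: precision {precision:.2f}, recall {recall:.2f}")
    for row in triage_queue(REVIEWED, quarantine_at=threshold, warn_at=0.4):
        print(row)
```

With a precision target of 1.0 the review set only supports quarantining the top four scores (recall 0.44); relaxing the target to 0.85 lowers the cut-off to 0.86 and raises recall to 0.67 at the cost of one safe email quarantined. The warn threshold at 0.4 silently delivers m14, a malicious email scored 0.20, which is the false-negative side of dropping low-score warnings; on real data both cut-offs should be set from a held-out review set rather than the one used to pick them.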
What’s next?   Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was to look at how we could measure any improvements to the score. You can find a link to part two in the series below (Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
Email DLP, Integrated Cloud Email Security, ATO/BEC
A Year in Review: 2021 Product Updates
by Harry Wetherald Thursday, December 16th, 2021
Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email.

At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.

We built the world’s first Intelligent Data Loss Prevention Engine   We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.

But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies play an important role in an organization’s data security strategy.

With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:

Architect was built together with leading security teams: it’s intuitive, quick to learn and comes with a library of prebuilt policies
Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases
Architect is designed to educate users about data security practices in the moment and guide people towards better behavior

Want to learn more about Tessian Architect? Read more about it here.
We now protect customers from compromised external counterparties   This year, we saw a record number of bad actors compromising the email accounts of trusted external senders (suppliers, customers, and other third parties) to breach a target company. These attacks are called external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).   Because these malicious emails don’t just appear to come from a trusted vendor or supplier’s legitimate email address but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.   Tessian Defender now automatically detects and stops external Account Takeover attacks.   By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.   When this happens, Defender can either block these attacks, or show educational alerts to end-users, helping them identify and self-triage attacks.   Learn more about External Account Takeover protection here.
We now stop more threats, with better accuracy, with less admin overhead   In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.   But we know that sometimes it’s better to automatically block phishing emails.   Tessian Defender now automatically blocks attacks before they reach a user’s mailbox. This gives security teams an additional layer of email security, preventing end-users from receiving emails that are highly likely to be phishing attacks.   Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end-user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end-users and protecting them.   Finally, this year, Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to reduce false positives significantly, providing a better experience to end-users and security teams.
We now stop employees from accidentally sending the wrong attachment   Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contains an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.

42% of documents sent in error contained company research and data
39% contained security information like passwords and passcodes
38% contained financial information and client information
36% of mistakenly attached documents contained employee data

Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.

The upgrade uses historical learning, deep content inspection, natural language processing (NLP), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies, to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.

Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.

Learn more about misattached file protection here.
We can now quantify and measure human layer risk   Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.   How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.   This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.   Learn more about the Human Layer Risk Hub here.
We now integrate with KnowBe4, Sumo Logic, Okta, and more… Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers. With Sumo Logic + Tessian, security and risk teams can understand their risk through out-of-the-box monitoring and analytics capabilities.
With Okta + Tessian, security and risk management teams get granular visibility into their organization’s riskiest and most at-risk employees, and can consequently deploy policies that help protect particular groups of users from threats like advanced spear phishing and account compromise, and prevent accidental data leaks.
And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.
Want to help us solve more challenges across use cases? Come build with us.
Integrated Cloud Email Security, ATO/BEC
Product Integration News: Tessian + KnowBe4 = Tailored Phishing Training
by Austin Zide Tuesday, December 7th, 2021
Following other recent integrations (Okta, Sumo Logic…) we’re adding KnowBe4 – the world’s largest integrated security awareness training and simulated phishing platform – to the list, giving organizations more  visibility into phishing risk than ever.
What are the benefits of Tessian + KnowBe4?   The integration combines KnowBe4’s phishing simulation and training results with powerful insights from Tessian’s Human Layer Risk Hub, to give security and risk management teams a more comprehensive view of their riskiest employees. By identifying the employees who are most likely to fall for phishing attacks, security teams can adjust their security policies to the specific risks posed by individuals or deliver more tailored training in the areas where people are struggling most.

With Tessian + KnowBe4:
Training is more relevant
Employees are more engaged
Security leaders can easily report on the impact training has on improving the company’s overall security posture

This is a shift away from the traditional approach to security awareness training and is a much-needed solution to the ever-growing problem of phishing attacks. Figures show that 1 in 4 employees has clicked on a phishing email at work, while the FBI revealed that phishing was the most common type of cybercrime last year, with 11x as many phishing reports in 2020 compared to 2016.
Learn more To find out more about the Tessian and KnowBe4 integration, click here.
Customer Stories, Email DLP, Integrated Cloud Email Security
16 Ways to Get Buy-In For Cybersecurity Solutions
by Maddie Rosenthal Friday, December 3rd, 2021
As a security or IT leader, researching and vetting security solutions is step one. What’s step two, then? Convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.   This is easier said than done, but security is business-critical.   So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives?   We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs. Here’s a summary of their tips.   You can download this infographic with a quick summary of all of the below tips. This is perfect for sharing with peers or colleagues. Or, download this eBook.   1. Familiarize yourself with overall business objectives   While cybersecurity has historically been a siloed department, today, it’s an absolutely essential function that supports and enables the overall business. Think about the consequences of a data breach beyond lost data. Organizations experience higher rates of customer churn, reputations are damaged, and, with regulatory fines and the cost of investigation and remediation, there can be significant revenue loss.   The key, then, is to attach cybersecurity initiatives to key business objectives. The security leaders we interviewed recommended starting by reviewing annual reports and strategic roadmaps. Then, build your business case.   If customer retention and growth are KPIs for the year, insist that cybersecurity builds customer trust and is a competitive differentiator. If the organization is looking for higher profits, make it clear how much a breach would impact the company’s bottom line. (According to IBM’s latest Cost of a Data Breach, the average cost of a data breach is $4.24 million.)
2. Create specific “what-if” scenarios   A lot of security solutions are bought reactively (after an incident occurs), but security leaders need to take a proactive approach. The problem is, it’s more challenging for CxOs and the board to see the value of a solution when they haven’t yet experienced any consequences without it.

As the saying goes, “If it ain’t broke, don’t fix it”.

That’s why security leaders have to preempt push-back to proactive pitches by outlining what the consequences would be if a solution isn’t implemented, so that stakeholders can understand both probability and impact.

For example, if you’re trying to get buy-in for an outbound email security solution, focus on the “what-ifs” associated with sending misdirected emails, which, by the way, are sent 800 times a year in organizations with 1,000 employees. Ask executives to imagine a situation in which their biggest client’s most sensitive data lands in the wrong inbox. What would happen?

Make sure you identify clear, probable consequences. That way, the situation seems possible (if not likely) instead of being an exaggerated “worst-case scenario”.

3. Work closely with the security vendor   You know your business. Security vendors know their product. If you combine your expertise and really lean on each other, you’ll have a much better chance of making a compelling case for a particular solution.

Ask the vendor for specific resources (if they don’t exist, ask them to create them!), ask for product training, ask if you can speak with an existing customer. Whatever you need to get buy-in, ask for it. Rest assured, they’ll be happy to help.

4. Collaborate and align with other departments   It takes a village, and cybersecurity is a “people problem”. That means you should reach out to colleagues in different departments for advice and other input. Talk to the folks from Risk and Compliance, Legal, HR, Operations, and Finance early on.
Get their opinion on the product’s value. Find out how it might be able to help them with their goals and initiatives. In doing so, you might even be able to pool money from other budgets. Win-win!
5. Consider how much the executive(s) really know about security   To communicate effectively, you have to speak the same language. And, we don’t just mean English versus French. We mean really getting on the same level as whomever you’re in conversation with.   But, to do that, you have to first know how much your audience actually knows about the topic you’re discussing.   For example, if you look into your CEO’s background and find out that he or she studied computer science, you’ll be able to get away with some technical jargon. But, if their background is limited to business studies, you’ll want to keep it simple. Avoid security-specific acronyms and – whatever you do – don’t bury the point underneath complex explanations of processes.    In short: Don’t succumb to the Curse of Knowledge.
6. Use analogies to put costs into perspective   One of the best ways to avoid the Curse of Knowledge and give abstract ideas a bit more context is to use analogies. It could be the ROI of a product or the potential cost of a breach. Either way, analogies can make big, somewhat meaningless numbers more tangible and impactful.

For example, imagine you’re trying to convince your CFO that the cost of a solution is worth it. But the 6-digit, one-time cost is a hard sell. What do you do? Break the overall cost down by the product’s lifespan. Then, divide that number by the number of employees it will protect during that same period.

Suddenly, the cost will seem more manageable and worth the investment.

7. Invite key stakeholders to events or webinars   Before you even start pitching a particular solution, warm up executives with educational webinars or events that aren’t product-specific. This will give CxOs a chance to better understand the problem, how it might apply to them, and how other people and organizations are finding solutions.

Bear in mind: most vendors will have at least 1 (generally 2+) webinars or events during the standard sales cycle.

8. Prepare concise and personalized briefing materials   Individual stakeholders will be more likely to consider a particular solution if the problem it solves is directly relevant to them. How? Combine tips #1, #2, #3, and #5.

After taking some time to understand the business’ overall objectives, take a closer look at individual people’s roles and responsibilities in meeting those objectives. Then, dig a bit deeper into how much they know about cybersecurity.

Imagine you’re meeting with a COO with some technical experience whose focus is on maintaining relationships with customers. His or her briefing documents should contain minimal technical jargon and should focus on how a data breach affects customer churn.

The bottom line: make it about them.

9. Share these documents in advance of any formal meetings   While this may seem obvious, the security leaders we spoke to made it clear that this is an essential step in getting buy-in. No one wants to feel caught off guard, unprepared, or rushed.

To avoid all of the above, make sure you share any documents relevant to the solution well in advance of any formal meetings.

But don’t just dump the documents on their desk or in their inbox. Outline exactly what each document is, why it’s relevant to the meeting, and what the key takeaways are. You want to do whatever you can to help them absorb the information, so make sure you make yourself available after sharing the documents and before the meeting, just in case they have any questions or need additional information.

10. Build a strong security culture   Before we dive into why building a strong security culture can help you get buy-in, we want to make it clear that this isn’t something that can happen overnight. This is a long-term goal that requires the help of the entire organization. Yes, everyone.

So, how do you build a strong security culture? Start by ensuring that security and IT teams are committed to helping, not blaming, employees. There has to be a certain level of mutual trust and respect.

Beyond that, employees have to accept responsibility for the overall security of the organization. They have to understand that their actions, whether it’s clicking on a phishing email or using a weak password, have consequences.

If they do accept this responsibility, and if they genuinely care about following policies and procedures and helping secure data and networks, high-level executives will care, too. They’ll therefore be more likely to sign off on solutions.

11. Keep an eye on security trends outside of your industry   Some industries, specifically Healthcare, Financial Services, and Legal, are bound to compliance standards that formalize the need for effective security solutions.
That means that, compared to other industries like Retail or Manufacturing, they’ll be required to have more robust strategies in place. What they’re doing now, the rest of us will be doing in 12 months.

Keep this in mind.

If you notice that organizations operating in the most highly regulated industries are all taking data loss prevention (DLP) seriously, you’ll be able to make a strong case that this is something that should be on your radar, too.

12. Approach non-executive stakeholders early on   While, yes, getting buy-in from CxOs and the board is important, security leaders also need to get buy-in from non-executive stakeholders working in IT, infrastructure, etc.

After all, those are the people who will actually be responsible for deploying the solution and maintaining it. By approaching them early on (and assuming they’re interested in the solution, too) you’ll be able to paint a clear picture of the process after the solution has been signed off on.

How long will it take? Who’s involved? Will employees’ workflow be disrupted? These are all important questions to answer.

13. Match like-for-like people from both sides   If you’re scheduling a meeting with executives from your side and key people from the vendor’s side, make sure you’re bringing in people that “match” in terms of function and seniority level.

For example, if you work at a start-up and the founder of your company wants to be involved in the buying process, ask the vendor’s founders to join, too. Likewise, if the Head of Infrastructure is joining from your side, ask someone in a similar function to join from the other side. Why? Like-for-like people will be best placed to answer one another’s questions.

And, with that in mind…

14. Preempt questions and prepare answers   No one likes to be put on the spot. To avoid being asked a question that you don’t know the answer to, spend a good amount of time considering all the questions different stakeholders may ask and drafting well-thought-out answers. (Better yet, fit the answers into briefing documents or the presentation itself!)

Remember, people are generally concerned with how a problem or solution affects them directly. That means the CEO will have different questions than the CFO, who will have different questions than the Head of IT.

15. Get specific customer references from the vendor   We mentioned in tip #3 that you should lean on the vendor, especially when it comes to specific resources and customer references. And we mentioned in tip #13 that you should match like-for-like people in meetings.

It should make sense, then, that specific customer references will be more powerful than generic ones. For example, if you’re the CISO at a 4,000-person tech firm in North America, and you’re trying to convince your CTO that you need to implement a new solution, you should share a case study (or customer reference) from the vendor that outlines how their product has helped an organization in the same industry, of the same size, and in the same region. Ideally, it will also feature quotes from that organization’s CTO.

Why? Professionals trust and rely on their peers when making difficult decisions.

16. Be conscious (and considerate) of people’s time   Decisions about security solutions can involve a lot of different people. That means you’ll have to balance several conflicting schedules and fight for time. Your best bet? Book meetings with all relevant people at once and get the vendor involved at the same time. Ahead of the meeting, share an agenda along with any relevant documents (see tip #8).