Spear Phishing
How to Catch a Phish: a Closer Look at Email Impersonation
20 August 2019
Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly more difficult to spot. What is spear phishing? A variety of terms are used to describe inbound email attacks ranging from spoofing, phishing, spear phishing and whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology: Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication. Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are often easy for clued-up individuals or email security policies to detect. Spear Phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these too, are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts. Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief (“c-level”) executives and board members.
What does a spear phishing email look like?
Spear phishing emails have four key components: Target: spear phishing attacks are directed at specific employees or groups, oftentimes those with access to money, sensitive systems or powerful people. For example, accounts payable departments and executive administrators are frequently targeted. Criminals may also target new hires and other “quick-to-click” employees, exploiting their desire to act fast on any requests or assignments. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from Linkedin career updates to employee details on company websites. Intent: in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests﹘like a wire transfer﹘will appear authentic and usually get the target to complete the desired action. [Read more on how trust can be manipulated by tech in our report “Why People Make Mistakes”] Impersonation: at the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals often impersonate an influential or powerful person﹘like a CEO﹘or a trusted company﹘for example, Microsoft ﹘in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear phishing. Payload: spear phishing emails may contain some form of payload to engage the target. Basic impersonations include obvious payloads like links and attachments that appear legitimate, but which are in fact malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.
Advanced impersonation spear phishing falls into three categories.
Why is spear phishing so dangerous? Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on-the-go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices. Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses – small and large – around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover. How do you prevent advanced impersonation spear phishing? Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine layer methods: Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence. Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g. domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems. Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc). While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyses historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption. To learn more about Tessian or book a demo of Tessian Defender, contact us here.
Spear Phishing
Why DMARC is Not Enough to Stop Impersonation Attacks
By Laura Brooks
30 July 2019
The UK’s National Cyber Security Centre (NCSC) reported that in the past year, it has stopped 140,000 phishing attacks and taken down more than 190,000 fraudulent websites. In its second annual report on the Active Cyber Defence (ACD) program, the NCSC details how its use of Synthetic DMARC has stopped sophisticated phishing operations, including one in which hackers used a gov.uk domain to impersonate an airline organization. While this approach of synthesising DMARC records has proven to be effective in stopping spoof email campaigns so far, the NCSC’s report also describes it as “an evil hacky kludge,” adding that more needs to be done to express policy ownership in domain hierarchies. Here, we address the shortfalls of DMARC and email authentication records, and consider what more can be done to stop strong-form impersonation attacks. A necessary first step 95% of all attacks on enterprise networks are the result of successful spear phishing, which often involves an attacker directly impersonating the email domain of the receiver. For example, any attacker could send an email from your business email domain to an employee at your business, and the recipient would have no way to validate the sender’s authenticity in the absence of authentication records. SPF and DKIM are email authentication records that, in short, allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how the client responds to emails that fail SPF or DKIM checks (generally reject, quarantine, or no action.) SPF, DKIM, and DMARC are essential for preventing direct impersonation of your organization’s email domain. All email domains – especially those of trusted brands – are at risk of direct domain impersonation, regardless of past threat activity. The darker side of DMARC However, DMARC has its downsides. And while the NCSC has encouraged more UK businesses and government agencies to adopt DMARC, the report doesn’t shy away from bringing these shortfalls to light. 1. DMARC configuration is time-consuming and resource intensive The NCSC report states that “for any enterprise of a decent size, implementing DMARC is often a long process”  and that “implementing DMARC is a lot harder than people will have you think.” Strict DMARC policies can, if misconfigured, block the delivery of real, legitimate emails. As a result, the ACD recommends organizations take time to digest DMARC reports and investigate the nuances of their mail infrastructure, before gradually moving to a more protective DMARC policy. Unfortunately, this process takes many organizations well over a year. 2) DMARC records are publicly available; attackers can work around them DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. For example, DMARC doesn’t protect against indirect impersonation, or domains that are similar to yours (e.g. @tassian.com, @tessian.outbound.com, @tessian.email). There are thousands of ways an attacker can make a new domain look similar enough to your domain to fool members of your organization. These new, legitimate domains are unprotected by DMARC. Perhaps because of DMARC’s public nature and the vulnerability of indirect impersonation, ACD data has yet to establish a causal link between increased DMARC adoption and decreased phishing. 3) External domains remain a threat Configuring DMARC and other email authentication records are necessary measures for preventing attackers from directly impersonating your organization’s email domain. Unfortunately, a high percentage of the emails your employees receive likely come from the domains of other organizations, such as partners, vendors, customers, and government bodies. Given that other organizations are unlikely to have authentication records in place, employees remain vulnerable to direct impersonation of their external contacts. Email authentication records and policies, then, are only a small piece of the puzzle for protecting your organization against spear phishing attacks. Impersonation is a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?” Tessian Defender uses stateful machine learning models to analyze historical email data and understand relationship context, which means we can automatically detect the impersonation of both internal and external parties.
Spear Phishing
Why Financial Services Firms are Most Likely to Fall for Phishing Attacks
10 July 2019
Recent reports show that the number of cyber incidents reported by financial services firms to the Financial Conduct Authority (FCA) skyrocketed from 69 in 2017, to 819 in 2018. Ransomware and phishing attacks topped the list of reported cyber attacks, making the financial sector one of the most targeted industries for phishing crimes. With the threat of phishing and spear phishing attacks only growing in severity, being aware of potentially malicious emails and impersonation scams has never been more important. However, our report – Why Do People Make Mistakes? – worryingly suggests that people in financial services are the most likely to fall for phishing scams. We found that nearly one in three financial services workers has clicked on a phishing email at work, making it the sector with the highest percentage of people falling for these attacks. The problem is that people in financial services are under huge amounts of stress and pressure – and this often leads to mistakes online and puts cybersecurity at risk. For example, nearly half of the people we surveyed from financial services (49%) described their current workload is either ‘overwhelming’ or ‘heavy’, while 70% said there is an expectation within their organization to respond to emails quickly. Furthermore, an overwhelming majority 89% said they feel stressed at work, with nearly nine in 10 admitting they make more mistakes when stressed – significantly higher than the UK average of 71%. Stress and overwhelming workloads can, ultimately, increase vulnerabilities to threats given that a person’s ability to spot anomalies in a phishing email becomes influenced by other tasks requiring their attention at the same time. With so much going on, overworked employees will likely rely more on habitual behaviors that inform their decision making, rather than engaging in rational, analytical thinking. Tiredness, too, also impacts our ability to question the legitimacy of messages we receive, leading to what could be a costly mistake for any business. Mistakes are inevitable, especially when people are tired, stressed and facing a never-ending to do list. Cybersecurity is the last thing on their minds but it just takes one click on a malicious link or one response to a hacker’s request to compromise data and ruin a company’s reputation. So, as cybercriminals continue to hone their skills and make spear phishing attacks more targeted and more believable, businesses need to consider how to prevent the inevitable mistakes. Consider how best to protect your people. Alert them to potential threats and provide them with the information they need – in real-time – to think before they click.
Spear Phishing
Ed Bishop: Spear Phishing and the Dangers of Impersonation
09 July 2019
Tessian CTO Ed Bishop runs through the most dangerous forms of spear phishing and email impersonation attacks threatening organizations. Email allows us to interact freely. If you know someone’s address, you can send them an email, regardless of where in the world they are located or what device they’re using. Even if you don’t know someone’s email, it’s often relatively easy to guess. Email is also open by default. This openness has taken masses of friction out of global commerce, and is vital to our businesses. But there’s a tension here. An open network inevitably means risk to individuals and businesses alike. Organizations around the world handle sensitive material every day. Vigilance will always be important. But striking a balance between empowering employees and cracking down on suspicious activity has to be done sensitively. Strong-form spear phishing is a particularly dangerous threat. Spear phishing takes advantage of email’s openness using advanced impersonation techniques undetectable by most filters and safeguards, creating significant headaches for information security leaders. It is the most insidious threat to email communication, and is the number one form of attack threatening enterprises today. The FBI now tracks Business Email Compromise (BEC), whereby spear phishing is used to extract large sums of money through illegitimate or unauthorized wire transfers. In 2018, the FBI estimated that in the previous five years, Business Email Compromise (of which spear phishing is an important component) had cost enterprises as much as $12.5bn. So how did this threat emerge? The birth of phishing Email was introduced in the 1970s. It didn’t take long for it to attract a parasite: spam, which arrived in 1978. Spam allowed emails to be sent to large numbers of recipients with minimal personalization. Originally invented for marketing purposes, it soon led to innumerable scams. By 2017, spam made up 55% of all emails received globally.  In response to spam detectors and blockers, attackers started to work harder. They turned to phishing. Phishing mimics the identity of trusted people and services in order to extract sensitive information, such as passwords or account numbers. Although they remain a threat, generic bulk phishing attacks can usually be prevented by legacy email security solutions. The problem, though, is that attackers have refined their approach over the years. They have invested more time and energy into targeting specific individuals, and have turned to public-domain information from sites like LinkedIn to personalize emails. As phishing has grown in popularity, other cybercrime strategies like ransomware and fraudulent online purchases have also become more prevalent. In 2017, hackers stole a staggering £130bn from consumers through these schemes. And information security professionals have their work cut out. Targeted, personalized attacks are constantly evolving. At Tessian, we see impersonation-based spear phishing as the next stage in this email arms race. High-ranking employees are most at risk From a technological perspective, spear phishing is much more difficult to filter out than run-of-the-mill spam or bulk phishing. This is because it is highly targeted towards particular individuals within organizations. Even the most cynical and risk-aware individuals can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. This is not confined to mid-ranking employees: ‘whaling’ scams specifically target C-level executives, for instance. These nefarious tactics are not going away any time soon. Secure Email Gateways: solving the problem? To combat attackers, enterprises have traditionally used Secure Email Gateways to monitor attachments and URLs. Today, almost every email provider or legacy Secure Email Gateway (a guard against malicious emails) will include a spam filter. However, there are always ways for attackers to get around these rule-based technologies. Cybercriminals may employ malware that evades software programs’ screening capabilities, for instance: alternately, organizations might fall victim to a zero-payload attack that doesn’t represent a threat for weeks or months. So how have Secure Email Gateway structures attempted to address spear phishing issues? Display address irregularities Secure Email Gateways are designed to catch irregular display addresses. These occur when the target’s display address doesn’t exactly match the genuine address (changing an ‘n’ to ‘m’ and making ‘bank’ ‘bamk’, for instance). This check looks for instances where a reply-to address may be different from the sender’s own address. Domain monitoring Here, the Secure Email Gateway checks whether the sending domain has been recently registered, or whether it is registered as inactive. The protective measures mentioned here can only ever be partially effective. That’s because they are focused on providing static, rule-based solutions: attackers can easily reverse engineer these rules and circumnavigate them. So how are cybercriminals evading Secure Email Gateways? At least in part by focusing on strong-form techniques. Attackers are becoming more subtle Attackers have a variety of ways to break down organizations’ defences, but strong-form tactics are especially hard for Secure Email Gateways and other rule-based systems to detect. We’ve already covered reply-to modifications, for instance. This is an example of weak-form phishing which relies on targets not realising that the reply-to address of an email has been changed from the original ‘sender’. With strong-form phishing tactics, the reply-to address can appear to be exactly the same as the sender’s address. This has the potential to confound simplistic rule-based systems. A strong-form attack could be a homograph impersonation of a ‘trusted’ external counterparty, such as a law firm or an accountant. Here, other alphabets can be used to deceive targets into believing a domain or address is genuine. The English language ‘a’, for instance, is very similar to a Cyrillic small letter ‘a’. This visual trick can be used to create alias addresses that could well deceive targets. It might seem surprising that anybody can send an email pretending to be anyone, but current email protocols allow for this. Email authentication methods like SPF, DKIM and DMARC have been designed to try and confirm sender identities. The problem is that this can only be truly effective when every company in the world publishes its own email authentication record. Unfortunately, this is far from being the case: many Fortune 500 companies still have not published the recommended email authentication records. This gives attackers the means to find, through public domain data, any external counterparties without correct authentication records, and simply send emails pretending to be them. It’s clear that hackers are thinking about more subtle ways to breach organizations’ defences. As such, it’s important to understand how spear phishing works in practice. The tip of the spear: breaking down intelligent phishing attacks Understanding how spear phishing attacks are constructed is fundamentally important to the success of an information security team’s defences. So what are the key components of a spear phishing attack? Target The target could be any employee within your organization, but attackers may focus on high-ranking executives or members of the finance department. Cybercriminals can spend significant amounts of time researching and identifying the most vulnerable individuals. Impersonation The impersonation of another person or company is the core tenet of spear phishing attacks. Once a target is identified, the attacker may choose to impersonate a colleague or a trusted third party external to the organization (possibly someone who works at another organization they interact with regularly and trust). Intent Successful spear phishing attacks all manage to get the email recipient to take a particular kind of action. This could be wiring money to an attacker’s bank account, divulging login details or other sensitive data, or installing malware or ransomware on a device. Often, requests for action exploit organizational pressures to maximize urgency and time sensitivity.
Hacking the human One successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. While some enterprises are able to stop basic spear phishing, these attacks are becoming more sophisticated all the time. This isn’t surprising. The history of email security shows us that phishing attacks only become more advanced and personalized with time. In industries where many firms still rely on only traditional technologies like Secure Email Gateways to operate, the threat level is potentially even more potent. The rewards for attackers are large, and the risk for companies still larger. There is much to be done before organizations can be said to have the upper hand against these bad actors. By acknowledging the people that are at the heart of this battle, and by building products that understand and protect them, I’m confident that we can make significant progress. *Interview condensed from Modern Law Magazine supplement, May 2019.
Spear Phishing
Why Law Firms are Falling for Phishing Attacks
By Cai Thomas
17 June 2019
Phishing is now the most common cyber attack affecting legal sector. Last year, nearly 80% of law firms reported phishing attempts and, according to Osterman Research, the number of mass phishing attempts getting through to end users increased by 25% while spear phishing attempts rose by 26%. Sadly, hackers are also getting more successful in their attempts; the amount of money stolen from law firms as a result of phishing scams, in the first quarter of 2017, was 300% higher than the year before. The simple fact is that law firms are a lucrative target for spear-phishing attacks because they hold many confidential secrets and deal with large financial transactions. It’s a problem that law firms have to tackle, else face the devastating consequences that phishing scams can have to highly sensitive client data and the firm’s reputation. However, worryingly the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails. So what do you need to look out for? What are the techniques hackers are using to try and trick employees in their spear-phishing attacks? Here are the most recent trends: 1. Leveraging the LinkedIn treasure trove Simply put, spear-phishing attacks are more sophisticated impersonation attempts, whereby an attacker skillfully leverages social engineering techniques to manipulate the targeted individual. To do this successfully, criminals gather publicly available information about a firm’s business in order to masquerade as a reputable employee or counter-party. Today, there is so much valuable data for criminals to easily access online – from your LinkedIn career updates to employee details on company websites. In the case of law firms, savvy criminals have also realised that any lawyer regulated by the SRA must legally ensure their contact details are publicly available online. With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. And by the time these law firms realised they’d been successfully attacked, it was too late. 2. Identifying prime targets New joiners are an attacker’s ideal prey; fresh into the firm, they have an energy to act upon request and prove themselves. But this could be their, and your firm’s, downfall. One firm, for example, experienced an unfortunate incident whereby a new Finance Manager – just two months into the job – was fooled into transferring £60,000 to an impersonated supplier. Security awareness training on these types of attack, therefore, must take place as soon as an individual joins the firm. However, it’s not just new joiners that you need to be wary of. Leavers, too, pose a threat. A quick update on LinkedIn tells opportunist criminals of that person’s departure from a company, and we’ve seen that fraudsters are quick to piggyback this move – creating freemail impersonations of leavers to request credentials or documents or to change their bank details. In this case, staff should notify IT when a supposed leaver gets in contact to confirm the identity of the sender. 3. Testing the waters Another common technique is attackers masquerading as Managing Partners, starting emails with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment or payload included; they sail through a firm’s defences in order to start a conversation. In one particular incident, an email was sent to a law firm, supposedly from the ‘Managing Partner’, asking recipients to meet him at the local shop – you’d be surprised how many lawyers actually waited outside a corner shop! The reason for this technique? If an attacker notices weak layers of defence by receiving many responses from a particular firm, it signals that it is a target worth pursuing. The attacker is, then, more likely to deliver the real fraudulent email a few weeks later. If criminals find that they don’t get a bite from the initial bait email, however, they will likely move on. Another reason for this approach is that attackers tend to use the content within any bounce-backs and OOO emails to craft future impersonation attacks. Information such as the length of time a particular person is out of the office or the name of the person to contact in their absence helps an attacker build a legitimate impersonation attack, making the message seem more believable. 4. Posing as a position of authority In a number of cases, lawyers have been fooled by emails, supposedly from the High or Supreme Court, that includes a false link to a ‘new legal case’. All too often, hackers will impersonate positions of trust and authority to convince victims to fulfill their requests. The problem is that, with the continued development and ubiquitous deployment of new technologies, the way in which trust develops online has shifted. Without the typical behavioral cues available to us when we interact with someone in person, trust is more easily manipulated and the believability of a message or online persona increases. Protecting your people As you can see, with our ever growing digital footprint, cybercriminals are using a number of impersonation techniques to deceive unwitting victims into transferring finances or handing over credentials. These are just some of the recent approaches; there are many more and firms need to be able to protect their people and, consequently, their data from all of them. Solely relying on rule-based phishing solutions will certainly protect your firm from some of the weak-form phishing attacks and impersonation techniques attackers are using. Training, too, will arm staff with the knowledge they need to identify the cues that signal a potential threat. However, it’s the strong-form impersonation and social engineering attacks, that are becoming more prevalent across the legal sector, that you need to worry most about. Attackers are only becoming smarter in their approaches to evolve the threat, bypass secure legacy email gateways and craft more convincing and persuasive messages. Firms, therefore, need to find ways to help their people spot the good from the bad and think before they click, in order to protect their data and systems. Post originally appeared in Information Age.
Spear Phishing
Attackers are Using Microsoft Forms to Exfiltrate Data
22 February 2019
Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link. In an attempt to protect firms from credential pharming and malware, several email security providers including Proofpoint, Mimecast and O365 Advanced Threat Protection re-write and scan URLs within emails to verify that the URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new vulnerability involving the use of Microsoft Forms is being exploited by attackers. How are they exploiting Microsoft Forms? Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018. Here’s how they work You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect. Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection from Secure Email Gateways and ATP. Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data input into the form is automatically sent to attackers, bypassing security defenses.
Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks. As attackers become more sophisticated they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their vulnerability to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise. We have reported this attack to Microsoft and have recommended that unique client IDs are used in the Forms URLs to allow enterprises to build custom policies to warn users when the client IDs do not match. We will update you when we hear from Microsoft.