Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
- Industry: Legal
- Size: 5,000 employees
- Platform: O365
The firm being targeted by the attacker operates globally, but the senior partner they were impersonating was based in Australia. All employees targeted in the attack – including their contact details – are featured on the firm’s website.
Eleven partners were targeted by the attacker. All of them were also based in Australia, indicating the attacker spent time considering who to target based on what they were able to learn from reconnaissance activities against the individual they wanted to impersonate. It is likely they chose targets they assumed would be in regular contact with the senior partner at the firm.
The attacker had registered an email address with Gmail containing the word “partner” at the beginning followed by a series of numbers. They also changed the display name associated with the address to match the name of a senior partner at the firm they were targeting.
In the email sent, the attacker asked questions about the targeted recipient’s availability, implying that part of the intention was to establish a dialog for social engineering. From the email headers, it also appears that the email was sent from a mobile device.
There were no links or attachments included in any of the emails. It is likely the attacker was hoping to receive a response from any of the 11 targeted partners, with the intention of building a rapport and then socially engineering them into carrying out actions on the attacker’s behalf; for example, giving up sensitive information or unwittingly compromising the firm’s network infrastructure by further directing them to a malicious link or attachment.
Threat Detected and Prevented
At the time the emails were sent, Tessian Defender was being trialed at the firm across a subset of users. Two of the users who received the email had Defender installed. For both users, Defender flagged the email as a possible impersonation of someone else at the firm based on the display name, and warned them there was something suspicious about it.
Both users who received the notification from Defender marked the email as malicious, which subsequently alerted the security team.
This attack was not particularly sophisticated but could have easily gone unnoticed by busy employees – especially if viewed on a mobile phone, where sender addresses are often not visible. More importantly, this rudimentary attack was not detected by the firm’s Secure Email Gateway.
Tessian Threat Intelligence in the portal drew the security team’s attention to the suspicious indicators:
- “first time sender” – the recipients had never been emailed by this sender before
- Keywords like “are you available” were highlighted; which coming from a first time sender signals risk
After the security team investigated the threat, they notified the other targeted users in the firm and the incident was resolved without any damage being done.