The red flags of email impersonation, real world examples and what to do about it.
Analysis Summary
# Tool/Technique: Email Impersonation Attacks
## Overview
Email impersonation refers to the use of a false identity when sending an email. Attackers use this technique to deceive recipients into taking actions that benefit the adversary, such as revealing credentials, initiating fraudulent transfers, or installing malware. Success relies heavily on exploiting human trust.
## Technical Details
- Type: Technique (Social Engineering/Deception)
- Platform: Email Systems (General)
- Capabilities: Deception via false sender identity, bypassing traditional email authentication mechanisms.
- First Seen: Early in the history of email-based malware and spam attacks.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
    - T1566.002 - Spearphishing Link
  - T1534 - Compromise Software Supply Chain (Implied in BEC/account takeover)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Result of successful credential phishing)
- **TA0010 - Exfiltration** (If leading to fraud/financial gain)
## Functionality
### Core Capabilities
* **Brand/Entity Impersonation:** Pretending to be a trusted brand (e.g., for fake product spam or malware distribution).
* **Internal Impersonation:** Pretending to be a known individual within the victim's organization.
* **Luring Victims:** Used to facilitate various goals including fraud, credential theft, and ransomware delivery.
### Advanced Features
* **Typosquatting/Domain Masquerading:** Subtle misspellings or the use of visually similar characters (e.g., Cyrillic or international characters) to mimic legitimate domains (e.g., `Broądcom.com` vs `Broadcom.com`).
* **Display Name Spoofing:** Using the legitimate display name of a known contact but sending from an unrelated or consumer email address.
* **Account Takeover (ATO):** Compromising an actual user account to reply to existing threads, lending credibility to fraudulent requests (a key component of sophisticated BEC).
* **Reply-To Manipulation:** In ATO scenarios, changing the "reply-to" address to the attacker's domain/account while the original compromised account sends the message.
## Indicators of Compromise
*No specific, unique indicators are provided as this summary focuses on broad techniques, but methods for identification are listed.*
- File Hashes: N/A (Technique focuses on delivery mechanism, not specific payloads)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Email headers showing sender IP addresses from unexpected geographic locations (geolocation filtering), or sender IP ranges associated with known malicious sources.
- Behavioral Indicators: Emails appearing from internal users but originating from external/unusual IPs; unusual requests for fund transfers; sudden changes in communication context following an established thread.
## Associated Threat Actors
Threat actors engaged in:
* Business Email Compromise (BEC) scams
* Financially motivated threat groups
* Ransomware operators
* Hacktivists (as seen in the backscatter example)
## Detection Methods
* **Signature-based detection:** Detection of known typosquatted domains or specific malicious links/attachments within emails.
* **Behavioral detection:** Identifying anomalous sender locations (geolocation filtering of IP headers) relative to the compromised account's usual location. Analyzing communication patterns that deviate from normal business operations.
* **Authentication Checks:** These depend on correctly published SPF, DKIM, and DMARC records. Detection mechanisms should flag emails that fail these checks or for which no authentication results are present.
## Mitigation Strategies
* **Foundational Email Authentication:** Implement and enforce **SPF, DKIM, and DMARC** to prevent exact domain spoofing.
* **Layered Defense:** Employ multiple layers of detection tools that go beyond basic authentication checks.
* **User Awareness Training:** Educate users on spotting red flags, including display name spoofing, urgent financial requests, and unexpected reply-to addresses.
* **Geolocation Filtering:** Use regex or tooling to analyze email headers and flag messages originating from unexpected countries.
* **Multi-Factor Authentication (MFA):** Crucial for preventing Account Takeover (ATO) incidents stemming from initial phishing attempts.
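The checks described under Advanced Features, Detection Methods and the geolocation step above can be combined into one header triage pass. The following is an added example, not code from the original report; the org domain, contact directory and IP-to-country table are constructed stand-ins for a real directory and GeoIP database.

```python
import re
import unicodedata
from email import message_from_string, policy

INTERNAL_DOMAIN = "broadcom.com"                          # assumption: protected org domain
KNOWN_CONTACTS = {"jane doe": "jane.doe@broadcom.com"}    # constructed: display name -> real address
IP_COUNTRY = {"203.0.113.7": "RO", "198.51.100.9": "US"}  # constructed stand-in for a GeoIP lookup
EXPECTED_COUNTRIES = {"US", "GB"}                         # assumption: where this sender normally is

def lookalike_domain(domain: str, internal: str = INTERNAL_DOMAIN) -> bool:
    # Flag non-ASCII domains and any that fold to the internal domain once
    # diacritics are stripped (e.g. "broądcom.com" -> "broadcom.com").
    folded = "".join(c for c in unicodedata.normalize("NFKD", domain.lower())
                     if not unicodedata.combining(c))
    return domain.lower() != internal and (not domain.isascii() or folded == internal)

def email_red_flags(raw: str) -> list:
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    # 1. Display name spoofing: a known contact's name on an unrelated address
    for name, real in KNOWN_CONTACTS.items():
        if name in sender.display_name.lower() and sender.addr_spec.lower() != real:
            flags.append("display-name-spoof")
    # 2. Typosquatted / homograph sender domain
    if lookalike_domain(sender.domain):
        flags.append("lookalike-domain")
    # 3. Reply-To steering replies to a domain other than the From domain
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        flags.append("reply-to-mismatch")
    # 4. SPF/DKIM/DMARC verdicts recorded by the receiving MTA
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            flags.append(f"{mech}-{result}")
    # 5. Geolocation filtering: first IPv4 address seen in the Received chain
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", rcvd)
        if m and IP_COUNTRY.get(m.group(1), "??") not in EXPECTED_COUNTRIES:
            flags.append("unexpected-origin-country")
            break
    return flags

# Constructed message showing several of the red flags at once (not a real email)
SAMPLE = """\
From: "Jane Doe (CFO)" <jane.doe.cfo@mail.example.net>
Reply-To: payments@broadcom-invoices.example
Authentication-Results: mx.broadcom.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=mail.example.net
Received: from mail.example.net (203.0.113.7) by mx.broadcom.com; Mon, 1 Jan 2024 10:00:00 +0000
"""
```

Running `email_red_flags(SAMPLE)` returns every flag except `lookalike-domain`; a mail from `broądcom.com` would add that one via `lookalike_domain`.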
## Related Tools/Techniques
* Typosquatting
* Display Name Spoofing
* Account Takeover (ATO)
* Business Email Compromise (BEC)
* Phishing
* Backscatter Attacks