Two of the most popular ways threat actors send malicious emails is through the use of spoofing and impersonation tactics. While spoofed emails are sent on behalf of a trusted domain and obscure the true source of the sender, impersonation emails come from a fake domain, but one that may be visually confused for an authentic one. In order to identify impersonation tactics in a suspicious email, we should first ask why an attacker might utilize an impersonation approach over spoofing.

In contrast to domain spoofing, which lacks validation and can be readily detected by email security gateway softwares, impersonation with a lookalike domain allows attackers to send emails with full SPF and DKIM validation, making them appear legitimate to many security gateways. This blog will explore impersonation tactics and how Darktrace/Email protects against them. 

There are two distinct ways to leverage impersonation tactics: 

1.     Impersonating the domain 

2.     Impersonating a real user from that domain  

Domain impersonation is often implemented with the use of ‘confusable characters’. This involves misspelling through the use of character substitutions which make the domain look as visually similar to the original as possible (eg. m rn, o 0, l  I). Threat actors can then also impersonate a real user by adding the the personal field of that user’s email to the new, malicious domain. Comparing impersonation emails with legitimate emails highlights how similar these malicious email addresses are to the real thing (Figure 1).

‍

‍

Darktrace/Email uses AI which analyses impersonation emails by comparing the ‘From’ header domains of emails against known external domains and generates a percentage score for how likely the domain is to be an imitation of the known domain (Figure 3).  

‍
Impersonation emails are also detected via spoof score metrics such as Domain External Spoof Score and Domain Internal Spoof Score (Figure 4). 

‍
Double Impersonation emails such as the one highlighted in Figure 2 are utilized by threat actors to gain the trust of the recipient and convince them to access malicious payloads such as phishing links and attachments. For example, the malicious double impersonation email from Figure 2 contained a suspicious hidden link to a Wordpress site which could have redirected the user to a phishing endpoint and tricked them into divulging sensitive information (Figure 5). The endpoint itself appears to lead unsuspecting recipients to a false share link posing as a payment-themed Excel file.

‍

‍

Various indicators highlighted the webpage as suspicious and potentially malicious. Firstly, the use of ‘SmarterCORNmerce’ in the link to the webpage was at odds with the use of SmarterCOMMERCE throughout the page itself. The link also showed the invoice statement to be an Microsoft Excel file, despite the email suggesting it was a PDF document. Further investigation revealed the link to be associated with a Fleek hosting service and CDN (Figure 7), and that it redirected users to a fake Microsoft page. 

‍

As well as the domain spoof score metrics highlighted in Figure 4, Darktrace/Email analyses the suspicious payloads embedded in emails and generates scores to indicate the likelihood that a payload may be a phishing attempt.

‍

As the DETECT functionality of Darktrace/Email generates high scores metrics such as Domain External Spoof Score and Phishing Inducement, the RESPOND function will fire complementary models which then trigger relevant actions on the various payloads embedded in these emails and even the delivery of the emails themselves. As the impersonation email highlighted in Figure 2 impersonated not only the trusted domain but the known and trusted sender, Darktrace AI triggers the Double Impersonation model. Additional spoofing models such as ‘Basic Known Entity Similarities + Suspicious Content’ and ‘External Domain Similarities + Maximum Similarity’ were also triggered, indicating the high possibility that the suspicious email is a domain and user impersonation email sent by a malicious attacker.

‍
When Darktrace/Email detects a malicious double impersonation email, it responds by triggering a Hold action, preventing the email from appearing in the recipient’s inbox. Darktrace/Email’s RESPOND functionality could also take action against the suspicious link payloads embedded in the email with a Double Lock Link action. This will prevent users from attempting to click on malicious phishing links. Such actions highlight how Darktrace/Email excels in using AI to detect and take action against potentially malicious impersonation emails that may be prevalent in any user’s inbox. 

Though impersonation is becoming increasingly targeted and efficient, Darktrace/Email has both detection and response capabilities that can ensure customers have secure coverage for their email environments.

Thanks to Ben Atkins for his contributions to this blog.