Attackers are playing the long game. Their newest phishing adaption is a product of monthslong intelligence gathering and social engineering -- and it's already being put into action.
Dubbed evasive spear phishing, this new category of email security threat was discovered by investigating more than 25 million email attachments. Detailed in a collaborative report between security companies Forcepoint and Glasswall Solutions Ltd., the evasive spear phisher's commitment to investigating targets and near impeccable avoidance of detection by humans and security mechanisms alike alarmed researchers.
"We use the term evasive because it's evaded everything else," said Lewis Henderson, vice president of threat intelligence at Glasswall and author of the report.
Spear phishing vs. evasive spear phishing attacks
Like typical spear phishing campaigns, the evasive variety identified by researchers is highly targeted and personalized to the recipient. Communications include information about the target gleaned through social engineering to create an illusion of authenticity, increasing the chances of response. The email messages are equipped with attachments or links that install malware or direct the user to malicious websites designed to collect sensitive information such as passwords.
However, where traditional spear phishing ends, evasive spear phishing takes things a step further. The standard definition of spear phishing, according to the bulletin, "falls short of describing totally unique events, one among millions of daily events that occur across the IT infrastructure."
Evasive attacks differ from traditional spear phishing in the attacker's time- and resource-intensive techniques. Adversaries "typically spend months and months researching and gathering intelligence to make sure their attack is going to be as under the radar as possible," Henderson said. And by under the radar, he means by users and security technology.
"The evasive spear phishing attack is carried out by a single-use email address that malicious actor uses," Henderson said. "They are very quick to create and quick to dispose of. A completely unique file is sent to one recipient."
In his research, Henderson observed attacks that went so far as to appear to be originating from customers' supply chains or third parties. "The attackers were in their supply chain partner's system just watching various transactions happen over email," he said. This access provided plenty of material to help attackers create customized emails that would present as convincing to even the biggest security skeptic.
These highly sophisticated communications are threatening, but rare. According to the report, evasive spear phishing attacks "present one of the highest business risks in terms of financial and reputational impact, yet represents the lowest occurring threat in terms of volume that an organization needs to defend against."
Email attachment characteristics
Henderson described the nature of evasive spear phishers as "habitual," evidenced by a pattern in the file types used in the evasive spear phishing attacks: older-generation Office documents and PDFs.
Lewis HendersonVice president of threat intelligence, Glasswall
"We continuously see file formats that were designed for Windows XP being used in contemporary cybersecurity attacks. We see it again and again, and we also see that across our customers," Henderson said. This distinction is important, he added. Researchers did not see many newer Word file attachments because they are "pretty secure and also quite hard to turn into something malicious."
Henderson suggested precaution in the form of policies against old email attachment file types. "If I were to get on my soapbox I'd ask: 'Why are we still letting these old files types into the organization?' They are effectively IT dinosaurs," he said.
However, Henderson doesn't expect attackers to stop at email communications, especially with the ubiquity of email being rivaled by the growing popularity of cloud communication and collaboration platforms like Slack, Skype and Google Hangouts. Henderson warned of such potential risks in the future: "We can definitely see evasive spear phishing applied across other vendors or avenues -- which might include instant messaging and any other means of communication."
Attacks evade security technology
No available email security technology on the market can successfully detect evasive spear phishing attacks, Henderson said, thus the impetus for the "evasive" descriptor.
Technologies that predict known-bad behavior are not catching the highly sophisticated, socially engineered messages, and most traditional legacy detection methods are fruitless.
"Fileless malware looks like a completely legitimate email attachment," Henderson said. "It looks like there's nothing actually malicious when it gets to the victim." This is a case where neither the end user nor security infrastructure is able to identify email messages as what they were: threats.
"From an attacker's perspective, it's extremely effective. From a defender's perspective, it's extremely challenging," Henderson said.
Glasswall is able to observe the ineffectiveness of current email security technology because of where it sits in the security stack, Henderson said. From this vantage point, the company was able to catch things other email security software and protections had not. "Glasswall is positioned as the last line of defense -- the email gateway in a series of technology that customers use to combat their malware threats," he said.
So if technology is not able to prevent these attacks, what will?
Prevention requires awareness
CISOs will be happy to know that in the case of evasive spear phishing, security awareness and education work -- to a point. "Organizations that had training that was a bit beyond just standard phishing training were more successfully combatting those attacks," Henderson said.
In order to combat suspicious communications containing Word or PDF attachments or malicious links, CISOs need to make employees aware of the red flags. Even in workplaces where the security culture is emphasized and security awareness training is up-to-date, it would be easy for employees to make mistakes when they receive such a highly personalized and relevant evasive spear phishing email disguised as routine communication.
Glasswall found that of the evasive phishing emails it scanned in its research, most were never flagged by users. "They're so convincing, so well engineered and so targeted that the users were less often reporting these one-off events as suspicious," Henderson said.
There are a number of best practices individuals can take to raise their awareness of socially engineered attacks, Henderson advised, and it starts with social media. He pointed to the availability of personal and work-related information people post publicly online. The average LinkedIn profiles contain a menu of ingredients for a social engineering attack disguised as a work communication -- for example, lists of work skills and projects on a LinkedIn website, job title, office location, work email address and connections with coworkers can be accessed and mined by attackers. Hackers can take this information, easily make up a throwaway email address account and attempt to make a one-time communication with that person from the account.