Imposter email attacks: Overcoming ‘needle-in-a-haystack’ threats

Proofpoint fraud expert Rob Holmes looks at how threat actors are exploiting agency supply chains to launch imposter email attacks and compromise agency networks.

Rob Holmes is vice president of products at Proofpoint. He has over 15 years’ experience in brand and fraud protection, and currently drives strategy for email fraud defense.

Email-based attacks represent a serious needle-in-a-haystack threat for organizations. To paint a picture of how serious, consider that in a typical seven-day period in mid-February 2021, Proofpoint found that 98% of 3,000 monitored organizations received a threat from a supplier domain.


Imposter email threats and business email compromise (BEC) — where cyber criminals pose as someone the recipient should trust — can increasingly evade traditional security solutions that look for malicious content or behavior because those emails don’t use malicious attachments or URLs. Instead, they use social engineering to trick individuals into transferring money or sharing valuable access information unwittingly with hackers.

The scope of these attacks, however, represents a growing risk for government organizations. While imposter emails and BEC used to primarily hijack the identities of executives and organizations’ leaders, threat actors are shifting their focus to a more potentially lucrative opportunity — impersonating or compromising an organization’s suppliers.

Within most organizations there are only a relative handful of senior executives who have significant budgetary discretion, but a federal government agency may have thousands of suppliers to which significant payments are already being made. The size and nature of the supply chain attack surface therefore make it the perfect vehicle for email fraud: by hijacking any one of those suppliers’ trusted identities, a threat actor may be able to socially engineer someone in an accounts payable team to update the supplier’s banking details and redirect payments. 

To launch an imposter email or BEC attack, threat actors employ a range of tactics, the most valuable of which is a compromised account at a supplier. Not only does the compromise afford the threat actor unrestricted access to conduct research and construct an appropriate lure or insert themselves opportunistically into email conversations, but also any emails sent from that compromised account will pass all forms of email authentication. 

However, to maintain persistence and avoid detection, threat actors will often then redirect the conversation to a lookalike email account that they own and control. That may be at a lookalike domain or webmail account they had previously registered. Furthermore, most suppliers’ domains are still vulnerable to spoofing, which enables threat actors to abuse the trust and reputation of a supplier to deliver a highly credible lure.

Combatting these tactics requires a different cybersecurity approach that dynamically analyzes the attributes of an email as it arrives and detects anomalies that point to an imposter.

Establishing a multi-layered security defense

Establishing trust in identity is crucial to detecting cyberthreats, which is why the recent White House Executive Order on zero trust explicitly requires that all agencies deploy multi-factor authentication within the year. 

But to effectively combat email-based attacks like imposter emails, agencies need to establish a multi-layered defense against infiltration that includes requiring stronger identity controls of their suppliers as well.

For example, federal directives already require civilian agencies to configure their domains with Domain-based Message Authentication, Reporting and Conformance (DMARC) records. DMARC provides a highly effective way to protect organizations against phishing and other fraudulent activity that spoofs domains that should otherwise be trusted.

For email sent to an agency’s suppliers, modern DMARC solutions ensure that legitimate email is properly authenticated and that fraudulent activity, such as mail appearing to come from domains under an agency’s control, is blocked before it reaches the supplier.

Proofpoint’s DMARC solution allows agencies to take this security capability a step further. Once an agency has established with certainty that it can account for all its legitimate suppliers, the solution lets it set a policy for incoming email from those suppliers, blocking any message that does not come from an approved IP address or bear the right cryptographic signature.
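The checks described in the preceding paragraphs (a sender at a lookalike of a trusted supplier domain, a Reply-To that redirects the thread to an account the attacker controls, and mail claiming to be from an approved supplier that fails DMARC or arrives from an unexpected IP) can be expressed as a small header-analysis routine. The following Python is an added illustration written for this page, not Proofpoint's product logic; the supplier allow-list, IP addresses and the four sample messages are constructed, and the lookalike heuristic (character folding plus an edit distance of two or less) is a simplification of what a production system would do.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list: supplier domains the agency has accounted for and the
# sending IPs it expects each one to use (hypothetical values, not real infrastructure).
APPROVED_SUPPLIERS = {"acme-supply.example": {"203.0.113.10"}}


def _normalize(domain):
    # Fold common visual substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w) before comparing.
    folded = domain.lower().translate(str.maketrans("0135", "oles"))
    return folded.replace("rn", "m").replace("vv", "w")


def _edit_distance(a, b):
    # Plain Levenshtein distance; two edits or fewer counts as a near miss.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the approved supplier domain that `domain` imitates, or None."""
    if not domain or domain in APPROVED_SUPPLIERS:
        return None
    for approved in APPROVED_SUPPLIERS:
        if _normalize(domain) == _normalize(approved) or _edit_distance(domain, approved) <= 2:
            return approved
    return None


def _domain(header_value):
    # Domain part of the first address in a From/Reply-To header ("" if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    """Return a list of imposter indicators found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    # Authentication-Results (RFC 8601) as stamped by the receiving gateway.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    # Connecting IP from the topmost Received header, e.g. "from host ([203.0.113.10])".
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    source_ip = ip_match.group(1) if ip_match else None

    # 1. Header From at a registered lookalike: authenticates fine for *that* domain,
    #    so only comparison against the supplier allow-list catches it.
    if (target := lookalike_of(from_domain)):
        findings.append(f"From domain {from_domain} is a lookalike of approved supplier {target}")
    # 2. Compromised-account pattern: the thread is steered to a different domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} redirects the thread away from {from_domain}")
        if (target := lookalike_of(reply_domain)):
            findings.append(f"Reply-To domain {reply_domain} is a lookalike of approved supplier {target}")
    # 3. Mail claiming an approved supplier must pass DMARC and come from its known IPs.
    if from_domain in APPROVED_SUPPLIERS:
        if auth.get("dmarc") != "pass":
            findings.append(f"mail from {from_domain} did not pass DMARC (result: {auth.get('dmarc', 'none')})")
        if source_ip not in APPROVED_SUPPLIERS[from_domain]:
            findings.append(f"mail from {from_domain} arrived from unexpected IP {source_ip}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = b"""Received: from mail.acme-supply.example ([203.0.113.10]) by mx.agency.example
Authentication-Results: mx.agency.example; spf=pass dkim=pass dmarc=pass header.from=acme-supply.example
From: Accounts <ap@acme-supply.example>
To: payables@agency.example
Subject: Invoice 4471

Please find the invoice attached.
"""
LOOKALIKE = b"""Received: from mail.acrne-supply.example ([198.51.100.7]) by mx.agency.example
Authentication-Results: mx.agency.example; spf=pass dkim=pass dmarc=pass header.from=acrne-supply.example
From: Accounts <ap@acrne-supply.example>
To: payables@agency.example
Subject: Updated banking details

Our remittance account has changed, please see below.
"""
REDIRECT = b"""Received: from mail.acme-supply.example ([203.0.113.10]) by mx.agency.example
Authentication-Results: mx.agency.example; spf=pass dkim=pass dmarc=pass header.from=acme-supply.example
From: Accounts <ap@acme-supply.example>
Reply-To: Accounts <ap@acme-supp1y.example>
To: payables@agency.example
Subject: Re: Invoice 4471

Please reply to this address going forward.
"""
SPOOF = b"""Received: from unknown ([198.51.100.7]) by mx.agency.example
Authentication-Results: mx.agency.example; spf=fail dkim=none dmarc=fail header.from=acme-supply.example
From: Accounts <ap@acme-supply.example>
To: payables@agency.example
Subject: Urgent payment

Please process today.
"""

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("redirect", REDIRECT), ("spoof", SPOOF)]:
        print(name, analyze(sample) or "no indicators")
```

The lookalike message passes SPF, DKIM and DMARC because the attacker authenticates their own registered domain, which is why the allow-list comparison is the check that matters there; the redirect message also authenticates cleanly, and only the Reply-To mismatch exposes it.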

In addition to modern MFA and DMARC solutions, agencies also need to rely on intermediaries between users and cloud service providers. Cloud access security brokers (CASB), for instance, identify anomalous behavior on sanctioned cloud applications and intercept suspicious activity.

Tapping into a larger network to improve visibility

According to Proofpoint’s security data, current attack patterns indicate that threat actors are increasingly using a combination of phishing strategies and credential dumps from prior attacks to breach agency networks and their suppliers. If agencies and their suppliers only focus on their own IT environments, they may not see any immediate threats that are growing within their supply chain.

That is why we recommend using an integrated security platform that offers a number of capabilities to combat cyberthreats. 

At Proofpoint, we bring to bear the power of working with a global network of customers, assessing more than 2.2 billion emails per day and more than 35 million cloud accounts to identify and block advanced threats and look for compliance risks. We see how organizations are getting attacked and which countermeasures are proving most effective.

Even if your agency’s security team doesn’t directly identify threats coming from a compromised supplier, with our 8,000 enterprise and federal gateways in place, we can tell our customers if other companies in their federal space have been targeted. 

That gives agencies a better chance to extend the visibility of their cyber risk to get ahead of, or predict, future threats. 

Learn more about how Proofpoint can help protect federal agencies, and their people, against malicious attackers. 
