
The threat actor behind the SolarWinds attack, the Russia-based group Microsoft tracks as Nobelium, has carried out another successful vendor email compromise, this time abusing the email marketing account of the United States Agency for International Development (USAID).

According to the Microsoft Threat Intelligence Center (MSTIC), Nobelium compromised USAID’s Constant Contact account and used it to send phishing emails whose links led recipients to a malicious download.

Zero-day phishing attacks

The incident highlights how so-called zero-day phishing attacks, never-seen-before campaigns sent from a compromised vendor account (here USAID’s), get past traditional email defences that rely on threat intelligence. They exploit the trusted communication channel between a vendor and its customers, combining personalisation with social engineering.

To stop these attacks, a defence-in-depth approach is needed, one that combines Microsoft’s threat-intelligence-based protection against spam, greymail and known malware with Abnormal Security’s behavioural data science approach, which protects against never-seen-before, socially-engineered attacks.

SolarWinds and the Colonial Pipeline attacks

The attack is the third high-profile compromise in recent months to turn on trusted access rather than a novel software exploit, after SolarWinds, where Nobelium used access to the vendor’s build environment to distribute a trojanised update, and Colonial Pipeline, which began with a single compromised VPN account credential.

Microsoft describes how Microsoft Defender caught the USAID campaign, but acknowledges that some detection systems may have ‘successfully delivered’ emails, because of configuration and policy settings or because those emails arrived before detections were in place.

USAID attack

This wide-scale email campaign leveraged a legitimate service, Constant Contact, to send malicious links that were hidden behind the mailing service’s own URLs. (Many email and document services wrap links in a tracking redirect so the sender can see who clicked and when; the recipient sees only the service’s domain.)

Because of the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some systems may have delivered some of the earlier emails to recipients, either because of configuration and policy settings or because the emails arrived before detections were in place.

High reliance on threat intelligence and IOCs

The successful delivery of these phishing emails highlights an over-reliance on threat intelligence and Indicators of Compromise (IOCs): someone has to observe and analyse an incident before its indicators can be distributed and blocked, so the first wave of a campaign always gets through an IOC-only defence.

A never-seen-before attack such as the USAID incident therefore lacks traditional IOCs, as there is no prior context to analyse. The sender, an authenticated but compromised Constant Contact marketing automation account, did not trigger authentication alarms: the mail left Constant Contact’s own infrastructure, so SPF, DKIM and DMARC checks passed exactly as they do for the vendor’s legitimate newsletters. And the payload, a malicious URL, first pointed at the legitimate Constant Contact service and only then redirected to Nobelium-controlled infrastructure, from which a malicious file was delivered to the victim’s system.

Behavioural data science approach

In the case of this attack, Abnormal Security states that it would have automatically detected the threat based on abnormal behavioural patterns and remediated it. Its behavioural data science approach profiles and baselines normal behaviour for each sender and recipient, so that departures from that baseline can be detected even when no indicator for the specific campaign exists.

An increasing number of advanced malware and phishing attacks hide their malicious content behind links that lead to unknown websites. To detect these attacks and their intent, Abnormal Security crawls such links, like the one in the USAID campaign, following the redirect chain to analyse the landing page or the file it serves.
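The following script is an added illustration of the three ideas above (a tracking link that resolves to attacker infrastructure, why an IOC lookup finds nothing on the first wave, and how a per-sender behavioural baseline still flags the message). It is not Abnormal Security’s or Microsoft’s code. The redirect table, sender addresses and domains (track.example-mailer.net, vendor.example, cdn.example-attacker.net) are all constructed for the example; a real crawler would fetch each URL and follow HTTP 3xx responses instead of consulting a dictionary.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Message:
    """Minimal view of an email: the authenticated sender and the URLs in its body."""
    sender: str
    subject: str
    links: list


# Constructed redirect table standing in for a live link crawl (hypothetical domains).
# Tracking URLs in the mailing service's domain map to the URL they redirect to.
REDIRECTS = {
    "https://track.example-mailer.net/r/1001": "https://www.example.org/newsletter/may",
    "https://track.example-mailer.net/r/1002": "https://www.example.org/reports/q1",
    "https://track.example-mailer.net/r/1003": "https://www.example.org/events",
    # the campaign link: bounces through attacker infrastructure to a file download
    "https://track.example-mailer.net/r/1004": "https://cdn.example-attacker.net/go",
    "https://cdn.example-attacker.net/go": "https://cdn.example-attacker.net/Report.iso",
}

DOWNLOAD_SUFFIXES = (".iso", ".zip", ".exe", ".lnk", ".img")


def resolve(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect chain from a tracking URL; returns every hop, first to last."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop: stop rather than spin
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def build_baseline(history, redirects=REDIRECTS):
    """Profile a sender from past mail: the final-destination hosts it normally links
    to and the longest redirect chain seen in its legitimate mailings."""
    hosts, hops = Counter(), Counter()
    for msg in history:
        for link in msg.links:
            chain = resolve(link, redirects)
            hosts[urlparse(chain[-1]).hostname] += 1
            hops[len(chain)] += 1
    return {"hosts": hosts, "max_hops": max(hops) if hops else 1}


def ioc_matches(msg, iocs, redirects=REDIRECTS):
    """Traditional check: does any hop of any link appear on a known-bad list?"""
    hits = []
    for link in msg.links:
        for hop in resolve(link, redirects):
            if hop in iocs or urlparse(hop).hostname in iocs:
                hits.append(hop)
    return hits


def behavioural_findings(msg, baseline, redirects=REDIRECTS):
    """Flag links whose resolved destination departs from the sender's own baseline."""
    findings = []
    for link in msg.links:
        chain = resolve(link, redirects)
        final = urlparse(chain[-1])
        host, path = final.hostname, final.path.lower()
        if host not in baseline["hosts"]:
            findings.append(("unseen-destination", host))
        if len(chain) > baseline["max_hops"]:
            findings.append(("longer-redirect-chain", len(chain)))
        if path.endswith(DOWNLOAD_SUFFIXES):
            findings.append(("file-download", path.rsplit("/", 1)[-1]))
    return findings


# Constructed history: three earlier mailings from the vendor account, all of which
# land on the vendor's own site. The account is later compromised.
HISTORY = [
    Message("news@vendor.example", "May newsletter", ["https://track.example-mailer.net/r/1001"]),
    Message("news@vendor.example", "Q1 report", ["https://track.example-mailer.net/r/1002"]),
    Message("news@vendor.example", "Upcoming events", ["https://track.example-mailer.net/r/1003"]),
]

# The campaign message: same authenticated sender, same tracking domain, new destination.
CAMPAIGN = Message("news@vendor.example", "Special alert", ["https://track.example-mailer.net/r/1004"])

BASELINE = build_baseline(HISTORY)


def analyse(msg, iocs=frozenset(), baseline=BASELINE):
    """Run both checks; on day one of a campaign the IOC list is empty."""
    return {"ioc": ioc_matches(msg, iocs), "behavioural": behavioural_findings(msg, baseline)}


if __name__ == "__main__":
    print(analyse(HISTORY[0]))  # nothing flagged: known host, usual chain length
    print(analyse(CAMPAIGN))    # no IOC hit, but three behavioural findings
```

The campaign message carries no IOC hit because nothing about it has been reported yet, which is exactly the gap described above; the behavioural pass flags it anyway, because the sender has never before linked to that host, the redirect chain is one hop longer than any of its legitimate mailings, and the chain ends in a disc-image download. In production the baseline would also cover sending time, recipient population and message wording, and the crawl would fetch the final hop in a sandbox.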

Cloud native email security platform

Abnormal Security delivers this approach through a cloud-native email security platform that is deployed through a one-click API integration, and that extends and complements the threat-intelligence-based protection built into Microsoft 365 as well as existing third-party Secure Email Gateways.

API-level access to the mailbox allows Abnormal Security to cover the full spectrum of email threats, including spam and greymail as well as advanced, never-seen-before, socially-engineered attacks such as impersonation and employee or vendor account compromise.
