When Phishing Starts from the Inside

A growing concern of security professionals is internal phishing attacks – phishing emails sent from one trusted user to another of the same organization. Internal phishing emails are used in multi-stage attacks in which an email account is owned either by controlling the users device with previously installed malware or by compromising the account credentials of the user. Internal phishing emails are used in both targeted attacks, where the aim is to steal information or commit extortion, and common with Business Email Compromise (BEC) schemes designed to steal money. Because the sender is an internal and trusted user, the recipient is more likely to take action on the email.

Example: Eye Pyramid Targeted Attack Campaign

The Eye Pyramid attackers ran a successful information stealing campaign for years before being brought to court earlier this year. Their favorite technique was to leapfrog from one user to the next user using phishing emails with a malicious attachment. The attachment contained malware which harvested and exfiltrated information, including email addresses which were used for the next targets. Their methods, which compromised more than 100 email domains and 18,000 email accounts, had the markings of a state-sponsored attack but surprisingly was carried out by an Italian nuclear engineer and his sister who sought to profit from the information.


Eye Pyramid Attack Method  


Example: Internal Office 365 Credential Phishing

The popularity of Microsoft Office 365 has made it an attractive target for attack campaigns. We’ve seen many examples of attackers attempting to phish users’ Office 365 credentials. Once one users’ account is compromised the attackers can then initiate a Business Email Compromise attack as in the sample emails below from a wire transfer scam.

Example of an Office 365 credential phishing attack which led to a BEC wire transfer scam from a compromised account. 


Example: Financial Times Destructive Attack

An example of a potentially destructive attack occurred at the Financial Times a few years ago. The attacker (later learned to be the Syrian Electronic Army) used a compromised email account to send internal phishing emails to steal additional account credentials. When IT learned of the internal phishing attacks, they sent a warning email out to all users with a link to change their passwords. The problem was, the attacker saw IT’s email as well and resent it but changed the link to their own phishing website. Ultimately the attackers had access to all the systems they needed, but decided the Financial Times was a “lesser of evils” and continued their attack on other media companies.

Methods to Stop Internal Phishing Attacks

A first step in reducing internal phishing attacks is to implement multi factor authentication (MFA) to reduce the risk of an attacker gaining control of stolen account credentials. But even with MFA enabled, internal phishing attacks can occur if a user’s device is compromised with malware. What many people don’t realize is that email gateway security solutions, which scan inbound and outbound SMTP email traffic, don’t see internal email. To scan internal email, you can use either a journaling based solution or solution which integrates with your mail service or mail server. The best solutions can look for all types of email threats by scanning email content, attachments, and URLs.

Journaling Based Solutions

The first method is to use the journaling function of your email systems to send a copy of each internal email sent to a security service for offline analysis. This method is good for detecting attacks but it doesn’t stop attacks. Some journaling-based security services can use Exchange tools to delete an email after analysis. However, during the analysis, which could be 5 minutes if sandboxing is needed, the user still has access to the email and attachments. And if the attachment was ransomware, like Teslacript which encrypts 10,000 files in 40 seconds, the analysis might be too late.

Service Integrated Solutions

Service Integrated solutions solve the issue of user access during analysis by integrating directly with the mail system using an API. The API alerts the security solution an email has arrived and can hide the email from users until the analysis is completed. On-premise service integrations are available as software for Microsoft Exchange and IBM Domino servers. API-based solutions are also available for cloud email systems, like Microsoft Office 365, if the provider makes API’s available to security solutions. 

Trend Micro solutions

Trend Micro has protected against internal email threats since 1997 and we continue to offer new technology enhancements. We scan for malware, malicious URLS, and our newest XGen® anti-BEC technology can also look for internal fraud emails. ScanMail is available to protect on-premise Microsoft Exchange and IBM Domino email servers. Office 365 is protected by our API-based solution, Cloud App Security, which has detected 6 million high-risk threats during the past 2 years that slipped by the native Office 365 security. Cloud App Security is available by itself or together with pre-delivery gateway protection in Smart Protection for Office 365.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.