This blog was written by Stav Setty and Tom Fakterman.

Credential phishing is one of the most popular threats that businesses and individuals face in today's cybersecurity landscape. In recent years credential phishing campaigns have kept evolving in an attempt to appear as legitimate as possible. Threat actors mimic credible platforms and services to get unsuspecting users to enter their credentials and other sensitive information. Once credentials are stolen, threat actors may sell them in underground markets or use them to conduct further malicious operations, sometimes months after the credentials were first obtained.

One approach threat actors use to further raise the apparent legitimacy of the phishing is a vendor email compromise (VEC) attack. In this type of attack a threat actor first gains access to a vendor's business email account and then uses that account to spread malicious emails to the vendor's customers, abusing the trust that customers often grant a well-known vendor.

In this blog, we explore how attackers use these techniques to launch a phishing campaign with high damage potential for both the vendor and its customers.

In March 2023, Cortex researchers identified a phishing campaign that used phishing sites mimicking a legitimate secure login page. During this campaign, the attackers used vendor email compromise (VEC) to spread the phishing sites and to appear as legitimate as possible.

Vendor email compromise is a type of phishing attack in which an attacker gains access to a vendor's business service account and afterwards uses that account to spread malicious emails to the vendor's customers.

In one example analyzed in this campaign, Cortex researchers identified attackers compromising a vendor service email account of a company in the financial services industry. The compromised email account was also used as a contact address for customers, so it potentially received many emails containing sensitive information from clients' inquiries.

The analysis revealed that the attackers logged in to the compromised email account from Nigeria. Although it is possible that the attackers used a VPN, there have been multiple previous reports of business email compromise (BEC) groups operating from Nigeria.

The Cortex Identity Threat Detection and Response (ITDR) module features alert layouts that expose profile data and historical trends. In the following example, the module detected a single sign-on operation from Nigeria, which is uncommon for this particular organization.

Figure 11. Cortex ITDR alert layout showing the sign-on operation from Nigeria, with profile data and historical trends for the account.

As enterprises move towards cloud-based services, these types of attacks become all the more popular. VEC attacks are a popular method threat actors use to gather intelligence and trick users in order to run a successful phishing campaign. It is important for organizations to be aware of and understand how these attacks work, in addition to implementing protections that prevent these kinds of emails from reaching users.

Palo Alto Networks customers receive full protection from this attack through the new AI-driven Cortex Identity Threat Detection and Response (ITDR) module in XDR and XSIAM. The ITDR module provides advanced detection capabilities that enable organizations to quickly respond to identity-related threats.

Cortex ITDR and Identity Analytics Alerts

| Alert Name | MITRE ATT&CK Technique | Source |
| --- | --- | --- |
| User moved Exchange sent messages to deleted items | Hide Artifacts: Email Hiding Rules (T1564.008) | XDR Analytics BIOC, Identity Threat Module (ITDR) |
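As an added example (not code from the original post or from Cortex), the two signals the post describes, a sign-in country that is uncommon for the organization and sent messages being moved to Deleted Items (the T1564.008 alert in the table), written as detection logic over constructed sign-in and mailbox-audit records. The record field names, the `\Sent Items` folder string, the lookback window and the item threshold are all assumptions, not the Cortex or Microsoft audit schema.

```python
# Added example, not code from the original post or from Cortex: the two
# signals the post describes (a sign-in country that is uncommon for the
# organization, and sent messages being moved to Deleted Items) written as
# detection logic over constructed records. Field names, the folder string
# and the thresholds are assumptions, not a Cortex or Microsoft schema.
from datetime import datetime, timedelta

# Constructed sign-in records for one tenant (hypothetical field names).
SIGNINS = [
    {"ts": "2023-02-01T08:05:00", "user": "sales@vendor.example", "country": "US", "success": True},
    {"ts": "2023-02-03T09:20:00", "user": "sales@vendor.example", "country": "US", "success": True},
    {"ts": "2023-02-10T10:00:00", "user": "ops@vendor.example",   "country": "GB", "success": True},
    {"ts": "2023-02-20T07:45:00", "user": "sales@vendor.example", "country": "US", "success": True},
    {"ts": "2023-02-25T11:30:00", "user": "ops@vendor.example",   "country": "NG", "success": False},
    {"ts": "2023-03-01T03:12:00", "user": "sales@vendor.example", "country": "NG", "success": True},
    {"ts": "2023-03-01T03:40:00", "user": "sales@vendor.example", "country": "NG", "success": True},
]

# Constructed mailbox-audit records, loosely modelled on Exchange Online
# unified-audit-log fields (Operation, Folder.Path, AffectedItems); hypothetical.
MAILBOX_AUDIT = [
    {"ts": "2023-03-01T03:50:00", "user": "sales@vendor.example", "operation": "SendAs",
     "folder": None, "items": 1},
    {"ts": "2023-03-01T03:55:00", "user": "sales@vendor.example", "operation": "MoveToDeletedItems",
     "folder": "\\Sent Items", "items": 37},
    {"ts": "2023-03-01T09:10:00", "user": "ops@vendor.example", "operation": "MoveToDeletedItems",
     "folder": "\\Inbox", "items": 2},
    {"ts": "2023-03-01T09:15:00", "user": "ops@vendor.example", "operation": "MoveToDeletedItems",
     "folder": "\\Sent Items", "items": 1},
]


def _t(s):
    return datetime.fromisoformat(s)


def rare_country_signins(events, lookback_days=30, min_history=3):
    """Successful sign-ins from a country with no prior successful sign-in
    anywhere in the tenant during the lookback window. The baseline is
    organisation-wide, matching the post's "uncommon for this particular
    organization"; min_history stops a tenant with almost no history from
    alerting on every new country it sees."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for ev in ordered:
        if not ev["success"]:
            continue
        t = _t(ev["ts"])
        prior = [e for e in ordered if e["success"]
                 and t - timedelta(days=lookback_days) <= _t(e["ts"]) < t]
        if len(prior) < min_history:
            continue
        if ev["country"] not in {e["country"] for e in prior}:
            alerts.append((ev["user"], ev["country"], ev["ts"]))
    # A second sign-in from the same new country is already in the baseline,
    # so each new country alerts once per window rather than on every login.
    return alerts


def sent_items_deleted(records, min_items=5):
    """T1564.008-style hiding: a batch of messages moved out of Sent Items
    into Deleted Items, which removes the attacker's outbound phishing mail
    from the mailbox owner's view. Single-item deletes are normal hygiene and
    stay below the threshold."""
    return [(r["user"], r["items"], r["ts"]) for r in records
            if r["operation"] == "MoveToDeletedItems"
            and (r["folder"] or "").lower().endswith("sent items")
            and r["items"] >= min_items]


def correlate(signin_alerts, hiding_alerts, window_hours=24):
    """Raise confidence when the same account shows both signals, with the
    hiding activity happening within window_hours after the unusual sign-in."""
    hits = []
    for user, country, ts in signin_alerts:
        for h_user, n_items, h_ts in hiding_alerts:
            delta = (_t(h_ts) - _t(ts)).total_seconds()
            if h_user == user and 0 <= delta <= window_hours * 3600:
                hits.append((user, country, n_items))
    return hits


if __name__ == "__main__":
    signin = rare_country_signins(SIGNINS)
    hiding = sent_items_deleted(MAILBOX_AUDIT)
    print("unusual sign-ins:", signin)
    print("sent-items hiding:", hiding)
    print("correlated compromise candidates:", correlate(signin, hiding))
```

With the constructed data, sales@vendor.example fires both detections and correlate() returns it. The GB sign-in on 2023-02-10 is not flagged because fewer than min_history successful sign-ins precede it, and the single sent message that ops@vendor.example deleted stays under min_items. The failed NG attempt on 2023-02-25 is ignored by this logic; in practice a failed attempt from a country that later succeeds is itself worth surfacing alongside the alert.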