Phishing attacks are one of the most serious threats to cybersecurity today. The constant evolution of techniques used by cybercriminals makes these attacks increasingly difficult to detect. The recent analysis carried out by the Varonis MDDR team illustrates this reality: every detail, from message design to trace concealment, makes the situation increasingly complex.
Initial detection of the attack
The detection of this phishing attack began with an anomaly spotted in the email account of a senior executive of a UK-based insurance company. An unusual deletion rule, entitled “a”, had been created to permanently delete all emails containing a specific keyword related to the sender’s domain. This rule was created from an IP address in the USA, a location that did not correspond to the company’s normal operations. This first sign immediately aroused the suspicions of the security teams.
Analysis revealed that the keyword targeted in the deletion rule corresponded to the domain of the phishing sender. This configuration enabled the attacker to automatically delete all e-mails sent from or to this domain, making it more difficult to detect the intrusion. The fact that this action was carried out from an IP address associated with Microsoft further complicated the investigation, making it more difficult to quickly identify the perpetrator. This type of technique underlines the extent to which attackers use sophisticated methods to cover their tracks while remaining within the bounds of apparent network activity.
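The first indicator in this case was a mailbox rule, not a malicious file: a rule with a throwaway name, keyed on a sender's domain, that permanently deletes matching mail, created from an address outside the organisation's usual locations. The script below is an added example, not tooling from the Varonis write-up or from any vendor. It reviews a small set of constructed audit records (the record layout is an assumption loosely modelled on mailbox audit events, not a real export) and reports the reasons each rule-creation event deserves a look. The expected network ranges and mailbox names are constructed values.

```python
"""Flag suspicious inbox-rule creations in constructed mailbox audit records.

Added example; the record schema below is an assumption, not a real audit
export format. Sample records and network ranges are constructed.
"""
import ipaddress

# Constructed audit records (assumed schema). The first mirrors the pattern in
# the case study: a rule named "a" that deletes anything mentioning a domain,
# created from an address outside the organisation's own ranges.
SAMPLE_AUDIT_LOG = [
    {"op": "New-InboxRule", "user": "exec@example-insurer.test",
     "client_ip": "198.51.100.23",
     "params": {"Name": "a", "DeleteMessage": True,
                "SubjectOrBodyContainsWords": ["shipping-partner.test"]}},
    {"op": "New-InboxRule", "user": "staff@example-insurer.test",
     "client_ip": "203.0.113.7",
     "params": {"Name": "Newsletters", "MoveToFolder": "Archive",
                "FromAddressContainsWords": ["news@example.test"]}},
    {"op": "Set-Mailbox", "user": "staff@example-insurer.test",
     "client_ip": "203.0.113.8", "params": {}},
]

# Assumed: the organisation's known egress ranges (constructed values).
# A cloud provider's address is "unexpected" here even if it is not malicious
# in itself; that is exactly what made attribution harder in the case study.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders commonly used to park mail where the owner will not notice it.
HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "Junk Email"}


def is_expected_ip(ip: str) -> bool:
    """True when the client address falls inside a known egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def score_rule(record: dict) -> list[str]:
    """Return the reasons a rule event looks suspicious (empty list = benign)."""
    if record["op"] not in RULE_OPERATIONS:
        return []
    p = record["params"]
    reasons = []
    name = p.get("Name", "")
    if len(name.strip()) <= 2:  # throwaway names such as "a" or "."
        reasons.append(f"rule name {name!r} is too short to be descriptive")
    deletes = bool(p.get("DeleteMessage"))
    if deletes:
        reasons.append("rule permanently deletes matching mail")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in {p['MoveToFolder']!r}")
    keywords = (p.get("SubjectOrBodyContainsWords", [])
                + p.get("FromAddressContainsWords", []))
    # A deletion rule keyed on a domain name is the signature of hiding one
    # correspondent's mail from the mailbox owner.
    if deletes and any("." in k and "@" not in k for k in keywords):
        reasons.append("deletion rule is keyed on a domain name")
    if not is_expected_ip(record["client_ip"]):
        reasons.append(f"created from unexpected address {record['client_ip']}")
    return reasons


def review_log(records: list[dict]) -> list[dict]:
    """Collect findings for every rule event that has at least one reason."""
    findings = []
    for rec in records:
        reasons = score_rule(rec)
        if reasons:
            findings.append({"user": rec["user"],
                             "client_ip": rec["client_ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_AUDIT_LOG):
        print(f["user"], f["client_ip"])
        for r in f["reasons"]:
            print("  -", r)
```

Each reason is reported separately rather than collapsed into a single score, so an analyst can see at a glance whether a hit is a short name alone (often harmless) or the full combination of deletion, domain keyword and unexpected origin seen in this case.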
The first stages of a phishing attack
A successful phishing attack relies on careful social engineering and complex technical mechanisms. In this case, cybercriminals sent a fraudulent email entitled “ML Payment #05323” to 26 employees of an insurance company. The email appeared to come from the CEO of a major international shipping company, whose email account had been compromised. This credible impersonation increased the likelihood of unsuspecting recipients opening the message.

Instead of attaching a conventional PDF file, the attackers inserted a link to a document hosted on an AWS server, giving the appearance of an official Microsoft OneDrive message. Once clicked, this link redirected to a fake Microsoft authentication page entitled “login.siffinance[.]com”. Victims who entered their credentials on this page allowed the attackers to gain immediate access to their accounts. A discreet redirect to the official Microsoft site further reinforced the illusion that nothing unusual had occurred.
The criminals went so far as to use the legitimate Render platform to host certain technical elements of their attack, enabling them to bypass standard security systems. Such use of trusted services is a key feature of modern phishing attacks, designed to evade the radar of automated detection solutions.

Advanced techniques used by attackers
The cybercriminals behind this attack have demonstrated great ingenuity by exploiting a variety of sophisticated techniques to optimize their chances of success while remaining undetected.
Here’s an overview of the methods used:
- Reliable sender address: the fraudulent email appeared to come from a familiar, credible address, reducing recipients’ suspicions.
- Use of legitimate platforms: the malicious PDF was hosted on AWS, and some parts of the attack used Render, trusted services that evade email security filters.
- Russian doll technique: a complex chain of redirects, where each link led to an apparently legitimate page, complicated detection by security systems.
The Russian doll technique: a formidable method
In the context of phishing, this method consists of chaining together several redirection stages via legitimate platforms before reaching the final phishing page. Here’s how it works:
- First layer: the phishing email contains a link that looks legitimate and leads to a recognized platform, such as Google Drive or Dropbox. These platforms are often used to host a document or file.
- Second layer: this document or file contains another link or instruction to access another site or service. For example, the document may invite the user to click on a link to view further details.
- Third layer and beyond: each subsequent redirect leads to another legitimate site or service, reinforcing the impression of security for the user.
- Final phishing page: after several steps, the user arrives at a phishing page designed to look like a trusted login or service interface.

This method is particularly effective at:
- Avoiding detection: security services find it difficult to identify phishing if each stage passes through recognized platforms.
- Gaining trust: multiple redirections reinforce the impression of legitimacy for the user.
- Complicating analysis: security teams need to examine each redirection point to understand the entire attack.
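Because each layer of such a chain looks legitimate on its own, an analyst needs to record every hop rather than only the first or the last. The script below is an added example (not tooling from the Varonis write-up) that walks a redirect chain hop by hop without rendering any page, records which hops sit on trusted hosting platforms, and summarises where the chain ends. It runs entirely offline: a constructed table of (status, Location) pairs stands in for real HTTP responses, and every hostname in it is an invented placeholder, not an indicator from the case.

```python
"""Unwind a layered ("Russian doll") redirect chain and summarise each layer.

Added example. The fetcher is an offline stand-in: FAKE_RESPONSES maps a URL to
a constructed (status, Location) pair, so nothing is contacted. Hostnames are
invented placeholders.
"""
from urllib.parse import urljoin, urlparse

# Constructed chain: two hosting platforms in the middle, a lookalike login
# host at the end. Relative Location values are included to show that they
# must be resolved against the current URL.
FAKE_RESPONSES = {
    "https://docs.hosting-platform.example/share/abc":
        (302, "https://app.render-style.example/view"),
    "https://app.render-style.example/view":
        (302, "/go/next"),
    "https://app.render-style.example/go/next":
        (302, "https://login.brand-lookalike.example/auth"),
    "https://login.brand-lookalike.example/auth":
        (200, None),
}

# Assumed: hosting platforms the organisation treats as trusted (constructed).
TRUSTED_HOSTING = {"docs.hosting-platform.example", "app.render-style.example"}
# Assumed: hosts that legitimately serve the brand's sign-in page (constructed).
LEGITIMATE_LOGIN_HOSTS = {"login.brand.example", "account.brand.example"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def offline_fetch(url: str):
    """Stand-in for an HTTP HEAD/GET that only returns status and Location."""
    return FAKE_RESPONSES.get(url, (404, None))


def unwind(start_url: str, fetch=offline_fetch, max_hops: int = 10) -> list[dict]:
    """Follow Location headers and record every layer; stop on loops or a cap."""
    hops, seen, url = [], set(), start_url
    while url and len(hops) < max_hops:
        if url in seen:                      # a loop: record it and stop
            hops[-1]["note"] = "redirect loop"
            break
        seen.add(url)
        status, location = fetch(url)
        host = urlparse(url).hostname or ""
        hops.append({"url": url, "host": host, "status": status,
                     "trusted_hosting": host in TRUSTED_HOSTING})
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)     # Location may be relative
        else:
            url = None
    return hops


def summarise(hops: list[dict]) -> dict:
    """Describe the chain in the terms an analyst cares about."""
    final = hops[-1]
    return {
        "layers": len(hops),
        "hops_via_trusted_hosting": sum(h["trusted_hosting"] for h in hops),
        "final_host": final["host"],
        "final_host_is_legitimate_login": final["host"] in LEGITIMATE_LOGIN_HOSTS,
        "final_looks_like_login": "login" in final["url"].lower(),
    }


if __name__ == "__main__":
    chain = unwind("https://docs.hosting-platform.example/share/abc")
    for i, hop in enumerate(chain, 1):
        print(f"layer {i}: {hop['status']} {hop['url']}"
              + ("  [trusted hosting]" if hop["trusted_hosting"] else ""))
    print(summarise(chain))
```

The summary deliberately keeps "hops via trusted hosting" and "final host is a legitimate login host" as separate facts: a chain that passes through recognised platforms and still ends at a sign-in page on a host the brand does not own is the pattern this section describes, and each fact on its own would be unremarkable.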
This strategy demonstrates the ingenuity of cybercriminals in bypassing security systems and manipulating users until it’s too late. Phishing is often the first step in a ransomware attack: once credentials have been stolen, attackers can infiltrate the corporate network, deploy malware and block access to critical data. In a survey of 300 French SMEs carried out by Opinion Way for WatchGuard in 2024, 49% said they had been the victim of at least one cyber attack. Phishing and business e-mail compromise remain among the main attack vectors.

Phishing attacks on the rise in 2024
Phishing attacks saw an alarming upsurge in 2024, according to a report published by email security specialist Egress, with 76% of companies surveyed reporting having suffered at least one phishing attack this year. This steep rise is attributed to the constant evolution of techniques used by cybercriminals, including increasingly sophisticated social engineering. Today, 44% of phishing e-mails originate from compromised accounts, giving their messages a legitimate appearance that is difficult to detect.
At the same time, cybercriminals prefer hyperlinks to attachments. Embedded in the content of e-mails, these links are much more difficult for protection systems to detect. More often than not, they redirect to fraudulent sites meticulously designed to imitate well-known platforms, thus deceiving victims. This strategy enables attackers to evade security devices and make their campaigns more effective.

The above-mentioned Varonis case study perfectly illustrates the effectiveness of the combined use of compromised accounts and malicious hyperlinks. This combination enables cybercriminals to carry out phishing campaigns that are particularly convincing and complex to detect, even for advanced security systems.
Warning signs and what to do
To detect a phishing attack, here are a few clues to pay close attention to:
- Unexpected e-mails with unknown attachments or links.
- Senders claiming to be trusted individuals or organizations.
- Presence of unknown email deletion rules.
- Suspicious redirects after login attempts.
Companies need to act quickly when an attack is suspected: disable compromised accounts, reset passwords and examine access logs to identify unusual activity.
Essential preventive measures
- Regularly train employees to recognize threats.
- Implement advanced security filters.
- Conduct periodic security audits.
- Deploy multi-factor authentication for all sensitive accounts.
Companies must regularly review their cybersecurity strategies. Phishing attack simulations can be organized to test team reactivity and improve detection and response processes.