Guest Post: Darktrace Email Finds: Two WeTransfer Impersonation Attacks Caught By AI

By: Dan Fien, Director of Email Security Products for the Americas, Darktrace

In recent months, Antigena Email has seen a surge in email attacks claiming to be from file sharing site WeTransfer. These attacks attempt to deploy malware into a recipient’s device and further infiltrate an organization. 

This is a common technique deployed by attackers, who find success in masquerading behind the trusted brands of well-known SaaS vendors. Darktrace has recently seen similar attacks leveraging both QuickBooks and Microsoft Teams

Incident one

This email was directed at an employee in the accounts department of a leading financial services organization in the APAC region. 

Figure 1: An interactive snapshot of Antigena Email’s user interface.

The subject line of this email – “We sent you an invoice via WeTransfer” – is typical of a solicitation attack. Hidden behind a button reading ‘Get your files’ was a webpage that contained malware but displayed a login page. If a user entered their username and password in an attempt to access this ‘invoice’, the malware would harvest their credentials and send them to the attacker.

Figure 2: The fake login page, branded as Microsoft Excel, which would have likely sent the credentials to a spreadsheet controlled by the attacker.

This attack bypassed the other security tools in place, but was detected by Antigena Email due to a number of anomalies that when stitched together unmistakably reveal a threat.

Figure 3: Antigena Email’s dashboard reveals the true sender of the email.

Critical for Antigena Email’s detection of this attack was that the email contained an anomalous link. It would be highly unusual for WeTransfer to link to SharePoint – a direct competitor – in their emails. The AI also recognized that neither the employee in the accounting department, nor anyone else in the organization, had previously visited the domain in question, and deemed this email to be 100% anomalous. These details, along with other characteristics of the URL, gave Darktrace’s AI reason to tag this email with the ‘suspicious link’ tag, prompting Antigena Email to double lock the offending link and hold the message back from the recipient’s inbox.

Incident two

A second incident leveraging WeTransfer’s name was detected just a week later at a law firm in Europe. This email was more sophisticated and even more convincing, appearing to come from the legitimate WeTransfer domain. However, it still set off over a dozen Darktrace models, again prompting Antigena to lock links and hold the email back.

Figure 4: An interactive UI snapshot of the second email.

This attack went a step further. Whereas in the previous scenario the attacker simply changed the personal name, leveraging <noreply[.]com>, here the attacker manipulated the headers to make the email appear to come from the WeTransfer domain. 

Recent research that will be further unveiled at BlackHat indicates there could be as many as 18 different methods to mislead common email verification checks like Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Some of these techniques may be as simple as including two FROM lines in an email header, which may result in a mail server verifying the first FROM header while the email client displays the second FROM address. As a result, an email sent from an attacker’s mail server can be verified as coming from a legitimate address – in this case <noreply@wetransfer[.]com.

The familiarity of the apparent sender of this email is reflected in the ‘Depth’ and ‘Width’ scores below of 19 and 47 respectively, indicating moderate communication history. However, Antigena Email reveals that the true sender is from a rare domain, and one that is unrelated to WeTransfer.

Figure 6: The metrics of the second email.

Darktrace’s AI also detected two suspicious links within the email that were considered highly anomalous given previous communication between WeTransfer and the client. And importantly – the absence of a WeTransfer link!

Figure 7: Two links in the email were considered highly anomalous and threatening

These unusual links combined with the recognition of a spoofing attempt prompted Antigena Email to deem this email as 100% anomalous and intervene, protecting the recipient — and business — from harm. Despite this second email attack employing more sophisticated attack methods, allowing it to evade legacy email tools and closely resembling a legitimate email, Darktrace’s AI was able to recognize an even wider array of indicators that prompted it to hold the email back.

To learn more about Antigena Email, click here >

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: