Φiriki Intelligence Blog

Defending Against Persistent Phishing: A Real-World Case Study By Eynan Lichterman

One of the scariest acronyms in a CISO’s knowledge base is APT – Advanced Persistent Threat. The term refers to an adversary who is determined to harm you and who can do so in sophisticated ways. A colleague once taught me that the real threat isn’t just the adversary’s advanced tools, but their persistence. This means the adversary will keep trying to hack you over time, using various methods, collecting information, and exploiting multiple technical and human vulnerabilities. It’s truly frightening.

One of our customers has suffered a persistent phishing attack in the last few months. An unknown attacker consistently targets the organization and its employees with semi-targeted phishing attacks. You might think this is just another day at the office, but this situation is unique. The attacker sends emails to a fixed subset of employees, rotating through this group over time. Every few weeks, some employees receive similar phishing emails. The attacker doesn’t give up, and it’s clear they are relentless.

The phishing emails themselves are not especially sophisticated. The attacker uses the company name to semi-target the employees, often posing as the HR department or, occasionally, the IT team. Each email includes the employee’s name and typically contains a link as the payload. The emails usually create a medium level of urgency, but we have yet to notice other social engineering techniques such as temptation or threats.

Several telltale signs indicate these emails are phishing attempts:

  • The language used in the emails differs from the language the company typically uses (for instance, our customer uses French, but the emails are in English).
  • The sender’s name does not match the company’s naming conventions.
  • The sender’s address tries to mimic the company’s domain but is subtly different (e.g., sender: HR_company_name company_name_byh@201xxx.com, where 201xxx.com is not related to the company).
  • The displayed link text differs from the actual URL.
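
The four signs above can be turned into a simple triage check that a mail gateway or a SOC analyst script can run before an employee ever sees the message. The following is an added example written for this post, not code from the original article or from the customer’s environment. It assumes a placeholder company domain (`example-company.com`), a `firstname.lastname` mailbox convention, and two tiny French/English stopword lists as a crude language fingerprint; the two sample messages are constructed, with `201xxx.com` reused from the sender example in the post.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (placeholders, not the customer's real values): the company's
# domain, the name the attacker borrows, and a firstname.lastname mailbox rule.
COMPANY_DOMAIN = "example-company.com"
COMPANY_NAME = "example-company"
MAILBOX_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")

# The company writes French, so an English-heavy body is itself a signal.
# The stopword lists are deliberately small and only illustrative.
FRENCH_WORDS = {"le", "la", "les", "des", "de", "et", "vous", "votre", "nous", "pour"}
ENGLISH_WORDS = {"the", "and", "your", "you", "please", "to", "of", "is", "for", "this"}


class _HtmlCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs and all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare 'www.example.com/x' text is treated as http."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the telltale signs found in one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    local_part, _, sender_domain = addr.lower().rpartition("@")
    claims_company = COMPANY_NAME in addr.lower() or COMPANY_NAME in display_name.lower()

    # Sign 3: the address leans on the company name but lives on another domain.
    if claims_company and sender_domain != COMPANY_DOMAIN:
        findings.append(f"company name used on foreign domain {sender_domain}")
    # Sign 2: a sender presenting as the company breaks the mailbox convention.
    if (claims_company or sender_domain == COMPANY_DOMAIN) and not MAILBOX_CONVENTION.match(local_part):
        findings.append(f"mailbox {local_part!r} breaks the naming convention")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _HtmlCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
        visible_text = " ".join(collector.text)
    else:
        visible_text = content

    # Sign 1: body language differs from the company's working language.
    words = re.findall(r"[a-z']+", visible_text.lower())
    english = sum(w in ENGLISH_WORDS for w in words)
    french = sum(w in FRENCH_WORDS for w in words)
    if english > french:
        findings.append(f"body reads as English ({english} vs {french} stopword hits)")

    # Sign 4: anchor text that looks like a URL points somewhere else.
    for href, text in collector.links:
        if re.match(r"^(https?://|www\.)\S+$", text, re.I) and _host(text) != _host(href):
            findings.append(f"link text {text} hides destination {_host(href)}")

    return findings


# Constructed sample messages (not real traffic from the case).
SAMPLE_PHISH = """\
From: HR_example-company <example-company_byh@201xxx.com>
To: alice.dupont@example-company.com
Subject: Action required: update your HR profile today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Alice, please update your HR record for example-company within 24 hours.</p>
<p><a href="http://201xxx.com/login">https://hr.example-company.com/profile</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Marie Martin <marie.martin@example-company.com>
To: alice.dupont@example-company.com
Subject: Mise a jour de votre fiche RH
Content-Type: text/plain; charset="utf-8"

Bonjour Alice, merci de mettre a jour votre fiche pour le service des ressources humaines.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

On the constructed phishing sample all four signs fire; on the legitimate French message none do. The checks are heuristics, not a verdict: a score of zero is what every one of the rotated sender addresses in this case would have produced on a reputation lookup, which is exactly why the visible-content signs above mattered more than the blocklist.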

I assume you get the picture. Of course, we tried to block the sender addresses as a first step, but the attacker changed them with each batch of emails. The domains used were legitimate and did not have a “phishing reputation.” Minor changes were made to the email text each time.

We reported the addresses and added the Indicators of Compromise (IOCs) to the customer’s protection mechanisms, but the emails kept coming through. What’s my takeaway? While we rely on technology for defense, every tool has its limitations. The most adaptable defense mechanism is human awareness. Employees who can identify and report phishing attempts are our best line of defense.

Here’s what we did to enhance this awareness:

  • Consistently conducted awareness campaigns using traditional knowledge transfer methods.
  • Empowered employees by using continuous phishing simulation tools.
  • Simulated attacks and included the signs in our learning materials.
  • Added lessons learned from this and similar attacks to all types of campaigns (awareness and phishing simulations), mimicking this campaign.
  • Published messages to all employees with unique IOCs when a new campaign was detected, asking them to be vigilant and report anything suspicious.
  • Used the first campaign as an opportunity to test our cybersecurity emergency procedures.
  • Created an easy reporting method embedded in the employees’ desktop environment.
  • Provided updates to employees who reported phishing attempts, showing them we take their reports seriously.
  • Had the IT team update our suppliers and report the domain and IP address involved in the attacks.