The tools hackers use to evade email security

Egress | 15th Sep 2022

Once hackers have chosen their victims and crafted their attack, they must figure out how to successfully evade the email security defenses of their targets. 

Our recent report, ‘How to turn a hacker’s toolkit against them’, discusses the mechanisms hackers use to investigate targets, plan out an attack, and ultimately trick people into handing over sensitive information. 

This article outlines some tools hackers use to evade email security, so you can ensure that your organization has the right precautions. 

Impersonating trusted individuals 

Email credentials are highly sought after by criminals because attacks carried out by legitimate email accounts are more likely to be able to evade detection by email security. Once hackers get their hands on someone’s credentials, they typically sell them to other criminals or use them to impersonate trusted individuals to carry out further attacks.

Accounts of high-profile figures such as politicians, activists, or CEOs are often prime targets, as these figures have a significant amount of influence and authority, and phishing attempts sent from these accounts are more likely to be successful. 

Hackers can gain access to these credentials in many ways. Some examples include phishing scams, data breaches, using unsecured public WiFi networks, guessing simple passwords, and taking advantage of someone forgetting to log out after using a public computer. 

Hackers may use other tricks to impersonate trusted individuals if they cannot access a compromised account. For instance, they can enter fake details into Microsoft Azure Active Directory (Azure AD) to impersonate a specific person. Outlook then finds these details in Azure AD and assigns them to the email. This makes the email look authentic and increases the chance of an attack being successful. 

Creating many burner email addresses

Burner email addresses can be set up quickly and easily. They are often used by people who want to avoid their email addresses being used for spam services. Once these addresses have served their purpose, they can be quickly deleted. Some services will even automatically render the addresses invalid after 10 minutes. 

Hackers use burner email addresses to quickly send out high volumes of emails while avoiding detection. This method is less effective than other methods, as email security often considers these email addresses suspicious. However, it is still widely used because these burner addresses are cheap and easy to create.

Targeting customer relationship management (CRM) platforms 

CRM platforms contain a huge amount of data about an organization’s relationships between vendors, suppliers, and customers. It can also provide a significant amount of information about an organization’s hierarchy and – most notably – who is responsible for payments. 

As a result, many cybercriminals will target CRM platforms that B2B companies typically use to avoid detection and target other organizations.

For instance, in May 2021, a group known as ‘NOBELIUM’ breached the mass-mailing service ‘Constant Contact’ to send official-looking emails containing malicious links to over 3,000 accounts across 150 organizations. These emails displayed a “usaid.gov” ID as the sender, which tricked recipients into believing it was legitimate. 

How to defend against the delivery stage

No matter how many defenses organizations put in place, preventing every security breach is impossible. However, reducing the level of human error that leads to these breaches is possible. Do this by offering regular security awareness training (SAT) to help people understand what a phishing email might look like and how they should react if they think they might have been the victim of a phishing attack.

Reinforce this training by using email security software that flags suspicious emails and adds specific information that clearly explains why the email has been flagged as suspicious – e.g., Sender Policy Framework (SPF), header analysis, and sender reputation checks. This software will not flag every suspicious email, so caution is still required – for example, detecting an email from a compromised account can be extremely difficult. 

The key takeaway is that no single type of technology should be relied on in the delivery stage. Instead, technology should be used with frequent SAT training to empower employees to take control of their security. 

Discover the full hacker’s toolkit

Delivery is just one of the steps in the cyber kill chain. Learn how attackers use the hacker’s toolkit to weaponize and deliver phishing emails in the full report. Download yours for free.