Beware of Coronavirus Phishing Attempts — Tips to Keep Your Organization Safe

Coronavirus: it’s what every news outlet and person is talking about. With the outbreak of the infection, people want to stay up to date on the latest news and reports, so they’re looking up data and clicking on links to outbound websites.

They’re also getting a lot of inbound content related to coronavirus: emails with healthcare best practices from internal employees, confirmation from trade shows on whether or not the events are getting cancelled, and updates from organizations they are a part of.

But just as importantly, they’re also getting emails from threat actors leveraging the hottest news — taking advantage of our interest in learning about and following this deadly infection. It’s common practice for these threat actors to leverage current events to compromise people. For example, tax season recently gave hackers the annual opportunity to commit fraud and steal people’s returns, and this type of threat activity is seen each year during the holiday shopping season, election season, and more. This is simply the latest example of this strategy.

For instance, there are already a number of threat research and intelligence reports published that demonstrate real-world examples of phishing emails posing as authoritative sources on the subject (e.g., the Centers for Disease Control and Prevention) or individuals supposedly sharing industry-specific updates on the subject. Here are a few good, publicly available writeups showcasing some examples:

Why This is an Opportunity for Hackers

Fortunately, at LogRhythm, we haven’t had any employees fall victim to coronavirus phishing. We have, however, seen almost 1,400 emails within four days with subject lines that included a variant of “coronavirus.” Several of those emails were identified as malware and phishing, with an additional several hundred marked as spam. And while the majority of these came from external senders, hundreds were supposedly from “LogRhythm.”

The amount of content combined with the thirst for knowledge could very easily set the stage for a phishing attack. People are wanting and expecting to receive information on the subject from both internal and external senders — so what’s one more email? The number of legitimate emails coming in gives phishing emails the opportunity to easily hide in plain sight.

Best Practices to Thwart Phishing Attempts

Identifying Phishing Emails

Be vigilant knowing that coronavirus is a known subject being used to compromise you, and please follow some best practices to stay on the lookout for identifying phishing emails. Eric Brown, a senior security analyst at LogRhythm, recently shared the following tips during a webinar about trending phishing techniques:

1. Were you expecting the email?

If you weren’t expecting to receive an email, this alone should raise your suspicion.

2. Is the message from a recognized or known domain/sender (email address)?

In other words, is it coming from a domain or business you recognize? If not, it should be confirmed as a legitimate message prior to responding to or clicking within it.

3. Does the email contain links or attachments you don't normally receive?

We receive and send emails all the time. If you don’t normally share or receive links or attachments in emails and suddenly start receiving them, you should exercise additional caution with that message.

4. Was the email sent/received during normal business hours?

A lot of phishing attacks are initiated from around the world, meaning the attacker might be working while you’re sleeping. If you receive an email at a strange or late hour, like 3:00 a.m., this could be a sign that it’s from an untrustworthy source.

Security awareness is crucial at this time, and we encourage you to help your peers stay vigilant. Share the above tips with others, and for more free, easily shareable security awareness resources, check out our infographic about how to detect phishing emails and our phishing awareness posters for use at your office.

Protecting Your Office 365 Environment

There are also more specific security best practices you can employ depending on the types of technology you use. Office 365 is prevalent in business environments, so I’m sure a lot of you reading this use it as well. Since we’re an Office 365 customer ourselves, we’ve written various blog posts on it related to security. Here are a few best practices — some new and some that we’ve shared before:

1. Monitor your Azure Active Directory audit and sign-in logs

Azure Active Directory supports both Office 365 and Azure, and its logs include a variety of useful metadata about senders and message content. By monitoring these logs, you can easily access this metadata, which includes information like User (Origin), Session Type, Severity, and Threat Name.

2. Disable remote PowerShell for normal users

Remote PowerShell is very useful for administrators, but if it falls into the wrong hands, it can easily be used for malicious activities. For example, if a threat actor successfully compromises an account with remote PowerShell enabled, the actor could then use it to automate account compromise.

3. Take advantage of all security features available

Office 365 has a number of helpful security features that can help thwart phishing attacks, yet they often go unused. For example, Office 365 customers can enable a rule that blocks any email in which the display name doesn’t match the sending domain. The display name might look legitimate (e.g., James Carder), while the domain clearly isn’t (e.g., jcarder@micr0s0ft.com). Employing this rule means that any email whose display name and domain don’t match never makes it to the recipient’s inbox — stopping a phishing attack before it even has the chance to do damage.

Lack of adoption could simply be due to awareness. To familiarize yourself with all features available, review this section of Microsoft’s documentation.
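To show what the display-name/domain check above does in practice, here is an added example (not LogRhythm's or Microsoft's code) that parses a From: header, flags a display name that claims an identity the sending domain isn't allowed to use, and also catches digit-for-letter look-alike domains such as micr0s0ft.com. The protected domains, keyword-to-domain map and sample headers are all constructed for the example.

```python
import re

# All values below are constructed for this example; they are not LogRhythm's configuration.
PROTECTED_DOMAINS = {"logrhythm.com", "microsoft.com"}   # domains phishers like to imitate
# Display-name keywords and the only domains allowed to use them.
EXPECTED_DOMAINS = {"james carder": {"logrhythm.com"}, "microsoft": {"microsoft.com"}}
# Digit-for-letter substitutions seen in look-alike domains such as micr0s0ft.com.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^<>\s]+)>\s*$')

def parse_from(header):
    """Split a From: header into (display name, address); a bare address has no name."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip()
    return (m.group("name") or "").strip(), m.group("addr")

def lookalike_of(domain):
    """Return the protected domain that `domain` imitates via digit swaps, else None."""
    normalized = domain.translate(HOMOGLYPHS)
    if domain not in PROTECTED_DOMAINS and normalized in PROTECTED_DOMAINS:
        return normalized
    return None

def check_sender(header):
    """Return the list of reasons a From: header should be held; empty means it passes."""
    name, addr = parse_from(header)
    if "@" not in addr:
        return ["no parsable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    reasons = []
    lowered = name.lower()
    for keyword, allowed in EXPECTED_DOMAINS.items():
        if keyword in lowered and domain not in allowed:
            reasons.append(f"display name claims '{keyword}' but domain is {domain}")
    # A display name that is itself an address at another domain, e.g. "it@corp <x@other.net>".
    m = re.search(r"@([\w.-]+)", name)
    if m and m.group(1).lower() != domain:
        reasons.append(f"display name shows @{m.group(1)} but domain is {domain}")
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"{domain} looks like {imitated}")
    return reasons

if __name__ == "__main__":
    for h in ["James Carder <jcarder@logrhythm.com>", "James Carder <jcarder@micr0s0ft.com>"]:
        print(h, "->", check_sender(h) or "ok")
```

A mail-flow rule would typically quarantine or reject a message for which `check_sender` returns any reason rather than delivering it to the inbox.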

Tips for LogRhythm Customers

And if you’re a LogRhythm customer, you can take monitoring for, alerting on, and investigating phishing attempts even further. To do so, we recommend implementing the following:

1. Log collection from your email security products

Even if you’ve already enabled log collection from your email security products, it’s still worth double-checking that you’re sending all the information you want and need. This will ensure that your LogRhythm SIEM is analyzing and correlating against all information available, and you’re taking advantage of as many automated remediation actions as possible. And remember: data volume isn’t an issue with LogRhythm; we allow you to send as much data to the platform as you’d like, without any limitations.

2. The MITRE ATT&CK® Module

If you’re not familiar with ATT&CK, it’s described as “a curated knowledge base and model for cyber adversary behavior.” We have a module freely available to all LogRhythm customers with pre-created AI Engine rules specifically designed to detect various ATT&CK behaviors, and several of these address tactics, techniques, and procedures (TTPs) related to phishing. Examples of these techniques you can identify with the module and their ATT&CK descriptions include:

  • Spearphishing Attachment (T1193): “All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.”
  • Scripting (T1064): “Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened.”
  • Masquerading (T1036): “Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation…[One] variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code…A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character.”
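The right-to-left override described under Masquerading is easy to check for in attachment names. The following added example (not part of LogRhythm's module) reconstructs how a naive file listing would render a name that contains U+202E, extracts the extension the operating system actually uses, and reports the mismatch. The executable-extension list and sample filenames are constructed for the example.

```python
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: text after it is displayed reversed
PDF_ = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Constructed list of extensions that execute when opened (not an exhaustive one).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta", "lnk", "msi"}

def rendered_name(filename):
    """Approximate what a user sees: characters after U+202E are shown reversed
    until a U+202C pop (or the end of the name); other bidi controls are invisible."""
    out, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == RLO:
            j = filename.find(PDF_, i + 1)
            j = len(filename) if j == -1 else j
            out.append(filename[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def real_extension(filename):
    """The extension the OS honours: whatever follows the last '.' in the raw name,
    once the invisible bidi control characters are dropped."""
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""

def inspect_attachment(filename):
    """Return a dict describing the disguise, or None when the name has no bidi controls."""
    if not any(ch in BIDI_CONTROLS for ch in filename):
        return None
    shown = rendered_name(filename)
    apparent = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    actual = real_extension(filename)
    return {"shown_as": shown, "apparent_extension": apparent,
            "actual_extension": actual, "executable": actual in EXECUTABLE_EXTENSIONS}

if __name__ == "__main__":
    # Constructed sample: the user sees "invoiceexe.pdf" but the OS opens a .exe.
    print(inspect_attachment("invoice\u202efdp.exe"))
```

In a SIEM rule, the useful alert condition is `apparent_extension != actual_extension and executable`, since the presence of the control character alone also occurs in legitimate right-to-left filenames.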

3. LogRhythm TrueIdentity™

LogRhythm TrueIdentity™ maps disparate user accounts and related identifiers to build a comprehensive baseline of a user’s actual identity. By baselining a user’s profile and comparing that activity to the individual’s peers, you can rapidly surface anomalous behavior for qualification and investigation.

4. LogRhythm Threat Intelligence Services (TIS)

TIS integrates threat data from commercial and open-source threat feeds — including any STIX feed from a TAXII server — which can be used to correlate against activities in your environment. Implementing TIS will help ensure you’re taking advantage of the most up-to-date phishing-related threat intel available.

The Tools You Need to Protect Yourself

As you can see in the list of best practices above, there’s not just one tool you can — or should — use to defend yourself against phishing attacks. Naturally, SIEM plays a big role in this, as you need to be able to monitor all of your data in one place, correlate it against other data, apply threat intelligence to it, etc. We also believe that SIEM works best when used in combination with other technologies and initiatives, like endpoint protection tools, network control solutions, and even security awareness programs.

We practice this at LogRhythm. The LogRhythm SIEM serves as the backbone of our security posture, but we also rely on other tools. Some of those are tools we’ve designed — like our free, open-source Phishing Intelligence Engine (PIE) to automatically detect and report phishing attacks — and some we’ve integrated from other providers. Realistically, if you want to meaningfully improve your security operations, you need to implement different tools that accomplish different goals — of course, without taking on so many that you can’t manage them. If you’re having trouble balancing this, contact us; we’re here to help.

Be Vigilant. Stay Safe.

The coronavirus outbreak is one of those unique situations in that it is truly global. Everyone around the world is thinking, talking, learning, and worrying about it at the same time, and they all want to protect themselves from it.

Threat actors know they can capitalize on this curiosity and fear, so it is especially important at this time to remain vigilant when reviewing the messages you receive. Employ the best practices above, and if you have any other go-to tips to stay safe from phishing attempts, please share them in the comments section.