Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Move beyond your SEG with Tessian’s SEG Consolidation Wizard  | Generate Report Now →

Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Tessian in Action: This Attack Got Through a SEG and M365, but Not Tessian.
by Tessian Threat Engineering Group Tuesday, March 28th, 2023
Cyber attacks are getting more sophisticated and more targeted. In this Tessian in Action update we explore how an attack got through legacy security solutions, but not Tessian.  Legacy security solutions just aren’t able to combat advanced threats over email the way that Integrated Cloud Email Solutions can. At Tessian, we’re seeing more and more attacks bypass traditional secure email gateways only to be stopped by our platform. The attack below sailed right through the client’s SEG and their Microsoft 365 defenses, only to be flagged by Tessian. The client, a medical firm, handles highly sensitive data and personal identifiable information. Fines from PII data breaches can be huge. In February 2023 Arizona-based Banner Health was fined $1,250,000 following a 2016 breach.
The target of the attack The attackers had clearly done their research, as this attack was specifically targeted at the client’s Chief Legal Officer, and one other senior member of the legal team. They were both targeted with a malicious URL sent from a look alike domain. The timing of the attack was 12-1 UTC, which was in the morning of the client’s location, perhaps in an attempt to catch them early and be top of their inbox.  Stopped dead in its tracks This attack was able to get past the client’s SEG and MS365 but Tessian flagged it as an impersonation attack. Tessian also identified the URL as malicious, and the fact it was a first time sender. Tessian’s Behavioral Intelligence models detected additional anomalies increasing our confidence score to 100/100. Consequently, this email never reached either of the recipients. The security team at the organization are well aware that attacks against their exec team can have devastating consequences. In fact, the security team that highlighted this attack to Tessian are highly active with the Tessian portal, and so quarantined it themselves, but had they not, Tessian Defender would have hard-quarantined this email or displayed a warning message to end users, coaching them and raising their security awareness ‘in the moment’.  It’s situations exactly like this that more and more firms are facing. Tessian was built exactly to stop these kinds of highly targeted attacks that slip by existing and legacy solutions. If you’d like to see how Tessian can better protect your organization, find out more with our Microsoft + Tessian Solutions Guide.
Read Blog Post
Advanced Email Threats
Tessian in Action: Phishing Attack Sends Credentials to Telegram
by Tessian Threat Engineering Group Monday, March 27th, 2023
Contributors : Catalin Giana & Razvan Olteanu In this example of Tessian in Action members of our Threat Intel Team saw this Microsoft credential attack target several of Tessian’s customers. There are four interesting things to note in this attack.  There was a zipped set of password instructions attached Within that was HTML that hid obfuscated Javascript which forwarded to a credential harvesting site The attack had a custom sender name for each individual attack Any successfully captured credentials were forwarded to Telegram. Here’s how the attack sequence worked. The email came as a Microsoft impersonating campaign with a zip file attached containing password instructions. Much like a sealed present, the hope was that the user would unpack the zip file to see what was in it, believing it to be legitimate.  
The copy in the email backs this up by specifically asking the user to unzip and follow the instructions within. There’s also an implied sense of urgency about the account expiring in the next 24 hours, which is further encouragement for the user to act.  It’s worth noting the ‘in the moment’ warning provided by Tessian at the top of the email here. Tessian adds custom warnings like this to Outlook (it looks a little different for gmail) to provide ‘in-the-moment’ security awareness for end users. Depending on how you have Tessian configured, and what our confidence score of threats are, we can either hard quarantine (as we did in this case) or add a warning and release to the user. You can see more on how Tessian protects against threats like these here. Upon downloading and unzipping the archive the team found malicious HTML. When executed it shows that it loads something from Microsoft Sharepoint which finally redirects to a Microsoft login phishing page.
Adding user credentials causes a script to execute which then queries, to determine the IP address. It then attempts to pass the response along with the password entered directly to a telegram group using Telegram’s api.
Let’s look now at that HTML in detail.  Original form: The html contains multiple chunks of base64-encoded Javascript that needs decoding manually and concatenating in order to find the original script. Doing that reveals a new obfuscated Javascript that is hex-encoded and has appended some base64 code at the end.
After removing the hex code character and adding all the other base64 encoded chunks the original script looks like this.
Read Blog Post
Beyond the SEG / Microsoft + Tessian, Threat Stories, Advanced Email Threats
Tessian in Action: Microsoft Credential Scraping Attempt
by Tessian Threat Engineering Group Monday, March 20th, 2023
Recently Tessian’s Threat Engineering Group identified an emerging threat detected by Tessian Defender targeting around 45 of our customers. The campaign was an email credential harvesting attack and was not detected by Microsoft Exchange Online Protection (EOP) when the attack began.  Anatomy of the attack The attack email was able to bypass legacy security solutions, like secure email gateways, as well as Microsoft 365. Let’s explore some of the reasons why it was able to do that: Firstly, the email was ‘sent’ by Amazon Simple Email Service (SES), which is a common tool leveraged by attackers to send automated attacks. However, the display name impersonated the company being targeted, no doubt attempting to add legitimacy, • The display name was actually dynamically generated, taking the first three letters of the recipient address and pretending to be the company name. • This is done to avoid basic aggregation and detection methods by secure email gateways and native security controls of email providers. • Looking at the subject of the email, it’s fairly innocuous, and again a rule in a SEG to flag the word ‘payment’ would trigger hundreds of false positives. • Finally, the body of the email itself is benign, simply stating “Please consider the environment before printing this email”. If anything, the attack attempt is a little too spartan in content, which might have raised suspicions in the user that received it.
Let’s now look at the HTM attachment, which contains JavaScript, which is encoded (below)
And when decoded twice it looks like this. Note that some of the content is still encoded.
All this encoding and obfuscation is attempting to hide the fact that the script redirects the user to a credential harvesting form. The form is hosted on a domain registered one day before the first phishing email was seen on the Tessian network. What’s more, to add legitimacy, the customer’s logo is hosted at the top of the form. Remember, this attack went to several organizations, so the logo must be dynamic. It’s therefore likely that it was scraped by the attacker using automated tooling. The user the “username” field is already pre-populated with the recipient’s email address. Again, adding legitimacy and lower the amount of effort for the recipient to share their password. Finally, when the password is entered, it is posted to a PHP script hosted on the same domain.
How did Tessian Defender detect this threat? So how did Tessian Defender stop this threat when SEGs and Microsoft 365 didn’t? Well, as well as detecting unusual file characteristics, Tessian’s Behavioural Intelligence models detected additional anomalies increasing our confidence score to 100/100. They are as follows:   The recipient company name was used in the display name.  The recipient has no historical relationship with the sender. Multiple emails were sent to each customer in a short period of time, to unconnected employees, this is known as a bust attack.  Tessian’s Natural Language Processing (NLP) models classified the email as being payments-related Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users, coaching them and raising their security awareness
Indicators of Compromise (IOCs) Tessian Threat Engineering Group reacted to add the below IOCs to the Tessian Unified Threat Interface. We recommend readers do the same Sender Address: jorgezamora@powderiverdev[.]com Credential Harvesting Site Domain: https://emdghouseltd4[.]pro
Contributors: Ed Bishop and Catalin Giana.
Read Blog Post
Attack Types, Threat Stories, Advanced Email Threats
Dozens of SVB and HSBC-themed URLs Registered
by Tessian Threat Engineering Group Wednesday, March 15th, 2023
As we explored 48 hours ago, the recent turbulence in the banking sector provided a potential opportunity for threat actors to launch attacks. So it comes as no surprise that we’re starting to see domains spun up for just such purposes. Tessian’s Threat Intel Team have been monitoring the situation as it unfolds, and found that multiple domains featuring both SVB and HSBC were registered. Malicious domains are being added to Tessian’s Unified Threat Feed to proactively protect our customers from future phishing attacks. What is interesting about this is that some are for legitimate, if a little unorthodox, activities like driving traffic, marketing and selling merchandise. It’s in this ‘fog of war’ that bad actors like to hide, and clearly some have been registered with attacks in mind. So let’s look at those first.  Siiiconvalleybank[.]com and siliconvalleybonk[.]com have clearly been set up to launch impersonation attacks, hoping people don’t notice those typos in the URLS. Other examples include myaccount-hsbc[.]com and thesiliconvalleybank[.]com. Meanwhile Svb-usdc[.]com and svb-usdc[.]net are both already set up to launch phishing attacks.
Google is already blocking these and alerts any visitors to that effect. Exploring beyond that warning reveals a ‘lookalike’ site offering a reward program and clicking ‘claim’ opens a QR code.
Fake URLs to drive traffic Some of the newly registered URLs are also being used to drive traffic.[.]in uses HSBC brand in order to gain more traffic for an Indian-based website with adult content. Meanwhile SVBlogin[.]com loads up All Day Capital Partners website offering to ‘help’ SVB customers. Many of the others are cybersquatting, no doubt hoping to sell on, while others registered but don’t contain any content or redirect, as if waiting to see how things pan out. Perhaps one of the oddest is svbbankrun2023[.]com, which hosts a merchandise shop selling SVB-themed items.  
Tessian Recommends: The following list should be used as a blocklist at your own risk, but we advise adding the newly registered domains on a watchlist for monitoring purposes. Here’s a full list of SVB and HSBC URLs we’ve documented so far.    Hsbcsvb[.]com Siiiconvalleybank[.]com Login-svb[.]com Svbankcollapseclaimants[.]com Svbankcollapselawsuit[.]com Svblawsuits[.]com[.]in Svbanklegal[.]com Svbankcollapse[.]com Svbankcollapseclaims[.]com siliconvalleybankfilm[.]com siliconvalleybankcrash[.]com siliconvalleybankcollaps[.]com siliconvalleybankcolapse[.]com siliconvalleyfederalbank[.]us silliconvalley[.]ink siliconvalleyfederalbank[.]net siliconvalleybank-usdc[.]com siliconvalleybonk[.]com ziliconvalley[.]sk siliconvalleybankcustomerservice[.]com siliconvalleybankhelp[.]com siliconvalleyentrepreneursbank[.]com siliconvalleybankcreditors[.]com siliconvalleyentrepreneurbank[.]com siliconvalleybankclasaction[.]com wwwsiliconvalleybankclassaction[.]com siliconvalleybankfailures[.]com siliconvalleybanksettlement[.]com siliconvalleybank[.]xyz siliconvalleybank[.]lol siliconvalleyfederalbank[.]biz siliconvalleyfederalbank[.]lol siliconvalleybankmovie[.]com siliconvalleybank[.]biz siliconvalleybn[.]com siliconvalleybanklawsuit[.]com siliconvalleybankclassaction[.]com siliconvalleybankreceivershipcertificate[.]com siliconvalleybankcollapse[.]com siliconvalleybust[.]com svbbankrun2023[.]com svbalternative[.]com svbankclassaction[.]com svbanklawsuit[.]com svb-cash[.]com svbfdic[.]com svbwiki[.]com svbcollapseexplained[.]com banksvb[.]com svbcollapse[.]net svbbailout[.]org fucksvb[.]com svbcoin[.]xyz svbchain[.]xyz svb-usdc[.]com svb-usdc[.]net svbfailure[.]com svbopenletter[.]com svbplaintiffs[.]com svbinfo[.]com svbbankrun[.]com svbrecovery[.]com svbmeltdown[.]fyi wefundsvbclients[.]com svbreceivership[.]com svblogin[.]com svbcollapse[.]com svbclaim[.]com svbdebt[.]com svbclaims[.]net svbbailout[.]com svbi[.]io svbank[.]com hsbcbdubai[.]com hsbc079[.]com hsbc757[.]com Hsbc736[.]com hsbc119[.]com hsbc719[.]com hsbc938[.]com Hsbc891[.]com Hsbc-premium[.]com Hsbckyc[.]com Hsbclogin[.]co Myaccount-hsbc[.]com Thesiliconvalleybank[.]com 1svb[.]com Circle-svb[.]com Svb2023[.]com Svbgate[.]com Svbtoken[.]com Svbnfts[.]com whatissvb[.]com
Read Blog Post
Attack Types, Threat Stories, Advanced Email Threats
The Current SVB Banking Crisis Will Increase Cyberattacks, Here’s How to Prepare
by Tessian Threat Engineering Group Monday, March 13th, 2023
The recent banking turmoil involving Silicon Valley Bank and Signature Bank sent shockwaves through technology firms globally as they scrambled to transfer their capital, secure payroll, and pay their bills. However, this mass changeover in banking details is exactly the situation that breeds targeted cyberattacks. Although the swift intervention of The Federal Reserve, The Bank of England, HSBC and others helped calm the liquidity crisis, a cyber threat crisis is likely now brewing as threat actors spin up a host of impersonation attacks and campaigns. The Tessian Threat Intel Team has already seen dozens of SVB and HSBC-themed URLs registered, some of which are used to launch phishing campaigns. 
Money, distraction, urgency Bad actors are driven by money. And there is a lot of money at play with this crisis. The streaming firm Roku indicated it has about $487 million in deposits at SVB. They are likely making changes now to diversify where they deposit this money and, accordingly, updating wiring instructions to reflect these new banking relationships. In their Q4 Risk Insights index, Corvus Insurance indicated 28% of all claims in Q4 2022 were due to fraudulent funds transfers. Threat actors relish the confusion and rapid changes that come with a crisis like this. The sheer number of updates to wiring instructions increases the chances that standard operating procedures around changing wiring instructions are ignored. Common operating procedures around changing wiring instructions might include (a) verifying the authenticity of each request by calling the person (using a known, existing phone number, not one provided in a new email) (b) implementing a call-back verification system for each vendor when any wiring instructions are changed, and (c) implementing dual control and multiple “eyes” on every wire change request. Tessian is already seeing genuine email traffic related to changing wiring instructions and expects to see advanced attacks leveraging this crisis soon. Finally, the scale of this crisis is huge and information about it is widespread. There are a large number of affected entities – Reuters published a list detailing not only the firms affected but their financial exposure – ensuring a target rich environment for the bad guys.
Fraudulent (and genuine) wire transfers The top 2 common attack vectors with fraudulent funds transfers are (1) impersonation attacks and (2) targeted phishing attacks. In an impersonation attack, the bad actor impersonates someone or some company that is known to the organization. They will typically do this by registering a new domain name that is largely similar to the targeted company’s domain.
In this example, the attacker registered a new domain name ( which looks similar to They are reaching out to the finance department at Acme to request a change in bank accounts for future payments. Sophisticated attackers will conduct research using publicly available information (10-K annual reports, LinkedIn blog posts, LinkedIn connections to the CFO or Accounts payable personnel, and any website mentions) to build a convincing approach.  A targeted phishing attack would use similar impersonation methods while attempting to gain access – either electronically with a username and password or via socially engineered approach – to implement a fraudulent funds transfer. In the below example, the attacker is impersonating a known, trusted domain and attempting to gain access to an accounts payable employee. 
Recommended next steps Tessian’s Threat Engineering teams are monitoring our datasets closely for emergent threat signals and updating Tessian’s Global Threat Library and Behavioral Intelligence Model in response. Our existing Defender customers will automatically benefit from this protection. In addition, we are recommending the following steps to further protect our existing customers: Deployment hygiene: review your deployment coverage to ensure Defender’s protection is configured to apply to all mailboxes on all devices. Schedule a deployment health-check.  Enable warnings for money requests: for additional protection, Defender Customers can leverage Defender’s Custom Protection to detect and warn users when an email “requests money”.  Reinforce approval processes: work with your finance teams to revise and review your payment approval workflows, and consider adding an additional internal verification layer to account for the increased risk 
How Tessian stops wire fraud attacks Built ready: The SVB crisis and other events like this are exactly the sort of thing Tessian was built to handle. Tessian covers fraudulent fund transfer attacks and other scenarios that are difficult to detect and that are often missed by legacy email security tools. Tessian is built to detect and prevent any variations of wire fraud attacks.
Spotting imposters: Tessian catches thread hijacking attempts by looking for subtle indications of domain spoofing and small changes in behavior that suggest the sender isn’t who they say they are.  Custom protection: All Tessian customers have access to an additional layer of protection that allows them to educate users at the point of receiving a suspicious email including those involving fraudulent funds transfers. Defender’s Custom Protection gives organizations an additional layer of security by alerting users when an email triggers specified conditions. This provides further fine tuning around threats specific to your organization or specific groups within your organization.
Proactive defense: As this situation evolves, Tessian’s Threat Engineering Team are closely monitoring incoming emails for new phishing tactics and upward trends in existing ones, continuously improving the breadth and accuracy of the protection we provide to our customers. Our threat intelligence team can also respond to new phishing campaigns in a matter of minutes by updating our global threat library, ensuring that all of our customers are protected against malicious sender domains and URLs. Guidance: While we may see more basic attacks leveraging the SVB crisis initially, threat actors will quickly evolve in sophistication to take advantage of the sheer volume of wire changes occurring to better target organizations. Legacy email security tools that use rules and policies are more likely to miss these attacks or report large numbers of false positives. Tessian’s guidance to our customers and anyone else is to expect a significant uptick in volume and in quality (more convincing) attacks on your employees over the coming weeks and months. See Defender in action (video) or request a free trial of Tessian to start detecting wire fraud attacks today.
Read Blog Post
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Why You Should Download the Microsoft 365 + Tessian Guide
by Bob Boyle Thursday, March 9th, 2023
With Business Email Compromise (BEC) attacks remaining the number one cybercrime in 2022, and 82% of data breaches involving humans – email continues to be the largest threat vector for any organization. The effectiveness of legacy gateway solutions like Proofpoint, Ironport, and Mimecast has come under scrutiny as organizations look to solve new security concerns in a cloud-first world. Organizations that have already begun adopting cloud-hosted productivity suites, like Microsoft 365, are finding an overlap in their native-security capabilities, which legacy email security solutions have traditionally addressed.  Microsoft has made significant strides in improving the native-security features built into their different licensing models. This allows security leaders to reduce cost and complexity within their security stack, as the email security capabilities offered by Microsoft 365 mirror that of a Secure Email Gateway (SEG):  Traditional Email Security URL & Attachment Protection Manual Investigation & Response Rule-Based DLP Policies  These overlapping capabilities have given security leaders a good enough option to move beyond legacy SEGs, but understanding what is included within each Microsoft licensing model is key to effectively securing an organization’s email environment. Microsoft offers various packaging bundles and add-ons, allowing flexibility for security leaders to maintain the same level of protection offered by their legacy gateway solutions.
Is good enough really good enough?  The global shift to a remote workforce has also opened up new threat vectors and emerging attack types that security leaders are still struggling to prevent. Round-the-clock access to sensitive data has increased the human risk of malicious, negligent, and accidental data loss. Attackers are leveraging social engineering to trick end-users by abusing trusted relationships. Relying solely on traditional detection methods to defend against advanced attacks and rule-based policies to protect against insider risk, is leaving organizations more vulnerable than ever before.  A more intelligent approach is needed. Organizations can continue to rely on traditional detection methods to filter out bulk phishing and spam, but simply put, scanning for malicious signatures based on known threat intelligence doesn’t stop the advanced threats that security leaders face today.
There is, however, a solution. The advanced detection capabilities of an Integrated Cloud Email Security (ICES) solution close the gaps where legacy, rule-based detection or current Microsoft tools fall short. ICES solutions employ advanced machine learning to map an organization’s typical email behavior and detect unusual communication patterns, providing a more accurate defence against BEC attacks. In addition, ICES solutions can warn end-users of potential misdirected emails or instances of sensitive data loss.
In this Solution Guide, we discuss the decline of legacy gateway solutions, how to reduce cost & complexity by migrating to Microsoft 365, and what email security capabilities are available in each Microsoft licensing package. In the end, readers will understand how Tessian + Microsoft 365 enables the most complete Integrated Cloud Email Security platform.
Read Blog Post
Compliance, Advanced Email Threats
Will Australia’s Tougher Cyber Regulation Force Firms to Upgrade Their Security?
by Andrew Webb Friday, March 3rd, 2023
2023 saw several shifts around the world in data privacy laws. But by far the biggest is the news that the Australian authorities have increased penalties for data breaches following a spate of major cyberattacks.  Australian firms are facing a hacking ‘pile on’ as threat actors find relatively few sophisticated defenses and an undersized and overstretched cybersecurity workforce to stop them. The Australian cybersecurity minister, Clare O’Neil, has warned of a new world “under relentless cyber-attack” as Australia’s security agencies scramble to stop the latest ransomware attacks.  This is exacerbated by a country-wide lack of skilled security professionals across all disciplines which, according to the latest research, is nearing crisis levels. Finally, Australia isn’t immune to global pressures like the post-pandemic shift to remote working which has only increased the attack surface.
Previous attempts to address the issue It’s not like the Australian Government has been sitting on its thumbs over the issue. In 2016, the government released its first Cyber Security Strategy, which included investments in cybersecurity research and development, increased collaboration between government and industry, and the establishment of the Australian Cyber Security Centre (ACSC). The ACSC is a key element of Australia’s cybersecurity infrastructure and provides a range of services to government agencies and businesses, including threat intelligence, incident response, and advice on cybersecurity best practices. The ACSC also works with international partners to share information and collaborate on cybersecurity initiatives. The Australian government has also introduced legislation aimed at improving cybersecurity. The Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to report cyber incidents to the government, while the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 provides law enforcement agencies with greater powers to access encrypted communications.
Australian privacy breach fines just got a whole lot bigger The new bill aims to increase fines from a current maximum of AU$ 2.22 million (USD$ 1.4m) to whichever of the following is greater; AU$50 million (USD$ 34m), three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period. That’s a significant increase on the old fine and dwarfs IBM’s average total cost of a data breach which stood at USD$4.35 million in 2022. It is even bigger than the estimated $25m and $35m fallout costs of the attack on Australian healthcare provider, Medibank. Further damage was done as Medibank’s value fell by AU$1.6 billion in just a single week after the breach.
Australia’s cyber future Another key trend that will shape the future of cybersecurity in Australia is the increasing use of cloud computing. Many businesses are moving their data and applications to the cloud, which can provide cost savings and greater flexibility. However, cloud computing also introduces new cybersecurity challenges, such as the need to secure data stored in multiple locations and the risk of third-party data breaches. As mentioned above, the shortage of skilled cybersecurity professionals is also likely to remain a challenge in the future. The Australian Cyber Security Centre’s 2020 Cyber Security Survey found that 88% of surveyed businesses had difficulty recruiting cybersecurity professionals. To address this shortage, the Government and industry need to work together to provide training and education opportunities for cybersecurity professionals. Looking further ahead, the Government recently launched the 2023-2030 Australian Cyber Security Strategy Discussion Paper, seeking the views and opinions of interested parties and experts (the option to contribute closes April 15 2023). The aim is to assemble an offensive cyber team to become the world’s “most cyber-secure country” by the end of the decade. That’s going to take a while. In the meantime, Australian firms, or global enterprises that have data there, are left with the threat of large, potentially ‘business ending’ fines. Interestingly, The ‘breach turnover period’ stands at 12 months or the duration of the contravention, whichever is longer. For longer-term systemic breaches by larger organizations, this framework could lead to maximum penalties significantly higher than the A$50 million figure. Indeed some commentators are asking if 2023 will see the first AU$1 billion data privacy fine. All this raises the question about the effectiveness of state sanctions on companies who fall foul of cyber regulations. But will, as the Australian authorities hope, bigger fines lead to companies upgrading their security stance and ultimately fewer breaches? We’ll have to wait and see. But with email the biggest attack vector, Australia-based organizations should give serious thought to adopting an Integrated Cloud Email Security solution, and quickly. 
Read Blog Post
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Tessian in Action: Account Takeover & SharePoint File Share Attack
by Tessian Threat Engineering Group Wednesday, February 22nd, 2023
Recently, Tessian Defender detected and prevented an emergent threat across a large number of our legal and financial customers. Here’s how it happened… This external Account Take Over (ATO) campaign contained over 500 malicious emails that evaded Microsoft’s and customers’ secure email gateway (SEG) controls. Subsequently, it went on to reach 20 of our customers’ inboxes. An ATO often occurs when a user accidentally shares their credentials with a threat actor allowing them full access to their email account. Because a legitimate account was compromised, this ATO attack was sent from a trusted email address, with the correct domain, meaning it would have been almost impossible for an end user to identify it as malicious. What’s more, the email content was a legitimate Microsoft SharePoint file sharing email pointing to a OneNote file in SharePoint. The hosted file pointed to a malicious website used to harvest user credentials.  Here’s a screenshot of the SharePoint email (the name, file and entities have been anonymized).
Why did the SEGs not detect this threat? There are two main reasons why a traditional SEG didn’t stop this attack. Firstly, external ATOs are extremely difficult to detect because the phishing email is sent from a legitimate account, it’s just a bad actor operating the account. This means all email authentication methods such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC), will pass. Secondly, the email pointed to a legitimate SharePoint URL which, at the time of delivery, was not present on URL Threat Feeds. SEG detection relies heavily on signature-based, threat intelligence feeds. But for new and emerging threats, when the URL has not been seen before, there is no signature to detect so the only option they have is to deliver the email.
How did Tessian Defender detect this threat? Tessian Defender’s behavioral intelligence models identified two clear anomalous signals to predict this ATO attack. Firstly, Unusual Sender Behavior. A large amount of emails (~500) were sent from the compromised account, to many disconnected users on the Tessian network, in a short period of time. Successfully compromising an account is a rare event for an attacker, therefore the attacker will likely send many emails from the compromised account to trusted contacts in the account’s address book, as quickly as possible, before being discovered and before the credentials are changed. Secondly, Unusual File Sharing Service Used. As mentioned above, Microsoft SharePoint was leveraged in this attack. There is nothing unusual or suspicious about SharePoint, however because Tessian Defender’s behavioral models have a deep understanding of every relationship in our customer’s accounts, they were able to identify that the sender of this email had never used the SharePoint service in previous interactions. Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users:  
This email was confirmed to be malicious by end users and security analysts across our customer base – reinforcing and strengthening the Tessian Global Threat Network, and nullifying this emergent threat.  Account takeover attacks are becoming an increasingly common category of threat – driven by their ability to evade existing Microsoft and secure email gateway controls. Consequently, there is a strong likelihood of an end user being tricked into trusting the legitimacy of the email. Once inside a threat actor can deploy ransomware, instigate fraudulent fund attacks, and continue to move laterally through a customer by compromising higher target accounts. 
Read Blog Post
Attack Types, Insider Risks, Email DLP, Advanced Email Threats
Preventing ePHI Breaches over Email for Healthcare Organizations
by Matt Smith Friday, February 10th, 2023
Healthcare organizations handle some of our most sensitive and personal data, which makes them highly vulnerable to cyber attacks. Here’s how to prevent them. Electronic protected health information (ePHI) breaches over email occur when sensitive patient information is transmitted or stored through unsecured email communication. The cause of this type of breach can be unauthorized access, hacking, human error, and technological malfunction.  Healthcare organizations are complex with employees and contractor stakeholders across medical records teams, practitioners in clinic settings, non-technical employees, medical officers, and patients themselves accessing data. This diverse set of users and use cases makes managing ePHI and understanding when a breach has occurred that much more challenging. In the US, the Health Insurance Portability and Accountability Act’s Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and their business associates to provide notification of a breach that involves unsecured protected health information. For breaches that affect over 500 individuals, organizations must notify the Department of Health & Human Services (HHS) and prominent media outlets within their state within 60 days following a breach. Additionally, many states including California, Michigan, Florida, and Arizona have similar or more stringent reporting requirements.
Impact of ePHI Breaches Breaches not only cause reputational damage, but the HHS’ Office for Civil Rights (OCR) imposes fines based on the severity of a breach and an organization’s compliance with recommended security controls. For example in 2022, Oklahoma State University Center for Health Sciences was fined $875,000 for a breach affecting 279k records. To help reduce these large fines and to drive the right security controls, the recent amendment to the HITECH Act in 2021 incentivizes HIPAA-regulated organizations to adopt “recognized security practices” to better protect patient data.  There are 18 HIPAA Identifiers considered ePHI. These identifier elements include: Name, Address, Dates related to an individual (e.g., DOB, discharge date), telephone number, email address, social security number, medical record numbers, health plan beneficiary numbers, account numbers, IP addresses or web URLs, biometrics, and photographs. 
A common breach scenario is when an employee or contractor sends an email with ePHI to the wrong recipient. This can occur when an incorrect email address is entered, autocorrect selects a different email, a recipient forwards an email to another person, or the recipient’s email account is compromised. Privacy and GRC leaders in healthcare struggle with user error and user accidents with ePHI as it is a top cause of data breaches.   Let’s look at the numbers. The HIPAA Journal Breach report has been documenting breaches for the last 23 years. To date, there have been 5,150 data breaches reported between October 21, 2009, and December 31, 2022. What’s more, 882 of these breachers are still under investigation
The HHS’ Office for Civil Rights reports show a sharp increase in business associate reported breaches. These are the business partners and counterparties to healthcare providers who access ePHI. Many larger healthcare organizations now require security audits and data protection reviews for their business counterparties to mitigate this risk. Why? Because In 2022, nearly 90% of healthcare breaches involved third party vendors. In one example, a large health plan provider recently mandated stricter email data loss controls with one of their business partners (and subsequent acquisition) to ensure the ePHI shared between the parties was closely monitored and accidental sharing was eliminated.
Preventing ePHI Data Loss Over Email There are few solutions that can effectively prevent cases of ePHI data loss via email without implementing complex and time-consuming policies and rulesets. Tessian is used today at many large healthcare organizations to protect ePHI data loss over email by:  Ensuring confidentiality that ePHI data being is being sent to the correct, authorized recipient via email (preventing misdirected emails)  Preventing impermissible disclosure of sensitive or unauthorized data from leaving the org (i.e. data exfiltration)  Enforcing proper classification and compliance of emails being sent out (data labeling, keyword matching, etc.) Tessian protects ePHI data over email in 3 main ways:   Historical analysis of email activity, behavioral context, and natural language processing to create a Behavioral Intelligence Model for each employee  Understanding the working relationships between individuals and their external contacts to detect anomalous activity  Classifying email content and warning users with in-the-moment training or automatic blocking of ePHI data Through historical email analysis of an organization’s email activity as well as constant email monitoring and threat intelligence, Tessian applies advanced machine learning techniques such as content analysis (URLs/Attachments), Behavioral Context, Natural Language Processing, Linguistic Styles (sense of urgency), Intent Analysis (payment request/fake invoice) to form a customer-specific Behavioral Intelligence Model that detects and filters unintentional and malicious data loss events on email. By forming an understanding of the expected working relationships between individuals and baselining normal end-user behavior on email,  Tessian can detect anomalous activity such as misdirected emails as well as identify end-users who have the riskiest behaviors. Often ePHI breaches result in data being accidentally shared with the wrong party which often results in a reportable event. Tessian’s ML Algorithm identifies the level of sensitivity of email content (e.g., containing social security numbers) while warning users with in-the-moment training or blocking exfiltration attempts where required.  Within the Tessian portal, administrators can automatically detect data leaving the organization that contains ePHI. Admins can choose to just monitor, warn, or automatically block emails that contain sensitive data. These controls are automatic and do not require building extensive policies using regex or other lists
With Tessian’s reporting capability a security team can provide a clear summary of potential breach events to share with the Data Protection or Compliance Officer for further investigation. Using the unique anomaly detection reporting, analysts can see these reports in seconds as opposed to the content search in Microsoft or other platforms that can take hours.
Within the Risk Hub, Tessian automatically identifies the personal email addresses associated with all employees in an organization. This is useful in determining the risk level of a potential breach. HIPAA allows an organization to conduct a risk assessment to “demonstrate a low probability that the protected health information has been compromised by the impermissible use or disclosure.” see this link for details. For example, if an employee emails ePHI to their personal email account for printing at home or to conduct work from a home device, an organization can (a) identify that this was a personal email address for an employee and (b) require the employee to delete this data from the personal device. This example is a risk mitigation practice used by a current Tessian healthcare customer.
Here’s how Tessian can automatically detect and monitor of data sent to personal email addresses
Want to find out more about how Tessian can help protect your organization? Find out more here
Read Blog Post
Integrated Cloud Email Security, Email DLP, Advanced Email Threats
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
by Tessian Thursday, February 9th, 2023
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.  The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a welcome and new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.  The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.  Threat actors are exploiting these developments by targeting the most common threat vector for a breach, phishing via email.
Secure Email Gateways (SEGs) SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is  largely due to SEGs relying on adversaries exploiting common and well-known attack vectors.  SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine that is combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific emails security policies, block domains, and triage incidents – with many of these incidents false positives due to its “wide-net” email filtering approach.  Given the threat engine for SEGs also relies on known threats, it can enable threat actors to bypass SEG controls, for example, by registering new domains which are combined with advanced impersonation techniques. That’s why Tessian saw 2 million malicious, inbound emails evade SEGs in a 12-month period. And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods for email based data exfiltration, for example renaming document file names to bypass manual orchestrated SEG DLP policy labels. 
The key attributes of SEGs include: Designed to protect against commonly seen threats i.e. mainstream phishing activity, malware and spam The redirection of mail via MX records pointing to the SEG to scan all incoming email  Using a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments Clawback ability for internal email only No ability to detect lateral movement by a threat actor that has breached the gateway Supplemental scanning solutions are often required to detect advanced inbound threats Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. But, they’re also able to provide protection for hybrid and on-premise environments.  Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities, to dynamically, and in-real-time, scan and detect any anomalous email behavior on both the inbound and the outbound side.  ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include: Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO) Require no MX record changes and scan incoming emails downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives i.e. less business interruption and  more SOC optimization A banner can be added to an incoming email indicating the level of risk of the scanned email Lateral attack detection capability Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw-back a suspected email determined to be malicious All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URL and attachments Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real-time Some have advanced DLP capability
The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.  Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 
Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.
Read Blog Post
Advanced Email Threats
15 Examples of Real Social Engineering Attacks
Tuesday, February 7th, 2023
Social engineering attacks are one of the main ways bad actors can scam companies. Here’s 15 of the biggest attacks, and how they happened.
1.  $100 Million Google and Facebook Spear Phishing Scam The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national, Evaldas Rimasauskas, against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimsauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million. 2. Persuasive email phishing attack imitates US Department of Labor In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a noteworthy example of how convincing phishing attempts are becoming. The attack used two methods to impersonate the DoL’s email address—spoofing the actual DoL email domain (reply@dol[.]gov) and buying up look-a-like domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways. The emails used official DoL branding and were professionally written and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded. On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us. The fake bidding site instructed users to enter their Office 365 credentials. The site even displayed an “error” message after the first input, ensuring the target would enter their credentials twice and thus reducing the possibility of mistyped credentials. It’s easy to see how even a relatively scrupulous employee could fall for an attack like this—but the problem would not have arisen if the target organization had better email security measures in place. 3. Russian hacking group targets Ukraine with spear phishing As world leaders debate the best response to the increasingly tense situation between Russia and Ukraine, Microsoft warned in February 2022 of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies and NGOs. The group—known as Gamaredon and tracked by Microsoft as ACTINIUM—has allegedly been targeting “organizations critical to emergency response and ensuring the security of Ukrainian territory” since 2021. The initial phase of Gamaredon’s attack relies on spear phishing emails containing malware. The emails also contain a tracking pixel that informs the cybercriminals whether it has been opened. The case is an important reminder of how cybersecurity plays an increasingly central role in international conflicts—and how all organizations should be taking steps to improve their security posture and protect against social engineering attacks.
4. Deepfake Attack on UK Energy Company In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.” To learn more about how hackers use AI to mimic speech patterns, watch Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI.
5. $60 Million CEO Fraud Lands CEO In Court Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.
6. Microsoft 365 phishing scam steals user credentials In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device. Here’s how the attack works, and it’s actually pretty clever. The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise. Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials. You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam. This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data. 7. Singapore bank phishing saga like ‘fighting a war’ Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and malicious transactions in 2021, leading to around $8.5 million of losses across approximately 470 customers. The bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as like “fighting a war.” OCBC customers were duped into giving up their account details after receiving phishing emails in December 2021. The situation escalated quickly despite the bank shutting down fraudulent domains and alerting customers of the scam. Wong described how, once the phishing campaign had taken hold, the fraudsters had set up “mule” accounts to receive stolen funds. No matter how quickly the bank’s security team managed to shut down a mule account, the scammers would soon find another to take its place. The CEO described her dilemma after getting the phishing campaign under control: reimbursing customers felt like the right thing to do, but Wong feared it could incentivize further attacks. So far over 200 customers have been compensated. 8. Ransomware gang hijacks victim’s email account In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in. The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data. It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal. The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.
9. Phishing scam uses HTML tables to evade traditional email security Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP). BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files. Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft. But once again, cyber criminals have found a way to exploit the rule-based security approach. To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email. This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.” 10. Sacramento phishing attack exposes health information  Five employees at Sacramento County revealed their login credentials to cybercriminals after receiving phishing emails on June 22, 2021. The attack was discovered five months later, after an internal audit of workers’ email inboxes. The breach occurred after employees received phishing emails containing a link to a malicious website. The targets entered their usernames and passwords into a fake login page which were then harvested by cybercriminals. The attack resulted in a data breach exposing 2,096 records of health information and 816 records of “personal identification information.” The county notified the victims by email and offered free credit monitoring and identity theft services. It remains to be seen whether this proposed resolution by the county will be enough. Protection of health information is particularly tightly regulated in the US, under the Health Insurance Portability and Accountability Act (HIPAA), and data breaches involving health data have led to some hefty lawsuits in the past.
11. Google Drive collaboration scam In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document.  If the scam works, the victim will view the document, read the comments, and feel flattered at they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data. This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help. Want to see a screenshot of a similar attack? We breakdown a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here. 12. Sharepoint phishing fraud targets home workers April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft Sharepoint. The email looks legitimate. It includes the Sharepoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials. Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.
13. $75 Million Belgian Bank Whaling Attack Perhaps the most successful social engineering attack of all time was conducted against Belgian bank, Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds. 14. High-Profile Twitters Users’ Accounts Compromised After Vishing Scam In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West. The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day. 15. Texas Attorney-General Warns of Delivery Company Smishing Scam Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it. Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission. Top tip: Never to respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS. Prevent social engineering attacks in your organization There’s one common thread through all of these attacks: they’re really, really hard to spot. That’s where Tessian comes in. Tessian is intelligent cloud email security that stops threats and builds smart security cultures in the modern enterprise. Powered by machine learning, Tessian analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.
Read Blog Post
Integrated Cloud Email Security, Advanced Email Threats
Tessian in Action: Stopping an Impersonation Attack
by Tessian Threat Engineering Group Friday, February 3rd, 2023
Here’s a real-life example of Tessian in action. On this occasion, Tessian has flagged a potential phishing email chasing an invoice payment from a supplier. The client is a 3000-user global law firm and receives thousands of emails a day. In this attack attempt the threat actor has spoofed a legitimate existing domain for the approach,  ******* But crucially, for the reply address, the attackers used *******, omitting the final S found in the original URL.  It’s a common technique for attackers to use a legitimate domain for the initial email to gain trust, and then use a lookalike as the reply to, so they can then divert all conversations to their own inbox. They hope it won’t look suspicious because the recipient will probably think that it’s the same sender’s address. The science behind the way humans read words would mean that this would be easily scanned over in a busy office. The warning displayed to the end user
Tessian alerted the end recipient that the email was suspicious and explained why in three simple points, after which they correctly marked it as malicious. It’s in-the-moment explaining and training like this that empowers employees to make the right security decisions themselves, without slowing down their workday.  And here’s how the Security Team saw the event in the Tessian portal. You can see that the user safely marked the email as malicious in under five minutes from when it arrived.  Tessian picked up on the fact that the reply to address is extremely similar to the sender address and that ******* is not very well known to the customer, based on their statistics. Other flags included keywords such as ‘invoice’ and ‘payment’.
It’s also worth noting the time the email was sent, around 2pm GMT. Our own State of Spear Phishing report shows that the most successful attacks happen just after lunch, or towards the end of the working day, when people are at their most distracted.  Let’s now look at the email itself, and some of the social engineering triggers the attacker has used. It’s worth noting there’s just the right amount of suspicious intent: too much urgency such as ‘please pay immediately’ can cause people to double check and action it there and then, especially if the request comes from a senior manager or the C-Suite. Too little urgency meanwhile, means it might not get done at all.  The email arrived on Thursday 19th of January, with a suggested payment deadline of the 31st – just the right amount of nudging to ensure it’s quietly added to someone’s ‘to do’ list the following week. 
Attacks that mimic your suppliers can be particularly tricky to defend against, as psychologically, your organization and people have probably dealt with them before. Even small firms can have hundreds of different suppliers – from office cleaning to raw materials to payroll. For large multinationals like Walmart, or Total that number can run to over 100,000. That’s a lot of emails back and forth.  Tessian stops attacks like this on a daily basis, delivering a modern email security posture and protecting your end-users and data. But the best thing is we do all that, while reducing your security team’s workload. This ultimately saves you money and reduces complexity, leaving you confident that your organization is protected.
Read Blog Post