From Trust to Trickery: Brand Impersonation over the Email Attack Vector
While much of the focus of recent cybersecurity efforts has been dedicated to perimeter devices, social engineering should not be neglected. One of the most pernicious forms of social engineering, against both individuals and enterprises, is brand impersonation, and threat actors have found many new ways to do it. By far the most popular brand to impersonate is Microsoft, which makes sense given the ubiquity of Microsoft-owned platforms in most enterprises. Often, threat actors will send messages pretending to be email administrators asking for account information. In such cases, they have to recreate the format of a Microsoft email. Sometimes this is done through HTML manipulation, but that is the more difficult method. In many cases the easiest method for a threat actor is simply to prepare the email as an image file or an unscannable PDF and send it that way. The advantage of this method is that while a human can read it, automatic email scanners meant to detect phishing cannot.
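As an added example (not part of the original article), here is a small Python check for the "message as a picture" pattern described above: a mail whose readable text is almost empty but which carries an inline image or a PDF. The sample messages, the example.invalid addresses and the 40-character threshold are constructed for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MIN_VISIBLE_CHARS = 40  # assumed tuning value: less text than this plus an image/PDF is flagged

def _visible_text(part) -> str:
    """Return the text a recipient would actually read from a text/plain or text/html part."""
    body = part.get_content()
    if part.get_content_type() == "text/html":
        body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip; enough for a text-vs-image ratio
    return " ".join(body.split())

def analyze(raw: bytes) -> dict:
    """Count scannable text against image/PDF parts and flag picture-only layouts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    chars = images = pdfs = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            chars += len(_visible_text(part))
        elif part.get_content_maintype() == "image":
            images += 1
        elif ctype == "application/pdf":
            pdfs += 1
    suspicious = chars < MIN_VISIBLE_CHARS and (images + pdfs) > 0
    return {"visible_chars": chars, "images": images, "pdfs": pdfs, "suspicious": suspicious}

def build_sample(kind: str) -> bytes:
    """Constructed test messages (not real phishing samples): 'image', 'pdf' or 'normal'."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required: verify your account"
    if kind == "image":
        # The whole "notice" is one inline picture; the HTML carries no readable words.
        msg.add_alternative('<html><body><img src="cid:notice"></body></html>', subtype="html")
        msg.get_payload()[0].add_related(b"\x89PNG-placeholder", maintype="image",
                                         subtype="png", cid="<notice>")
    elif kind == "pdf":
        msg.set_content("See attached.")
        msg.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                           filename="notice.pdf")
    else:
        msg.set_content("Hi, your mailbox is close to its quota. Please delete old items "
                        "or contact IT at the usual number.")
        msg.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                           filename="quota-report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for kind in ("image", "pdf", "normal"):
        print(kind, analyze(build_sample(kind)))
```

The ratio check is a triage signal, not a verdict: a legitimate newsletter can also be image-heavy, so route flagged mail to OCR or a second-stage scanner rather than dropping it outright.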
Aside from Microsoft, other popularly impersonated brands include DocuSign, Amazon, and PayPal, likely because of their usefulness in phishing schemes. Although advances have been made in detecting and preventing social engineering messages from being sent, as always the weakest element in a cyber defense scheme remains the human user. To mitigate the risk of social engineering attacks, the most important element remains user education, especially where email is concerned. People have to learn not to automatically trust branded emails, but to verify them through alternate channels whenever possible.