Recognizing a phishing email isn’t as easy as it used to be. From clean, error-free text to sharp brand logos and images, the new phishing attacks are highly successful at fooling both savvy users and advanced email filters. What are phishers doing differently? Everything—from the sender’s address to the footer.
Phishing email characteristics
To help you spot a phishing email, we’ll break down both what you see and what you don’t—the body text and the underlying code. While some are general examples, the majority are real phishing emails discovered by Vade Secure.
What distinguishes phishing from spear phishing is brand impersonation. A spear phishing email appears to come from a person, while a phishing email appears to come from brands. Microsoft, PayPal, and Netflix are just a few of the most impersonated brands in phishing attacks.
Phishers use email spoofing to create fake email addresses that look like they were sent from legitimate ones. With email address spoofing, the sender’s name is visible, but the email address is sometimes hidden. In a PayPal phishing email, for example, the visible alias might be “PayPal Security,” but the hidden email address is “firstname.lastname@example.org.” The hope is that the recipient will not expand the sender’s name to check the email address—many people don’t, especially on mobile devices.
A cousin domain is a more sophisticated form of email spoofing in which the sender’s address closely resembles a brand’s email address but has been subtly altered. One way of creating a close cousin is adding or subtracting a letter from the email address, or adding an extension such as .co, .global, or .ae.
Below is an example of a Wells Fargo phishing email discovered by Vade Secure. It features a cousin domain with a long extension, spoofing the Wells Fargo customer service email address:
Domain spoofing is the use of a sender address on the legitimate domain itself, such as bofa.com (Bank of America). Domain spoofing is on the decline, thankfully, due to DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF). Each lets the receiving server identify unauthorized use of a domain name, and together they effectively block email that features domain spoofing.
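To make the three sender-address cases above concrete, here is an added Python example (not code from the original article or from Vade Secure) that parses a constructed message with the standard library and classifies its From header as display-name spoofing, a cousin domain, or a sender on the brand’s own domain. The brand-to-domain table, the sample addresses and the cousin-domain heuristics are assumptions constructed for this illustration; a production filter would back them with a public-suffix list and with the SPF/DKIM results, since an address on the exact brand domain can only be told apart from domain spoofing by those checks.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: brand keyword -> domains the brand legitimately sends from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "wellsfargo": {"wellsfargo.com"},
    "netflix": {"netflix.com"},
}


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches one added, dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label ('paypal' for 'mail.paypal.co'). Naive split that ignores
    multi-part public suffixes such as .co.uk; a real filter would use a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(from_header):
    """Classify a From header into exact_domain, cousin_domain, display_name_spoof or unrelated."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    labels = domain.split(".") if domain else []
    label = registrable_label(domain) if domain else ""
    display_compact = display.lower().replace(" ", "")
    result = {"display": display, "address": address, "domain": domain,
              "brand": None, "verdict": "unrelated"}

    # 1. Exact brand domain: either legitimate mail or domain spoofing; only SPF/DKIM can tell.
    for brand, domains in BRAND_DOMAINS.items():
        if domain in domains:
            result.update(brand=brand, verdict="exact_domain")
            return result

    # 2. Cousin domain: brand label under another extension (paypal.co), one letter
    #    added or removed (wellsfargos.com), or the brand label buried in a longer domain.
    for brand, domains in BRAND_DOMAINS.items():
        brand_labels = {registrable_label(d) for d in domains}
        if (label in brand_labels
                or any(edit_distance(label, bl) == 1 for bl in brand_labels)
                or any(bl in labels for bl in brand_labels)):
            result.update(brand=brand, verdict="cousin_domain")
            return result

    # 3. Display-name spoofing: the visible alias names a brand but the address does not.
    for brand in BRAND_DOMAINS:
        if brand in display_compact:
            result.update(brand=brand, verdict="display_name_spoof")
            return result

    return result


def analyze_message(raw):
    """Parse a raw RFC 5322 message and classify its From header."""
    msg = email.message_from_string(raw, policy=policy.default)
    return classify_sender(str(msg["From"]))


# Constructed sample message (not a real phishing email); the alias names PayPal,
# the hidden address is on an unrelated domain.
SAMPLE_MESSAGE = """\
From: "PayPal Security" <firstname.lastname@example.org>
To: user@example.com
Subject: New sign-on to your account
Content-Type: text/plain

We noticed a new sign-on. Log in to review.
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE_MESSAGE)["verdict"])
    for hdr in ("PayPal <service@paypal.co>",
                "Wells Fargo <alerts@wellsfargo.customer-service.example>",
                "PayPal <service@paypal.com>",
                "Alice <alice@example.com>"):
        print(hdr, "->", classify_sender(hdr)["verdict"])
```

The order of the checks matters: an exact brand domain is tested first so that a cousin check never fires on legitimate mail, and the display-name check runs last because a brand name in the alias only becomes suspicious once the address has failed the other two tests.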
Subject line and tone
The object of phishing is to steal account credentials or deliver malware. To do this, phishers need to get victims to log in to the targeted account. A well-crafted subject line is a critical first step in encouraging the desired action.
On the consumer side, phishing emails tend to impersonate banks, social media companies like Facebook and LinkedIn, and popular streaming services like Netflix. To get users to open the emails, subject lines often raise alarms or pique curiosity, such as “New sign-on to your account,” “Suspicious activity detected,” or “Invitation waiting.”
On the business side, users are targeted with phishing emails impersonating vendors they do business with, such as SaaS and cloud companies, and the subject lines are crafted to alert users to issues that could interfere with daily business operations.
Many subject lines alert users that they’re locked out of an important software platform and need to change their password, that an important file is awaiting their review, that they need to sign in to a platform to update payment information, or that their files/messages will be deleted if they don’t respond. Below are a few examples of popular subject lines:
- Account suspended
- New login detected
- Suspicious activity detected
- Please update your information
- Security alert
All the above subject lines are designed to cause alarm: if you’re locked out of critical accounts you can’t do your job; if you don’t review important files you will hold up operations; if you don’t update payment information you could cause important business services to go offline.
Microsoft is one of the bigger targets on the business side. In 2019, Vade Secure detected 55,766 Microsoft phishing URLs. This number represents unique URLs detected, not the total number of emails sent. Phishers often use the same phishing URL more than once—if not dozens of times.
Microsoft phishing emails range from run-of-the-mill password-reset requests to sophisticated Office 365 phishing emails. Below is an example of a recent SharePoint phishing email. This sophisticated attack is a real alert sent directly from a compromised Office 365 account, with the subject line “Shard (sic) File.”
The example below is a fake SharePoint notification generated from a compromised Office 365 account and presented as a message notification. The phisher likely infiltrated Office 365 through a previously undetected phishing campaign:
Most email filters scan for known phishing URLs only in the body of the email. To get around this, phishers often bury the URL in an attachment. The email itself alerts the user that they’ve received an invoice or have been sent an important document that needs review or approval. The phishing URL is in the body text of the document, typically a Word doc or PDF.
Although sandboxing—a technology that quarantines and explores an email before delivery—can scan attachments, most sandboxing technologies are looking for malware within the document, not phishing URLs.
Recently, we have been seeing attachments that are not attachments at all but phishing links styled to look like attachments. When a user clicks on the “attachment” to preview or download it, they are automatically directed to a phishing page, or malware/ransomware is automatically downloaded onto the computer.
Often, attachments that contain phishing URLs are sent via legitimate file-sharing notifications from OneDrive or SharePoint and originating from a compromised Office 365 account. In the example below of Microsoft phishing, the user received a legitimate Microsoft notification that included a clean link to an Excel document. However, the document functioned as a form capable of stealing account credentials.
A phishing link is a URL that directs a user to a phishing page that impersonates a popular brand. Phishing links are hidden behind anchor text with calls to action such as “Sign in,” “View here,” “Click here,” “Preview document,” and “Update account settings.” Hovering over anchor text will reveal a phishing URL, and many savvy email users know this and do check the links. To avoid detection, phishers obfuscate the URL using these techniques:
- URL shorteners: URL shorteners obfuscate URLs by creating aliases—abbreviated versions that look nothing like the original. Using popular and free tools like TinyURL and Bit.ly, phishers shorten phishing URLs to fool both users looking for suspicious URLs and email filters looking for known phishing signatures.
- URL redirects: With a phishing technique known as “time-bombing,” phishers use clean, legitimate URLs in phishing emails and then create redirects to phishing pages after the emails have bypassed filters and been successfully delivered.
- Image-as-text obfuscation: Popular in sextortion emails, this technique uses an image-only email that functions as a link. To the user, the body of the email looks like text, but it is a clickable image hosted on a website (example below).
Filters scanning for malicious links can—and do—overlook them if the email also includes clean links to legitimate webpages. Including legitimate URLs is a practice that’s becoming more common and one that features prominently in the latest phishing emails detected by Vade Secure.
A phishing email that includes legitimate links fools users as much as filters. The more links the email includes, the less likely the user is to check each and every link. Additionally, when an email includes links to helpful resources, such as a support email address, the email appears even more legitimate in the eyes of a user.
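The link-level tells described above (anchor text that shows one host while the href points at another, public URL shorteners, an image that is itself the whole link, and a sprinkling of clean links to dilute the suspicious one) can be pulled out of an HTML body with nothing but the standard library. The following is an added example, not code from the original article or from Vade Secure; the sample HTML and the destination hosts are constructed for the illustration, and the shortener list is a hypothetical starting point rather than a complete one. Time-bombed redirects are deliberately not claimed here: a clean href at delivery time cannot be distinguished statically, which is why the comment points to time-of-click scanning.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public URL shorteners named in the article plus a few other well-known ones (illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Anchor text that itself looks like a URL or a bare www host.
URL_LIKE = re.compile(r"^(https?://|www\.)\S+$", re.I)


class LinkCollector(HTMLParser):
    """Collects every <a> with its href, its visible anchor text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_links(html):
    """Return one finding per link with the list of reasons it looks suspicious (empty = clean)."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        host = host_of(link["href"])
        reasons = []
        if host in SHORTENERS:
            reasons.append("url_shortener")            # alias hides the real destination
        if link["has_img"] and not link["text"]:
            reasons.append("image_only_link")          # image-as-text body that is one big link
        if URL_LIKE.match(link["text"]) and host_of(link["text"]) != host:
            reasons.append("anchor_text_host_mismatch")  # text shows one host, href goes elsewhere
        # Time-bombed redirects are invisible here: the href is clean at delivery and only starts
        # redirecting later, so this static pass must be paired with time-of-click URL scanning.
        findings.append({"href": link["href"], "text": link["text"], "host": host, "reasons": reasons})
    return findings


def summarize(findings):
    """Clean-versus-flagged counts; a high clean count is how legitimate links dilute the lure."""
    flagged = sum(1 for f in findings if f["reasons"])
    return {"total": len(findings), "flagged": flagged, "clean": len(findings) - flagged}


# Constructed sample body: one mismatched link, one shortener, one image-only link, one clean link.
SAMPLE_HTML = """
<p>Your account has been limited.</p>
<p><a href="https://paypal-secure.example.net/login">https://www.paypal.com/signin</a></p>
<p><a href="https://bit.ly/3xAbCdE">Sign in</a> to restore access.</p>
<a href="https://cdn.example.net/click">
  <img src="body.png" alt="">
</a>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>
"""

if __name__ == "__main__":
    results = analyze_links(SAMPLE_HTML)
    for r in results:
        print(r["host"], r["reasons"])
    print(summarize(results))
```

Run against the sample, three of the four links are flagged and the help-center link stays clean, which is exactly the mix the text describes: the clean link buys credibility while the user is steered to one of the other three.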
Brand images, logos, and QR codes
Brand images are easily accessible from Google Images, and phishers insert them into phishing emails to convince users that the email originates from a legitimate brand. High-quality phishing emails are nearly indistinguishable from the real thing, largely because of the look of the email—a direct result of the branding. But, there’s more going on than what is visible to the naked eye.
A known phishing email has a signature that covers its underlying code as well as the phishing URL. Instead of creating a new email for every phishing campaign, phishers obfuscate the signature, typically by randomizing code, but also by modifying images, including logos and other branding.
With only a slight change to the image, whether a change of tone, color, or size, the phishing signature changes. To users, the email looks exactly the same, but underneath it has completely changed—enough to fool email filters that analyze the code rather than the rendering of the image.
QR codes are a common method of evading URL analysis in sextortion emails. As with the example above, simply inserting a new QR code into a known sextortion email is enough to fool a filter looking for a signature or a known phishing URL. Similarly, text-based images, which are essentially screenshots of emails rather than HTML text, are among the class of images used to obfuscate phishing signatures.
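Why a one-pixel tweak or a few bytes of randomized markup defeats a signature, and what analyzing the rendering instead looks like, can be shown in a few lines. This is an added example, not code from the original article or from Vade Secure: the 8x8 gradient standing in for a logo and the two HTML bodies are constructed, and the perceptual hash used is the simple average hash (real implementations downscale the image to 8x8 first and use more robust variants). A byte-exact SHA-256 changes completely after either kind of tweak, while a hash of the rendered content (the pixel pattern a viewer sees, or the text a reader sees) does not move at all.

```python
import hashlib
import re


def sha256_hex(data):
    """Byte-exact signature, the kind that breaks on any change at all."""
    return hashlib.sha256(data).hexdigest()


def image_bytes(pixels):
    """Serialize an 8-bit grayscale image (list of rows) to raw bytes, as a filter would hash it."""
    return bytes(p for row in pixels for p in row)


def average_hash(pixels):
    """Perceptual 'average hash': one bit per pixel, set when the pixel is brighter than the mean.
    Real implementations first downscale to 8x8; the constructed sample is already 8x8."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return "".join("1" if p > mean else "0" for p in flat)


def hamming(a, b):
    """Number of differing bits between two hash strings; small means 'looks the same'."""
    return sum(x != y for x, y in zip(a, b))


def tweak(pixels, row, col, delta):
    """Return a copy with a single pixel nudged by delta: the 'slight change of tone'."""
    out = [list(r) for r in pixels]
    out[row][col] = max(0, min(255, out[row][col] + delta))
    return out


def visible_text(html):
    """Strip comments, tags and attribute noise so only what the reader would see remains."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    html = re.sub(r"<[^>]+>", " ", html)
    return " ".join(html.split()).lower()


def rendered_signature(html):
    """Signature over the rendered text rather than the randomized markup."""
    return sha256_hex(visible_text(html).encode("utf-8"))


# Constructed 8x8 gradient standing in for a brand logo, and the same logo with one pixel tweaked.
ORIGINAL_LOGO = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]
TWEAKED_LOGO = tweak(ORIGINAL_LOGO, 0, 0, 3)

# Constructed email bodies: identical rendered text, randomized comments and attributes.
HTML_A = '<p>Your <b>PayPal</b> account is limited. <a href="https://example.net/x">Sign in</a></p>'
HTML_B = ('<!-- 8f3a1c --><p class="k91"  style="margin:0">Your <b >PayPal</b> account is limited. '
          '<a  href="https://example.net/x">Sign in</a></p><!-- 77e0 -->')

if __name__ == "__main__":
    print("byte hash changed:", sha256_hex(image_bytes(ORIGINAL_LOGO)) != sha256_hex(image_bytes(TWEAKED_LOGO)))
    print("perceptual distance:", hamming(average_hash(ORIGINAL_LOGO), average_hash(TWEAKED_LOGO)))
    print("markup hash changed:", sha256_hex(HTML_A.encode()) != sha256_hex(HTML_B.encode()))
    print("rendered signature equal:", rendered_signature(HTML_A) == rendered_signature(HTML_B))
```

The same idea extends to the QR-code case: a filter that only hashes the image bytes sees a brand-new email each time a fresh code is pasted in, whereas decoding the code and scanning the URL it carries, or comparing perceptual hashes of the surrounding image, keeps the campaign recognizable.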
Protecting yourself from phishing
Training is critical to phishing protection, but anti-phishing technology is non-negotiable. Email providers like Gmail have built-in anti-phishing technology that does a fine job of blocking phishing emails for consumers. However, businesses using platforms like Office 365 need more than the built-in security provided by Microsoft, which is known to be weak on phishing. Below are just a few steps you can take to avoid getting phished:
- Hover over links: Always hover over the URL in an email to ensure it leads to a safe landing page. Obfuscation techniques can mask the real URL, so if you’re unsure about a link, do not click on it.
- Don’t log in to critical apps from email: Any notification sent via email will also exist inside the application. If you’re suspicious about an email alert, log in to the application in your browser to ensure the request/demand is legitimate.
- Invest in user training: Users should be trained on a regular basis to spot the latest phishing attacks and techniques. Optimally, users should be retrained if and when they click on a phishing email to ensure the training is fresh on the mind.