Nearly one in two phishing attacks are polymorphic, according to research by IRONSCALES. The self-proclaimed world's first automated phishing prevention, detection and response platform identified 11,733 email phishing attacks that underwent at least one permutation over 12 months, with 52,825 permutations impacting 209,807 inboxes across the world.
Polymorphism occurs when an attacker implements slight but significant and often random changes to an email, such as its content, copy, subject line, sender name or template, in conjunction with or after an initial attack has deployed. This approach means that attackers can quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats, ultimately allowing different versions of the same attack to land undetected in employee inboxes.
This brings extra complexities to security teams who try to defend against polymorphic phishing attacks. According to IRONSCALES, thee attacks remain one of the "most time-consuming and burdensome tasks," especially as phishing kits can be inexpensive on the dark web. Currently, decentralized and distributed intelligence, coupled with non-signature-based email security tools that use artificial intelligence and machine learning to cluster similar attacks together, has proven most successful at mitigating polymorphic email phishing threats.
“Polymorphic email phishing threats represent an incredibly difficult challenge for SOC and IT security teams to overcome,” said Eyal Benishti, founder and CEO, IRONSCALES. “Just as security personnel think that they may have a phishing threat under control, attackers can augment the artifacts to give the message an entirely new signature, thereby enabling what is for all intents and purposes the same malicious message to bypass the same human and technical controls that might have stopped a previous version of the attack.”
These findings come weeks after the company found that secure email gateways (SEGs) failed to stop 99.5% of all non-trivial email spoofing attacks.
A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, bypassing SEG technology on a regular basis.
The most common email spoofing attack techniques to bypass SEGs include:
- Exact sender name impersonations (73.5%): When an email is sent masquerading as coming from a trusted source, such as a colleague. Example: SteveJobs@techcompanyxyz.com
- Similar sender name impersonations (24%): When an email is sent masquerading as coming from a trusted source, such as a colleague, with minor obfuscations. Example: SteveJabs@techcompanyxyz.com
- Lookalike/cousin domain spoofing (2%): When an email is sent from a similar domain, in which attackers register the domain to set the right authentication records in the DNS. Example: SteveJobs@aapple.com
- Exact domain spoofs (0.5%). When an email is sent from a fraudulent domain that matches exactly to the spoofed brand’s domain. Example: SteveJobs@apple.com