I’m Expecting this email: Phishing become sophisticated

Carmine J. Corridore

Carmine J. Corridore

Carmine Corridore is a seasoned professional in the I.T. industry with over 30 years of experience. He has held various positions from field tech, team lead, service manager, project manager, and Director of I.T. Currently, he serves as the Client Facing Chief Strategy Officer and President of Underdog Cyber Defense. Carmine is a Rotarian and serves on the local chamber board and several committees. Carmine believes in giving back to the community, and he accomplishes that through donations and sourcing local talent and goods. Carmine is Credentialed and Certified in Cybersecurity.

Book a 15 Minute Strategy Session

I’m expecting this email” was the message we received for an email restore request.

Let me explain to give you a better context. Cybersecurity is about layers; no single solution will stop a cyber attack. A recent article says that phishing emails initiate 90% of all cyber-attacks. An advanced email protection system is one of the layers we have in place. Using AI and machine learning algorithms, it checks every message coming in. If it believes it to be malicious, the workflow quarantines it and sends the end user a message similar to this one.

Request to Restore

If the user believes the message to be legitimate, they will ask for it to be released. Our team will then receive the request. From there, we will review the message and the analytic data. Often, we will sandbox it and open the email to see what will happen if we go through the process. Below is the Anatomy of a quarantined message and the steps we take to confirm its legitimacy.

Reason for Detection

The first step is discovering why the system marked the message as malicious. In this case, there were several “red flags.” These will aid us in our investigation. Some key characteristics will tell us whether this is a pause for further investigation or a false positive.

  • Non-Acii characters: Ascii characters are universal for electronic communication. Using similar non-ASCII characters helps disguise domain names as legit domains you would recognize. To the human eye, it’s almost indistinguishable.
  • Credential Harvesting is the method a cybercriminal will use to redirect you to a website that looks familiar to you, only to get you to type in your credentials. Then, use those credentials to further a cyber attack.
  • Sender Reputation: Is this the first time this person has communicated with anyone in your organization

How far did your email travel?

It is pretty fascinating to look at this map when analyzing an email. In a digitially connected world it is possible that your emails can come from anywhere. The longer we do this, the better we get at spotting patterns and knowing what is normal.

For instance, 99.99% of our clients’ emails originate from the top left quadrant of this map. This is where Redmond, Washington, is home to Microsoft Data Centers. They generally will end up where the end-user receives the message.

However, in our example, the message originated from England. While that by itself doesn’t disqualify the message from being legit, it allows us to ask further questions like, “Where does your lawyer live?”

Sometimes, on this map, we will see an envelope in red. That indicates the sender was using a VPN, which means there is a better-than-average chance it is a malicious email.

Now, it is time to play in the sandbox.

Usually, our above analysis allows us to conclude whether the email is legit or not, but in this particular case, we still were unsure, so we dived a bit deeper and sandboxed the message.

Sandbox is a term for a safe place to explore without the risk of damage. In other words, we can open this message in a sandbox, and it is protected from executing any malware that might be in it.

In this instance, the analyst clicked on the links supplied in the email to follow its path to see what the result would look like

Another flag we noticed is that although the message seems to come from a legitimate source, the link that is used to imitate the encryption company is for a real estate site.
f you are expecting an email from this lawyer, we suggest that you reach out to them via phone.

We are not afraid to say No!

From our time in the sandbox, we have learned that this message is legitimately a malicious email. We must let the end user know we are denying the request to restore.

I am a firm believer in giving people the “WHY”. It would be easy for my team to reply and say we are not restoring this email. But that may leave a taste of resentment and anger like “How are they not to allow me to have that message? It’s my lawyer, and they expect my response. It belongs to me.”

So, instead, my team is instructed to respond with an explanation and sources for our findings. It’s hard to tell the CEO of your largest client ‘NO,’ but it’s easier to follow up with why it’s ‘NO.

At the end of the day, Our job is sometimes to save people from themselves.

Want to know more about our Process click here to book an appointment

author avatar
Carmine Corridore

Monroe County, Pennsylvania (PA)

Analomink – Appenzell – Arlington Heights – Arrowhead Lake – Barton Glen – Bartonsville – Blakeslee – Blakeslee Estates – Blue Mountain Pines – Bossardsville – Brainerd Center – Briar Crest Woods – Brodheadsville – Buck Hill Falls – Camelot Forest – Canadensis – Castle Garden – Castle Rock Acres – Chestnuthill Township – Coolbaugh – Coolbaugh Township – Coveville – Craigs Meadow – Crescent Lake – Cresco – Delaware Water Gap – Dotters Corners – East Stroudsburg – East Swiftwater – Easton Anglers – Echo Lake – Effort – El-Do Lake – Eldred Township – Emerald Lakes – Fernridge – Fiddletown – Forest Glen – Foxtown Hill – Frutchey – Gilbert – Gravel Place – Hamilton Square – Hamilton Township – Henryville – Indian Mountain Lake – Jackson – Jackson Township – Jonas – Kahkhout Mountain – Kellersville – Kemmererville – Kingswood Estates – Kresgeville – Kunkletown – Lake Naomi Estates – Little Summit – Locust Lakes Village – Long Pond – Lower Tannersville – Marshalls Creek – McIlhaney – McMichael – Mechanicsville – Meisertown – Merwinsburg – Middle Smithfield Township – Minisink Hills – Monroe Lake – Monroe Township – Mount Pocono – Mount Zion – Mountain Top Estates – Mountainhome – Mushroom Farms – Neola – North Water Gap – Oak Grove – Paradise Crossing – Paradise Township – Paradise Valley – Parkside – Penn Estates – Pleasant Valley Estates – Pleasant View Lake – Pocono Country Place – Pocono Farms East – Pocono Heights – Pocono Lake – Pocono Laurel Lake – Pocono Manor – Pocono Pines – Pocono Playhouse – Pocono Summit – Pocono Summit Estates – Pocono Township – Polk Township – Poplar Bridge – Pocono Township – Price Township – Preserve – Red Ledge Manor Estates – Reeders – Resica Falls – Robin Hood Lakes – Ross Common – Ross Township – Rossland – Sandhill – Saylorsburg – Sciota – Scotrun – Shawnee on Delaware – Shoemakers – Sierra View – Ski Haven Lake Estates – Skytop – Smith Gap – Smithfield Township – Snow Hill Falls – Snydersville – Spruce Hill – Stillwater Lake Estates – Stillwater Lakes – Stormville – Stroud Township – Stroudsburg – Sun Valley – Swiftwater – Tannersville – Tobyhanna – Tobyhanna Township – Tunkhannock Township – Turn Villa – Wagners – Wagners Forest Park – Warnertown – Weir Lake – Wigwam Lake Estates – Wilderness Acres – Winona Lakes – Wiscasset – Wooddale.

Alburtis – Allen Junction – Alton Park – Allentown – Ancient Oaks – Arlington Knolls – Balliettsville – Best Station – Bethlehem – Bittners Corner – Breinigsville – Bungalow Park – Catasauqua – Cedarbrook County Home – Cementon – Center Valley – Centreville – Chapman – Chestnut Hill – Claussville – Coffeetown – Colesville – Coplay – Corning – Crackersport – Custer – DeSales University – Dewey Heights – Diebertsville – Dillingerville – Dorneyville – East Allentown – East Fogelsville – East Texas – Egypt – Emerald – Emmaus – Emmaus Junction – Evergreen Park – Farmington – Fogelsville – Fountain Hill – Friedens – Friedensville – Fullerton – Gauff Hill – Germansville – Greenawalds – Griesemersville – Guth – Guthsville – Haafsville – Haines – Hanover Acres – Hawktown – Helfrichsville – Hensingersville – Hillside – Hilltown – Hokendauqua – Home Park – Hosensack – Hynemansville – Ironton – Jacksonville – Jordan Valley – Juniper Circle – Kaywin – Kernsville – Krassdale – Krocksville – Kuhnsville – Lanark – Laurys Station – Leather Corner Post – Lehigh Furnace – Lehigh Gap – Limeport – Litzenberg – Lochland – Lockridge – Locust Valley – Lynnport – Lynnville – Lyon Valley – Macungie – Mechanicsville – Metamora Station – Meyersville – Mickleys – Mickleys Gardens – Midway Manor – Milford Park – Minesite – Mosserville – Mountainville – Neffs – New Smithville – New Tripoli – Newhard – Newside – Newtown – North Coplay – North Fogelsville – Notre Dame Hills – Old Zionsville – Orefield – Ormrod – Overlook Springs – Park Way Manor – Parkside Courts – Peters Store – Pleasant Corners – Powder Valley – Raberts Corner – Raubs Mills – Rextown – Rising Sun – Ritterville – River View – Rockdale – Rosemont Terrace – Ruchsville – Ruppsville – Saegersville – Saucon Valley – Saucon Valley Terrace – Scheidy – Scherersville – Schnecksville – Schneidersville – Seiberlingville – Seiple – Seipstown – Shankweilers – Shimerville – Sigmund – Slateville – Slatedale – Slatington – Spring Creek – Steinsville – Sterlingworth – Stetlersville – Stiles – Stines Corner – Summit Lawn – Switzer – Trexlertown – Trout Creek – Unionville – Vera Cruz – Vera Cruz Station – Walbert – Waldheim Park – Wanamakers – Weidasville – Weilersville – Weisenberg – Wellington – Welshtown – Wennersville – Werleys Corner – Wescosville – West Catasauqua – Westwood Heights – Wilbur – Williamstown – Woodlawn – Zionsville

more insights

Book a 15-Minute Strategy Session!

Are you ready to take the next step toward your business’s cyber security? Contact us today with any questions you might have or to request a no-hassle strategy session — we’re ready to fight for you!

New Look. New Name. New Focus.

Underdog Cyber Defense, formerly know as Underdog Computer and Network Solutions LLC., has rebranded to communicate that we are now focusing our exceptional IT and network capabilities on the vast challenges associated with Cyber Security.