Email threats are among the most common types of attacks encountered by Security Operations Center (SOC) analysts, and they often occur multiple times during a working shift. Moreover, malicious emails are often the first step in an attacker’s attempt to gain access to a target environment. Given the increase in these types of threats, SOC analysts and cyber investigators must understand attackers’ techniques to initiate attacks via email and how to investigate and respond to email threats.
The objective of this chapter is to learn why attackers prefer phishing emails to gain initial access, the most common email threats, the most common techniques by attackers to evade detection and trick the victim, how to analyze email secure gateway logs, and how to investigate suspicious emails. In this chapter, we will cover the following main topics:
- Top infection vectors
- Why attackers prefer phishing emails to gain initial access
- Email threat types
- Attackers’ techniques to evade email security detection
- Social engineering techniques to trick the victim
- The anatomy of secure email gateway logs
- Investigating suspicious emails
Let’s get started!
Top infection vectors
In the cyberattack chain, once an attacker has conducted reconnaissance against the target victim’s environment and infrastructure, and prepared the necessary weapons and equipment, the next step is
to determine their preferred method and technique to gain initial access to the victim’s environment. Attackers have several techniques at their disposal to gain initial access, including sending phishing emails, exploiting public-facing applications, luring users to visit a compromised website through drive-by compromise, and stealing valid remote credentials such as a VPN or RDP. Understanding the various techniques attackers use to gain initial access is crucial for security professionals to identify and prevent attacks before they can cause damage.
As per the IBM Security X-Force report, 41% of the attackers prefer phishing techniques to gain initial access to the victim’s environment, either by sending a weaponized document or a malicious link to the target victims (see Figure 1.1).