Defending Against Persistent Phishing: A Real-World Case Study

By Eynan Lichterman
June 02, 2024 | 2 MIN READ

One of the scariest acronyms in a CISO's vocabulary is APT, Advanced Persistent Threat. The term refers to an adversary who is determined to harm you and has the means to do so in sophisticated ways. A colleague once taught me that the real threat isn't the adversary's advanced tooling but their persistence: they will keep trying over time, using different methods, collecting information and exploiting multiple technical and human vulnerabilities. It is truly frightening.

One of our customers has been suffering a persistent phishing attack for the last few months. An unknown attacker consistently targets the organization and its employees with semi-targeted phishing emails. You might think this is just another day at the office, but the situation is unusual: the attacker sends emails to a fixed subset of employees and rotates through that group over time, so every few weeks some of them receive similar phishing emails. The attacker doesn't give up; they are clearly relentless.

The phishing emails themselves are not especially sophisticated. The attacker uses the company name to semi-target the employees, usually posing as the HR department and occasionally as the IT team. Each email addresses the employee by name and typically carries a link as the payload. The emails create a medium level of urgency, but we have yet to see other social engineering techniques such as temptation or threats.

Several telltale signs indicate these emails are phishing attempts:

I assume you get the picture. Of course, our first step was to block the sender addresses, but the attacker changed them with each batch of emails. The domains used were legitimate and had no phishing reputation, and the email text was changed slightly with each batch.

We reported the addresses and added the Indicators of Compromise (IOCs) to the customer's protection mechanisms, but the emails kept coming through. Sender addresses and domains are indicators the attacker can rotate at almost no cost, which is why blocking them bought so little. My takeaway: we rely on technology for defense, but every tool has its limitations, and the most adaptable defense mechanism is human awareness. Employees who can identify and report phishing attempts are our best line of defense.
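The sender-based blocking described above fails because the attacker rotates exactly the indicators being blocked. One thing that does stay stable across the batches is the template: company name, HR or IT pretext, the employee's name, a link and mild urgency, with only minor wording changes. The script below is an added example (it is not code from the original post, nor the customer's or the author's tooling) that fingerprints the message template instead of the sender: it normalizes the body (URLs, the recipient's name and numbers become placeholders), builds word trigram shingles and flags a new message when its Jaccard similarity to a known campaign sample crosses a threshold, or when it stacks the campaign's structural traits. The corporate domain, the threshold and all messages are assumptions constructed for the example.

```python
"""Campaign fingerprinting for phishing that rotates senders and domains.

Added example, not the original post's code. All messages below are
constructed; the corporate domain and threshold are assumptions.
"""
import re
from typing import Dict, List, Set

CORP_DOMAIN = "example.com"      # assumption: the customer's mail domain
SIMILARITY_THRESHOLD = 0.4       # assumption: tuned on the batches seen so far
NGRAM = 3

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
NUM_RE = re.compile(r"\d+")
NONWORD_RE = re.compile(r"[^a-z<> ]+")
URGENCY_WORDS = {"urgent", "immediately", "today", "within", "deadline", "asap", "expire", "expires"}
ROLE_PHRASES = ("hr department", "hr team", "human resources", "it team",
                "it department", "it support", "helpdesk", "service desk")
# Traits the campaign shows in every batch; all three together flag a message
# even when the wording has drifted too far for the similarity check.
STRUCTURAL_RULE = {"impersonates_hr_or_it", "contains_link", "external_sender"}


def normalize(body: str, recipient_name: str = "") -> List[str]:
    """Lowercase the body, replace the parts that change per batch
    (URL, recipient name, numbers) with placeholders, and tokenize."""
    text = URL_RE.sub(" <url> ", body.lower())
    if recipient_name:
        text = re.sub(r"\b" + re.escape(recipient_name.lower()) + r"\b", " <name> ", text)
    text = NUM_RE.sub(" <num> ", text)
    text = NONWORD_RE.sub(" ", text)
    return text.split()


def shingles(tokens: List[str], n: int = NGRAM) -> Set[str]:
    """Word n-gram shingles; a body shorter than n words still yields one shingle."""
    if len(tokens) < n:
        return {" ".join(tokens)} if tokens else set()
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def structural_signals(msg: Dict[str, str]) -> List[str]:
    """Sender-independent traits: HR/IT pretext, link payload, urgency, external sender."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    words = set(re.findall(r"[a-z]+", text))
    signals = []
    if "hr" in words or any(p in text for p in ROLE_PHRASES):
        signals.append("impersonates_hr_or_it")
    if URL_RE.search(msg["body"]):
        signals.append("contains_link")
    if words & URGENCY_WORDS:
        signals.append("urgency")
    if msg["from"].rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
        signals.append("external_sender")
    return signals


def score(msg: Dict[str, str], known_campaign: List[Dict[str, str]]) -> Dict[str, object]:
    """Similarity to the closest known sample plus the structural rule."""
    sh = shingles(normalize(msg["body"], msg.get("recipient_name", "")))
    similarity = max(
        (jaccard(sh, shingles(normalize(k["body"], k.get("recipient_name", ""))))
         for k in known_campaign),
        default=0.0,
    )
    signals = structural_signals(msg)
    flagged = similarity >= SIMILARITY_THRESHOLD or STRUCTURAL_RULE <= set(signals)
    return {"similarity": round(similarity, 2), "signals": signals, "flagged": flagged}


def scan(messages: List[Dict[str, str]], known_campaign: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [score(m, known_campaign) for m in messages]


# Constructed sample: one reported message from an earlier batch.
KNOWN_CAMPAIGN = [{
    "from": "hr-notice@firstbatchdomain.net", "recipient_name": "Dana",
    "subject": "Example Corp HR: updated benefits policy",
    "body": "Hi Dana, the Example Corp HR department has updated the benefits policy. "
            "Please review and confirm within 2 days at https://firstbatchdomain.net/hr/confirm. Thanks, HR Team",
}]

# Constructed sample: the next batch (new sender, new name, slightly reworded),
# a legitimate internal notice, and an IT-pretext variant with different wording.
NEW_MESSAGES = [
    {"from": "hr@secondbatchdomain.org", "recipient_name": "Lee",
     "subject": "Example Corp HR: benefits policy update",
     "body": "Hello Lee, the Example Corp HR department has updated the benefits policy. "
             "Kindly review and confirm within 3 days at https://secondbatchdomain.org/hr/confirm. Regards, HR Team"},
    {"from": "facilities@example.com", "recipient_name": "Dana",
     "subject": "Parking lot closure Friday",
     "body": "Hi Dana, the north parking lot will be closed on Friday for repaving. Please use the east lot. Thanks, Facilities"},
    {"from": "it-support@thirdbatchdomain.com", "recipient_name": "Sam",
     "subject": "Example Corp IT team: password expires today",
     "body": "Sam, your Example Corp password expires today. Reset it immediately at "
             "https://thirdbatchdomain.com/reset to avoid losing access. IT Team"},
]

if __name__ == "__main__":
    for msg, result in zip(NEW_MESSAGES, scan(NEW_MESSAGES, KNOWN_CAMPAIGN)):
        print(msg["from"], result)
```

The rotated-sender batch is caught twice over (template similarity and the structural rule), the internal notice is left alone, and the IT-pretext variant, whose text shares nothing with the known sample, is still flagged by the structural rule. In production the known-campaign list is fed from employee reports, which is the loop the post argues for: awareness produces the samples the tooling matches on.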

Here’s what we did to enhance this awareness:

We would be happy to hear new ideas. Reach out to build your employees' readiness against persistent phishing. Contact us today.