Anatomy of a Phishing Email

This post was originally published in Nov 2019 and has been updated with new content.

Recognizing a phishing email isn’t as easy as it used to be. From clean, error-free text to sharp brand logos and images, the new attacks are highly successful at fooling both savvy users and advanced email filters. What are phishers doing differently? Everything—from the sender’s address to the footer.

To help you spot a scam, we’ll break down both what you see and what you don’t—the body text and the underlying code. The below includes real phishing email examples discovered by Vade.

Sender’s address

The hallmark of phishing is brand impersonation. Hackers use email spoofing to create fake email addresses that look like they were sent from legitimate ones. With email spoofing, the sender’s name is visible, but the email address is sometimes hidden.

In a PayPal phishing email, for example, the visible alias might be “PayPal Security,” but the hidden email address is “no-reply-support-team_._@ewrtdrf.com.” The hope is that the recipient will not expand the sender’s name to check the email address—many people don’t, especially on mobile devices.

A cousin domain is a more sophisticated form of spoofing in which the sender’s address looks identical to a brand email address but has been obfuscated. One way of creating a cousin domain is adding or subtracting a letter from the email address or adding an extension, such as .co, .global, and .ae.

Below is an example of a Wells Fargo scam discovered by Vade. It features a cousin domain with a long extension, spoofing the Wells Fargo customer service email address:

Wells Fargo phishing
Wells Fargo phishing email

Domain spoofing is an email address that is the same as a legitimate domain, such as bofa.com (Bank of America). Domain spoofing is on the decline, thankfully, due to Domain Keys Identified Email (DKIM) and the Sender Policy Framework (SPF). Each identifies unauthorized use of domain names and effectively blocks any email that features domain spoofing.

[Related] Take the Phishing IQ Test to assess your phishing awareness

Subject line and tone

The object of phishing is to steal account credentials or deliver malware. To do this, phishers need to get victims to log in to the targeted account. A well-crafted subject line is a critical first step in encouraging the desired action.

On the consumer side, the emails tend to impersonate banks, social media companies like Facebook and LinkedIn, and popular streaming services like Netflix. To get a users to open a phishing email, the subject line often raisees alarms or piques curiosity, such as “New sign-on to your account,” “Suspicious activity detected,” or “Invitation waiting.”

On the business side, users are targeted with fake emails from vendors they do business with, such as SaaS and cloud companies. On the corporate side, subject lines are crafted to alert users to issues that could interfere with daily business operations.

Many subject lines alert users that they’re locked out of an important software platform and need to change their password or that an important file is awaiting their review. Below are a few examples of popular subject lines:

  • Account suspended
  • New login detected
  • Suspicious activity detected
  • Please update your information
  • Security alert

SunTrust phishing
Sun Trust fake verification

All the above subject lines are designed to cause alarm. Hackers also use event-based subject lines to get attention. In these emails, hackers capitalize on a well-known current event to exploit fears and anxieties. We saw this in 2020 with a surge of emails impersonating government agencies during the global pandemic.

COVID-19-themed phishing
COVID-19-themed phishing

Microsoft is one of the bigger targets on the business side. Microsoft phishing emails range from run-of-the-mill password-reset requests to sophisticated attacks. Below is a recent SharePoint example. This sophisticated attack is a real alert sent directly from a compromised Microsoft 365 account, with the subject line “Shard (sic) File.”

SharePoint phishing
Fake SharePoint notification

The below example is a fake SharePoint notification generated from a compromised account and displaying a message notification. The phisher likely infiltrated Microsoft 365 through a previously undetected phishing campaign:

SharePoint phishing

Attachments

Most email filters scan for known phishing URLs only in the body of the email. To get around this, hackers often bury the URL in an attachment. The email itself alerts the user that they’ve received an invoice or have been sent an important document that needs review or approval. The phishing URL is in the body text of the document, typically a Word doc or PDF.

Attachments

Although sandboxing—a technology that quarantines and explores an email for before delivery—can scan attachments, most sandboxing technologies are looking for malware within the document, not phishing URLs.

Recently, we’re seeing attachments that are not attachments but phishing links that look like attachments. When a user clicks on the attachment to preview or download it, they’re automatically directed to a phishing page or malware/ransomware is automatically downloaded onto the computer.

.ZIP files with hidden URLs and viruses are emerging as an effective—and problematic—method of delivering dangerous payloads. Emotet gangs in particular are fond of .ZIP files. In late 2020, cybercriminal gangs sent mass waves of malspam with Emotet malware hidden in password-protected .ZIP files.

Links

Phishing email links

A phishing link is a URL that directs a user to a web page that impersonates a popular brand. URLs are hidden behind anchor text with calls to action such as “Sign in,” “View here,” “Click here,” “Preview document,” and “Update account settings.” Hovering over anchor text will reveal a phishing URL, and many savvy email users know this and do check the links. To avoid detection, phishers obfuscate the URL using these techniques:

  • URL shorteners: URL shorteners obfuscate URLs by creating aliases—abbreviated versions that look nothing like the original. Using popular and free tools like TinyURL and Bit.ly, phishers shorten phishing URLs to fool both users looking for suspicious URLs and email filters looking for known signatures.
  • URL redirects: With a technique known as “time-bombing,” phishers use clean, legitimate URLs in the emails and then create redirects to phishing pages after the emails have bypassed filters and been successfully delivered.
  • Text-based image obfuscation: Popular in sextortion emails, image-as-text obfuscation is an image-only email that functions as a link. To a user, the body of the email looks like text, but it’s a clickable image hosted on a website (example below).

Phishing links

Legitimate links

Filters scanning for malicious links can—and do—overlook them if the email also includes clean links to legitimate webpages. Including legitimate URLs is a practice that’s becoming more common and one that features prominently in the latest threats detected by Vade.

A phishing email that includes legitimate links fools users as much as filters. The more links the email includes, the less likely the user is to check each and every link. Additionally, when an email includes links to helpful resources, such as a support email address, the email appears even more legitimate in the eyes of a user.

Legitimate links

Brand images, logos, and QR codes

Brand images are easily accessible from Google Images, and phishers insert them into emails to convince users that the email originates from a legitimate brand. High-quality scam emails are nearly indistinguishable from the real thing, largely because of the look of the email—a direct result of the branding. But, there’s more going on than what is visible to the naked eye.

A known phishing email has a signature, including the underlying code, as well as the URL. Instead of creating a new email for every campaign, phishers obfuscate the signature, typically by randomizing code, but also by modifying images, including logos and other branding.

With only a slight change to the image, whether a change of tone, color, or size, the signature changes. To users, the email looks exactly the same, but underneath, it has completely changed— enough to fool email filters that analyze code rather than the rendering of the image.

QR codes are a common method of evading URL analysis in sextortion emails. As with the example above, simply inserting a new QR code into a known sextortion email is enough to fool a filter looking for a signature or a known phishing URL. Similarly, text-based images, which are essentially screenshots of emails, rather than HTML text, are among the class of images used to obfuscate signatures. 

Protecting yourself from phishing 

Training is critical to protection, but anti-phishing technology is non-negotiable. Below are just a few steps you can take to avoid getting phished:

  • Hover over links:  Always hover over the URL in an email to ensure it leads to a safe landing page. Obfuscation techniques can mask the real URL, so if you’re unsure about a link, do not click on it.
  • Don’t log in to critical apps from email: Any notification sent via email will also exist inside the application. If you’re suspicious about an email alert, log in to the application in your browser to ensure the request/demand is legitimate.
  • Invest in phishing email awareness training: Users should be trained on a regular basis to spot the latest attacks and techniques. Optimally, users should be retrained if and when they click on dangerous emails to ensure the training is fresh on the mind.

 

Discover the most impersonated brands in phishing attacks and the phishing trends that defined 2020.

 

Learn more