Your Amazon.co.uk order (#-205-9699275-2499574) has been dispatched
Amazon.co.uk
joe.bloggs@egress.com
Mon 1/17/2022 12:41 PM
Welcome to the Egress Defend User Experience!
In this interactive tour, experience Egress Defend within the inbox to see how we analyze email content, sender-recipient relationships, and other aspects to identify email threat and reduce human activated risk. Click the tool tips and highlighted elements throughout to get more detail.
Inbox:
12:41 PM | Amazon UK | Hello, we thought you'd like to know that we've
11:38 AM | Alice Doe | Hi Joe, It's Alice, I'm stuck in the car without my work
10:17 AM | DHL | Your shipment failed delivery Hello customer, Your DHL
9:52 AM | Hacker@yourlifeisruined.co.uk | Dear Joe I am a hacker for fire, and I would like you to be made
8:41 AM | RE: URGENT: Invoice for proc... | Dan, I'm stuck in a meeting right now. There's a pending
8:20 AM | Remittance Details | Hello Joe, Please see the attachment remittance for
7:32 AM | New Message In Teams | Hi joe.bloggs@egressdefend.com
Click the emails to see how Egress Defend compares suspicious email components with normal email behaviors to detect anomalies that are indicative of an attack.
The sender address appears to be legitimate, but attackers can set any display name and a different Reply-To address, so that replies go to a mailbox they control rather than to the apparent sender. Always check the 'Reply-To' field. In this case, the reply-to is .
Emails that contain financial information are treated with caution, even for existing relationships. Since there also appears to be impersonation, this email is high risk.
Welcome to the Egress Defend interactive demo!
In this interactive demo, explore how Egress Defend works within the Egress Security Center to reduce the risk of human error and data exfiltration, and see how Egress analyzes email content. Click the tool tips and highlighted elements throughout to get more detail.
Click the emails in the inbox to see how Egress Defend detects attacks early in the kill chain by learning normal email behaviors to detect anomalies that are indicative of an attack.
This URL could be malicious now, or it could be a legitimate link that is redirected to a malicious site after delivery. Link analysis is performed both at time of receipt and at time of click, which protects against delayed, post-delivery weaponization (a link that scans clean on arrival and is only pointed at a malicious site later).
When a user clicks on the contextual, color-coded warning banner at the point of risk, Egress provides a real-time teachable moment that reinforces awareness training.
fail
First time sender
*****@outlook.com
Full Security - all of the authentication checks have passed, and the email was sent from the account that claims to have sent it.
Basic Security - the sender is allowed to send on behalf of the domain (the SPF check) and the email has not been modified in transit (the DKIM check), but the stronger alignment check has not passed.
No Security - the sender has not set up any authentication on their domain, so we are unable to verify which account actually sent the email.
To determine the level of contact with each email sender we track the number of conversations between you both:
First time sender - this is the first time you have received email from this sender.
Received a small number of emails - you have only received a small number of emails from the sender.
Moderate contact - you have received a moderate number of emails from the sender, or have had a short two-way conversation.
Significant 2 way conversation - you and the sender have exchanged emails with each other a number of times.
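As an added illustration of the two banner values above (this is example code written for this page, not Egress Defend's own logic), the script below reads the Authentication-Results header of a raw message and maps it onto the three security levels, and buckets the sender history into the four contact levels. The mapping of "Full", "Basic" and "No Security" onto SPF, DKIM and DMARC results, the contact thresholds, the sample messages and the HISTORY table are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping from the banner's three levels to the standard checks; the page
# itself does not name the protocols, so this is an interpretation for the example:
#   Full Security  -> SPF, DKIM and DMARC all pass (DMARC alignment ties the result
#                     to the visible From domain)
#   Basic Security -> SPF pass (sender permitted for the domain) and DKIM pass
#                     (message unmodified in transit), but no DMARC pass
#   No Security    -> anything less, including checks that are absent or failing
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header_values):
    """Collapse one or more Authentication-Results headers into {method: result}."""
    results = {}
    for value in header_values:
        for method, result in AUTH_RESULT.findall(value):
            # The first (outermost) header wins; results stamped by inner hops are ignored.
            results.setdefault(method.lower(), result.lower())
    return results


def security_level(results):
    spf, dkim, dmarc = (results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if spf and dkim and dmarc:
        return "Full Security"
    if spf and dkim:
        return "Basic Security"
    return "No Security"


def contact_level(received, sent):
    """Bucket the history with a sender as the banner describes it.

    `received` counts earlier mails from the sender (not the one being analyzed) and
    `sent` counts replies to them; the thresholds are assumptions for this example."""
    if received == 0:
        return "First time sender"
    if min(received, sent) >= 3:
        return "Significant 2 way conversation"
    if received >= 5 or sent >= 1:
        return "Moderate contact"
    return "Received a small number of emails"


def analyze(raw_message, history):
    """Return the two banner values for a raw RFC 5322 message.

    `history` maps a lower-cased sender address to (received, sent) counts."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    received, sent = history.get(addr, (0, 0))
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))
    return {"authentication": security_level(auth), "contact": contact_level(received, sent)}


# Constructed sample: an order notification with all three checks passing ...
GENUINE = """From: Shop Orders <orders@shop.example>
To: joe.bloggs@egress.com
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=shop.example;
 dkim=pass header.d=shop.example; dmarc=pass header.from=shop.example
Subject: Your order has been dispatched

Hello, we thought you'd like to know that we've dispatched your order.
"""

# ... and a first-time sender whose domain publishes nothing, so nothing can pass.
UNVERIFIED = """From: Tony Pepper <tonypepper1@outlook.example>
To: joe.bloggs@egress.com
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=outlook.example; dkim=none
Subject: RE: URGENT: Invoice for processing

Dan, I'm stuck in a meeting right now. There's a pending invoice.
"""

# Constructed history: twelve notifications from the shop, never replied to.
HISTORY = {"orders@shop.example": (12, 0)}

if __name__ == "__main__":
    print(analyze(GENUINE, HISTORY))     # Full Security / Moderate contact
    print(analyze(UNVERIFIED, HISTORY))  # No Security / First time sender
```

Only the outermost Authentication-Results header is trusted because any header further down could have been added by the sender; a production gateway would additionally check that the header's authserv-id is its own before believing it.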
If a user feels that an email has been incorrectly categorized, they can report it for investigation and it may be used to improve Egress Defend's detection capabilities.
These are the more detailed explanations of what Egress Defend found and why the message was deemed suspicious or dangerous. They give users context and teach them what to look out for in the future.
CALL ME URGENTLY!!
Mon 1/17/2022 11:38 AM
In this interactive demo, explore the Prevent Analytics Portal within the Egress Security Center to help quantify incidents prevented as a result of human error or data exfiltration, and analyze risky users across your organization. Click the tool tips and highlighted elements throughout to get more detail.
The contact appears to have the same domain as our user, Joe Bloggs, but the External Email banner tells us to treat this email with caution.
The sender is instructing Joe to download an encrypted messaging app, one that is not sanctioned by IT, with an added time sensitivity. This is highly suspicious.
An increased sense of urgency is a common tactic attackers use to get employees to act without too much forethought. The persistence throughout this message is highly suspicious.
The language used here is subtle, but it implies both urgency and credibility in an attempt to stop the user from confirming the legitimacy of the email.
*****@egerss.com
Issues with your shipment
deliveries@dhl.com
Mon 1/17/2022 10:17 AM
The user is being instructed to update their account in order to receive this package. Pairing an urgency statement with an action is a common attack tactic to get users to click links or enter sensitive details.
Delivery update emails from couriers like DHL are often expected, especially with shopping frequently being done online. Attackers will try to impersonate couriers as an easy way in.
This image not only makes the email look more legitimate; because the link is attached to an embedded image rather than to visible text, it may also bypass traditional link scanners.
I have explicit images of you.....
Mon 1/17/2022 9:52 AM
By stating that this user has been specifically targeted, the attacker is convincing them that this is personal and is attempting to isolate them, making them more likely to comply.
The subject of this email is an immediate red flag. Fear tactics like these are strong drivers to get users to comply with an attacker's demands, whether or not the attacker really has the explicit images.
By default, bitcoin addresses are flagged as highly suspicious, regardless of the surrounding email content.
By adding time constraints, attackers are trying to prevent users from confirming a sender's identity or alerting proper authorities, and pressures them to make emotionally-charged decisions - in this case, acquiescing.
In case the admission to being a cybercriminal wasn't evidence enough of a phish, the topic of money has entered the chat...
...followed by repercussions should Joe not obey the attacker's demands. Financial motivation, attempted manipulation, and time sensitivity are all telltale phishing signs.
RE: URGENT: Invoice for processing
Tony Pepper
Mon 1/17/2022 8:41 AM
Display name impersonation is particularly difficult for users to spot, especially on mobile devices. Additionally, the attacker is posing as the CEO to appear as a trusted and important sender, making the user more likely to engage.
Statements like these are used to make the message and its sender appear more credible. In conjunction with the financial nature of the message, this is highly suspicious.
We see that this person is claiming to be the CEO and that the email has come from Joe's organization, but the External Email banner tells a different story.
Saying the vendor is chasing the invoice helps to drive urgency, and the "ASAP" that follows a few short beats later adds more to the time sensitivity of the task.
This kind of statement attempts to prevent users from confirming if the request is legitimate by other means.
Tony
The sender is using the same display name, Tony Pepper, as tony.pepper@egress.com, which could trick you into thinking the email is from them.
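To make the three sender checks used in this demo concrete (the display-name reuse above, the lookalike domain egerss.com seen on the "Alice Doe" message, and the Reply-To mismatch described earlier), here is an added example written for this page rather than Egress Defend's own code. The KNOWN_CONTACTS directory, the INTERNAL_DOMAIN value, the edit-distance threshold and the `arrived_externally` flag (which stands in for whatever the gateway uses to raise the External Email banner) are all assumptions for the example.

```python
from email.utils import parseaddr

# Constructed directory of people Joe corresponds with: display name -> address.
KNOWN_CONTACTS = {
    "Tony Pepper": "tony.pepper@egress.com",
    "Alice Doe": "alice.doe@egress.com",
}
INTERNAL_DOMAIN = "egress.com"   # assumed: the organization's own domain
LOOKALIKE_MAX_DISTANCE = 2       # assumed threshold for "this domain resembles ours"

_KNOWN_LC = {name.lower(): addr.lower() for name, addr in KNOWN_CONTACTS.items()}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each at cost 1. 'egerss' is one swap away from 'egress'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(from_header, reply_to_header=None, arrived_externally=True):
    """Return a list of human-readable findings for the sender of one message."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name impersonation: a name we know, on an address we do not.
    known = _KNOWN_LC.get(name.strip().lower())
    if known and known != addr:
        findings.append(f"display name impersonation: '{name}' is known as {known}, "
                        f"but this message came from {addr}")

    # 2. Lookalike domain: close to our own domain, but not equal to it.
    if from_domain and from_domain != INTERNAL_DOMAIN:
        if osa_distance(from_domain, INTERNAL_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"lookalike domain: {from_domain} resembles {INTERNAL_DOMAIN}")

    # 3. Our own domain on a message that did not come from inside (External banner).
    if arrived_externally and from_domain == INTERNAL_DOMAIN:
        findings.append(f"internal domain {INTERNAL_DOMAIN} on an externally received message")

    # 4. Replies would go somewhere other than the apparent sender.
    if reply_to_header:
        reply_addr = parseaddr(reply_to_header)[1].lower()
        if reply_addr and domain_of(reply_addr) != from_domain:
            findings.append(f"reply-to mismatch: replies go to {reply_addr}, not {addr}")
    return findings


if __name__ == "__main__":
    # Constructed headers modelled on the demo's inbox.
    for hdr in ("Tony Pepper <tonypepper1@outlook.example>",
                "Alice Doe <alice.doe@egerss.com>",
                "Tony Pepper <tony.pepper@egress.com>"):
        print(hdr, "->", sender_findings(hdr) or "no findings")
```

The real Tony Pepper address on an externally received message still produces a finding (check 3), which is the situation the External Email banner flags in this demo: the domain matches ours, but the path the message took does not.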
Peter Parker
Mon 1/17/2022 8:20 AM
Analysis of this HTML attachment found an embedded JavaScript payload whose true file type had been obfuscated, which is highly suspicious.
The email subject immediately indicates that this is a financial conversation, which is always treated with caution, especially when the email is external.
The email is not only financial in nature but adds a sense of urgency with the time sensitivity. These, combined with language indicative of repercussions, suggests financial phishing.
Since Peter is not a First Time Sender, and there appears to be an existing relationship between him and Joe, many email security solutions will not classify this email as suspicious, even with other indications of phishing.
teams@microsoft.com
Mon 1/17/2022 7:32 AM
The deadline stated in the Teams message adds a sense of urgency, and if Joe doesn't recall seeing this message, he may try to use the link below to access it directly - exactly as the attacker intended.
Attackers will often impersonate well known brands, like Microsoft, to increase their likelihood of tricking the user. Emails like these are treated as highly suspicious.
At first glance, this email seems innocent, but taking a closer look at the 'Reply in Teams' link, we’ll see that it’s redirecting elsewhere.