Most impersonated brands in email attacks? Microsoft and Amazon

Nearly two-thirds of all advanced email attacks used emails impersonating Microsoft or Amazon, according to new research by Agari.

Microsoft was impersonated in 36 percent of all (brand) display name impersonation attacks in the third quarter. Amazon was the second most commonly impersonated company, used in 27 percent of these attacks. Amazon and Microsoft run the largest public cloud computing platforms, which are widely used by companies undergoing digital transformation projects.

The pattern was different for high-value targets, such as C-suite executives—Microsoft was impersonated in 71 percent of these attacks. Dropbox is a distant second at seven percent, followed by UPS at six percent.

These attacks often take the form of service updates, security alerts and password resets. The ubiquity of Microsoft Office in corporate environments and the rapid adoption of cloud-based Office 365 makes Microsoft an attractive impersonation target, while file-sharing services such as Dropbox are frequently imitated to distribute malware because users are more likely to trust its installation.

According to the FBI, business email compromise (BEC) has become a $12 billion scam. Advanced email attacks, such as BEC, leverage identity deception techniques, including domain name spoofing, look-alike domains and display name deception to take advantage of end-user trust. Legacy email security solutions, such as secure email gateways (SEGs), are unable to detect advanced email attacks because they do not include malicious URLs or malware attachments—the attacks Agari identified in its Q4 2018 report evaded detection by other email security solutions.

Agari’s new report reveals that 62 percent of advanced email attacks leverage display name deception: 54 percent impersonate trusted brands and eight percent impersonate individuals. On the other end of the spectrum—yet alarmingly—three percent of identity deception-based attacks are sent from compromised email accounts commandeered through account takeover (ATO) attacks.

The intersection of display name deception and ATO attacks is revealed by the fact that Microsoft and Amazon are the most impersonated brands in digital deception-based attacks. The risk is that a successfully compromised Office 365 or AWS account may be used to launch subsequent attacks that are even harder to detect.

Email authentication adoption on the rise

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open email authentication standard that prevents domain name spoofing from being used in phishing or spam. Agari’s Q4 2018 “Email Fraud & Identity Deception Trends” includes the broadest analysis of DMARC adoption ever conducted—more than 280 million registered public domains.

In 2017, Agari research determined that only one-third of the Fortune 500 had adopted DMARC, with less than ten percent enforcing a quarantine or reject policy. Agari’s new research now reveals that more than half—51 percent—have adopted DMARC, although still only 13 percent are enforcing a quarantine or reject policy.

Additionally, in an examination of more than 280 million domains, Agari witnessed an increase in DMARC adoption from 3.5 million domains in July 2018 to 5.3 million domains in October 2018, representing a 51% percent increase in one quarter.

This increased adoption coincided with the approaching (and now final) deadline for the Department of Homeland Security Binding Operational Directive (BOD) 18-01, which mandates all federal executive branch domains must adopt DMARC and implement a reject policy. The United States federal government now leads all industry verticals with an 84 percent DMARC adoption rate—more than three-quarters of federal domains (76 percent) have implemented a reject policy.