Mail Impersonation – Recognizing Mail Phishing Attacks


The Security Threat:

Mail impersonation is among the most prevalent and successful cyber attacks in today’s digital landscape. This type of attack can be classified into two main categories: phishing and mail impersonation.

Phishing attacks aim to steal credentials by impersonating legitimate login pages, tricking users into revealing their passwords and sensitive information.

Mail impersonation attacks, on the other hand, involve creating email communications that appear to be regular interactions between an organization and a vendor. These deceptive emails often lead the organization’s employees to unknowingly disclose classified information or transfer money to attackers.

Cyray’s Solution:

At Cyray, we employ a combination of ArcSight and our proprietary mechanism to identify various types of mail attacks and tailor our solutions to meet each customer’s specific needs.

Outlined below are some examples of our recognized methods:

Phishing Scenario: We assess the similarity between the email domain and the organization’s domain. If the similarity rate exceeds a predefined threshold, we trigger the corresponding rule in ArcSight.

Organization Domains | Incoming Domains | Similarity Rate

Impersonation Scenario: We compare the name of the email recipient with the full name of the organization’s users. We evaluate the similarity rate based on the full name or a part of it, taking into account cases where a person has a middle name.

Organization User Full Name | Incoming Mail User’s Name | Similarity Rate
Wolfgang Amadeus Mozart | mozart.amadeus | 100
Wolfgang Amadeus Mozart | wolfgang_amadeus | 100
Wolfgang Amadeus Mozart | lake.amadeus | 50
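
The two scenarios above, as an added Python example that is not Cyray's code or algorithm (which the page does not disclose). It assumes character-level similarity from `difflib` for domains and part-by-part matching for names; the function names, thresholds and `example.com` domains are constructed for illustration. The name scoring reproduces the three rates in the table.

```python
import re
from difflib import SequenceMatcher

def _norm(domain):
    return domain.lower().strip(".")

def domain_similarity(org_domain, incoming_domain):
    """Percent similarity of two domains (character level, case-insensitive)."""
    ratio = SequenceMatcher(None, _norm(org_domain), _norm(incoming_domain)).ratio()
    return round(100 * ratio)

def is_lookalike(org_domains, incoming_domain, threshold=85):
    """True when the incoming domain is close to, but not one of, the org domains.

    threshold=85 is an assumed value; the page only says "predefined threshold".
    """
    own = {_norm(d) for d in org_domains}
    if _norm(incoming_domain) in own:
        return False  # mail from the organization's own domain is not a lookalike
    return any(domain_similarity(d, incoming_domain) >= threshold for d in own)

def name_parts(text):
    """Split 'mozart.amadeus' or 'Wolfgang Amadeus Mozart' into lowercase parts."""
    return [p for p in re.split(r"[\W\d_]+", text.lower()) if p]

def name_similarity(full_name, incoming_name, part_threshold=0.85):
    """Percent of incoming name parts that match any part of the user's full name.

    Matching against every part (first, middle, last) in any order covers the
    middle-name case; part_threshold tolerates small misspellings (assumed value).
    """
    known = name_parts(full_name)
    incoming = name_parts(incoming_name)
    if not known or not incoming:
        return 0
    matched = sum(
        1 for part in incoming
        if any(SequenceMatcher(None, part, k).ratio() >= part_threshold for k in known)
    )
    return round(100 * matched / len(incoming))

if __name__ == "__main__":
    # Constructed sample input: rows from the table plus a made-up lookalike domain.
    for local in ("mozart.amadeus", "wolfgang_amadeus", "lake.amadeus"):
        print(local, name_similarity("Wolfgang Amadeus Mozart", local))
    print("examp1e.com", domain_similarity("example.com", "examp1e.com"))
```

A score of 100 from an external sender's name, or a lookalike domain hit, is the signal that would be forwarded to the SIEM rule for correlation.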

By analyzing and correlating these similarity rates, we provide our customers with a comprehensive and dependable assessment of mail attacks on their organization.

We do not disclose the specific technical methods or algorithms we employ for security reasons. However, we offer these scenarios to our customers, enabling them to understand our approach better.

If you are interested in integrating this mechanism or exploring other specialized solutions for your organization, please feel free to contact us.
