How does it work?
Highly targeted phishing attacks such as spear phishing, whaling attacks and business email compromise (BEC) are trickier to spot as they don’t rely on sending a mass of emails to lots of people in your organization. Instead, they’re a single email socially engineered to look and sound like a familiar contact making a regular business request, making it much harder to spot and even less likely to be reported.
What could go wrong?
With OnINBOX in place, if the CFO were to receive an email from a cybercriminal impersonating the CEO and urgently requesting a large wire transfer to a fake account, OnINBOX would flag it. The recipient would see a red indicator for Authentication, warning them that the sender is not who they claim to be. Additionally, with OnINBOX Manager, security teams don’t have to rely solely on the CFO reporting the email, because that inbox can be checked for risk over any period of time.
Spot the risks in the inbox of highly targeted individuals in 3 steps
1. Search for a highly targeted employee
2. Reveal the domains that might already have been spoofed
3. Investigate if this employee has been compromised without knowing it
1. Search for a highly targeted employee
At the top of the Supply Chain dashboard in the top toolbar labeled Current View, select the search bar as shown below:
Enter the email address for the person of interest, such as an executive or head of Accounts Payable as demonstrated below:
You’re now seeing the security data from all emails scanned by OnINBOX over the time frame selected at the top of your dashboard. This includes:
A graph of email traffic in the History panel.
A Network [DMARC] graph with domains colour coded by DMARC status.
At the bottom of your dashboard, an All Traffic table lists the same domains with the number of emails received and the average scores for Authentication, Content and Trust. Each row also includes a TLS score and a small clickable graph of the email traffic from that sender.
2. Reveal the domains that might already have been spoofed
Remember, by default the data shown is always the last 30 days unless you’ve adjusted the time frame at the top of your dashboard. We’re now going to filter these results to show those senders in this person’s communications network that are failing Authentication, which means OnINBOX cannot verify that they actually are who they say they are - so they may have already been spoofed!
At the top of the dashboard in your Current View toolbar please select Authentication to specifically filter the data for these results. Now scroll down to the Network [Authentication] graph and filter by "0 to 25" to reveal the domains scoring the lowest for Authentication.
You now have a visual of this user’s communications network, highlighting the high-risk connections that may already have been spoofed. Any of these could put the CFO at risk of being compromised without knowing it.
3. Investigate senders that could compromise this user
You can use the Network [Authentication] graph and prioritise the domains failing Authentication and sending the most emails by reviewing the biggest bubbles in this graph.
Alternatively, by scrolling down to the All Traffic table you’ll have a list view of all domains included in the graph above. Here’s how we recommend you use this information:
Start by checking to see if any of your suppliers are on this list and putting this employee at risk.
Try to spot any unusual behaviour, such as an unfamiliar company with a high email volume.
To investigate further, each organization will have its own security protocol to follow. Looking into specific email content isn’t available from OnINBOX because we understand how important it is that your personal email data remains private and secure; we only store aggregated information and never the email itself. To review email content from suspicious senders, use the internal tools of your email service provider. For example, G Suite administrators can audit users’ emails.
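Steps 2 and 3 amount to a triage over per-sender aggregates: keep the senders whose Authentication score falls in the "0 to 25" band, rank them by email volume (the biggest bubbles first), then flag any that are known suppliers or unfamiliar domains sending unusually many emails. The Python below carries out that triage over constructed records; it is an added example, not OnINBOX code, and the record fields, the supplier list and the high-volume threshold are assumptions.

```python
# Constructed per-sender aggregates, shaped like the All Traffic table
# (domain, emails received, average Authentication score 0-100).
SAMPLE_TRAFFIC = [
    {"domain": "trusted-supplier.example", "emails": 120, "auth_score": 92},
    {"domain": "invoices-supplier.example", "emails": 45, "auth_score": 18},
    {"domain": "unknown-bulk.example", "emails": 300, "auth_score": 5},
    {"domain": "partner.example", "emails": 12, "auth_score": 24},
    {"domain": "newsletter.example", "emails": 80, "auth_score": 70},
]

# Assumed: the organisation's known suppliers (constructed list).
KNOWN_SUPPLIERS = {"trusted-supplier.example", "invoices-supplier.example"}

# Assumed threshold: an unfamiliar domain at or above this volume is unusual.
HIGH_VOLUME = 100


def failing_authentication(rows, low=0, high=25):
    """Step 2: keep senders whose Authentication score is in the "0 to 25" band."""
    return [r for r in rows if low <= r["auth_score"] <= high]


def triage(rows, suppliers=KNOWN_SUPPLIERS, high_volume=HIGH_VOLUME):
    """Step 3: rank failing senders by volume (biggest bubbles first) and
    flag known suppliers and unfamiliar high-volume domains."""
    findings = []
    for r in sorted(failing_authentication(rows), key=lambda r: r["emails"], reverse=True):
        known = r["domain"] in suppliers
        findings.append({
            "domain": r["domain"],
            "emails": r["emails"],
            "auth_score": r["auth_score"],
            "supplier_at_risk": known,  # a real supplier whose domain may be spoofed
            "unusual_volume": not known and r["emails"] >= high_volume,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRAFFIC):
        flags = [k for k in ("supplier_at_risk", "unusual_volume") if f[k]]
        print(f'{f["domain"]:28} {f["emails"]:4} auth={f["auth_score"]:3} {" ".join(flags)}')
```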