Cybriant CTO: Analysis of a Phishing Email

Cybriant CTO: Analysis of a Phishing Email

I recently received an interesting phishing email that I shared with the rest of our company as part of our Internal Security Awareness program.  You might guess that as CTO of a security company I often receive phishing emails (and you’d be right), but this one caught my eye.  This phishing email was interesting for a few reasons:

  1. It made it past Microsoft’s ATP (Advanced Threat Protection) anti-phishing service in Office 365.
  2. It had a valid SPF record (no DKIM or DMARC).
  3. The phishing link had a clever URL encode redirect.

So, let’s take a look at the email:

There were several factors that tipped me off that things were amiss: 

  • I have never seen a similar voicemail email.
  • We don’t do business with any company named Alarmtech (looking at the email address).
  • We definitely DON’T do any business with any company named Alarmtech that has a Polish TLD (the “.pl” of “alarmtech.pl” domain in the email address).
  • The “local Wireless User” phone number was also odd.

So, I decided to take a look at the message’s full headers.

I was quite surprised to see that the email had a valid SPF record, and while it was unfortunate to see that a DKIM was not setup it is fairly common for less sophisticated admins to omit this type of email authentication.  This also explains part of why Office365 gave a phishing email a pass instead of convicting the email.

And, a quick check with MXToolbox confirmed that the SPF record was indeed valid.

Ok, at this point I was even more curious.  So, I copied the link for the “Play Record” button and utilized www.o365atp.com to de-obfuscate the link.  Bingo!  We’ve got something interesting!

Now, we have the de-obfuscated link (Office365 ATP uses a technology called Safe Links as an extra layer of protection).





If you notice, the URL begins with http://www.google.com.mx/url?q= this is a clever way to have Google (in this case it’s the Mexico link for Google as it has a TLD – top level domain – of “.mx”) to redirect to the actual malicious website address, which is:




Yes, that is a valid FQDN and URL.  And, this is the other part of the reason why I believe that this phishing email made it past Office365’s ATP service.  It’s using a method called URL encoding.  URL encoding allows you to do things such as create spaces in a filename.  For example, the following two bullet point links would point to the exact same URL (Note:  I used a random domain name):

phishing email

The “%20” is the URL encoded value for a space “ “.  There are some genuine uses for URL encoding, and it is especially helpful when creating scripts or working with APIs.  For example, when dealing with APIs in our SOC (Security Operations Center) this is often how we have to get around restrictions such as using an “@” in a username.  Instead of user@cybriant.com it’d be: user%40cybriant.com

So, let’s de-obfuscate the link using https://urldecoder.org:




There we have the REAL link.  Next, we’ll explode this link in Joe Sandbox to see it’s behavior.  Click on the following link to see the full Joe Sandbox analysis, and see what our SOC would discover if they were performing this for a customer.  I’ll give you a hint, it turns out it’s malicious:



When I first exploded the URL decoded link Joe Sandbox didn’t find anything interesting.  And so, the second time I utilized the link that was a google.com.mx referrer link.  When using the referring link Joe Sandbox determined that the final destination URL was indeed malicious.  In short, the bad actor built a check into their website to ensure that the full link was being used (confirmed by seeing Google.com.mx referring the user to the phishing website).  Pretty spiffy thinking on their part! 

Andrew Hamilton

Andrew Hamilton


Andrew Hamilton is a member of the executive management team of Cybriant, a leader in the cybersecurity services industry. As CTO he is responsible for the technical vision and the delivery of services at Cybriant. Since its founding in 2015, Andrew has led the selection, evaluation, and adoption of all security technology and tools utilized by Cybriant in the delivery of its managed security services.

Learn more about Cybriant’s Continuous Threat Detection & Remediation Services: http://cybriant.com/pretect

FREE TOOL: Your users are “Phish-Prone”

FREE TOOL: Your users are “Phish-Prone”

91% of successful data breaches started with a spear-phishing attack? Attackers go for the low-hanging fruit: humans.

Cybriant’s partner, KnowBe4,  just completed a big-data analytics exercise over their 15,000 customers and came up with new baseline phish-prone percentages, and how fast it drops over time. To say the least, the numbers are very interesting, and this time they also broke them out by industry and size, showing the most at-risk industries. View on-demand webinar here. 

First of all, you need to know your organization’s phish-prone percentage. We offer a phishing security test through KnowBe4.  This free tool will test up to 100 users and will give you a PDF with your phish-prone percentage and charts to share with management.

Why? If you don’t do it yourself, the bad guys will. 

Here’s how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you within 24 hours with your Phish-prone % and charts to share with management

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and an effective cybersecurity best practice to patch your last line of defense: USERS

How does your “Phish-prone” percentage compare to others in your industry? Watch the on-demand webinar to find out: https://www.cybriant.com/2018/01/on-demand-webinar-phishing-attack-landscape-and-benchmarking/

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. Get started immediately!


Find Out Your Phish Prone Percentage

Cybriant in the News: PREtect Spotlight

Cybriant in the News: PREtect Spotlight


UPDATE: PREtect has been rebranded to CybriantXDR. Read more here: https://cybriant.com/cybriant-xdr/

Cyber security has been deemed as one of the biggest concerns for small businesses owners when it comes to protecting their digital assets. Cybriant is a holistic cyber security service startup which enables small and mid-size organizations to deploy and afford the same cyber defense strategies and tactics as the Fortune 500.

Their product suite, PREtect, contains 5 cyber risk management solutions designed to optimize the protection of data assets and the detection of malicious events by addressing the most common vulnerabilities in the enterprise. Utilizing leading technologies and seasoned security expertise, Cybriant delivers an affordable solution which addresses the most common yet challenging structural and operational security vulnerabilities. The services include: Comprehensive security monitoring with continuous, actionable threat intelligence; detect and deploy missing patches in one’s system; detect, identify, and contain advanced threats before they cause damage; full executive reporting with consistent detection and identification of vulnerabilities; and a Security Awareness Training and Simulated Phishing platform that will keep a company’s employees trained, with security top of mind. Any business, small or large is vulnerable today.

Read original article: https://tech.co/startup-spotlight-biometrics-car-grunt-work-2017-11

Cybriant Launches Managed Cybersecurity Awareness Training Service; focuses on Real Estate Industry

Cybriant Launches Managed Cybersecurity Awareness Training Service; focuses on Real Estate Industry

August 9, 2017 – Alpharetta, GA – Cybriant announced today that it has launched a new service that offers Managed Cybersecurity Awareness Training. Cybriant plans on initially focusing on the real estate industry for this managed service.

The real estate industry is under attack from cybercriminals. Wire Fraud, Email Phishing, Texting Scams and Social Media scams that target independent real estate agents are causing real estate firms as well as potential home owners to lose money.

Cybercriminals have targeted the real estate industry because of the amount of personal and sensitive information that is created, stored, used, and shared between real estate agents, brokers, property managers, closing attorneys, mortgage banks, title companies, and more.

Cybriant’s Managed Cybersecurity Awareness Service helps organizations implement a fully mature security awareness training program. The program will provide baseline testing, user training, simulated phishing attacks, and management reporting.

“Employees are either a weak link in the security chain or a trip wire for your defense,” said Jeff Uhlich, CEO of Cybriant. “Our cybersecurity awareness training service helps meet three requirements for a well-rounded program – awareness, education, and ongoing training. We help strengthen your human firewall.”

For more information, go to https://www.cybriant.com/cybersecurity-awareness-training/.

About Cybriant

Cybriant assists companies in making informed business decisions and sustaining operational effectiveness in the design, implementation, and management of their cybersecurity programs. We deliver a comprehensive and customizable set of strategic and adaptive cybersecurity services which address the entire security landscape. These services include assessment and planning, testing and hunting, SIEM management and security monitoring, perimeter and endpoint protection, and secure cloud networking. Cybriant also delivers support services for the secure maintenance, relocation, and disposition of physical and data assets. We make enterprise grade cyber security services accessible to the Mid-Market and beyond. For more information, go to www.cybriant.com

Managed Cybersecurity Awareness Training Service