Polymorphic phishing is an advanced form of phishing that randomizes components of an email, creating many subtly different versions of the same attack. The aim is to bypass email filters that rely on blacklists or signature-based detection: if an element of one email is identified as malicious, that element will differ in the other versions of the attack and will not be recognized.
Without advanced detection tools, polymorphic attacks are hard to defend against. Even if one version of the attack is detected, variations may reach employees’ inboxes. These attacks are increasingly common thanks to automation methods included in phishing kits sold on the crime-as-a-service marketplace.
In a nutshell, polymorphic attacks are easy to create and hard for signature-based detection software to spot.
Are polymorphic phishing attacks new?
No, but they have evolved. Polymorphic phishing attacks have been around since 2016, which is practically an age ago in cybersecurity terms. The method was originally used to automatically generate thousands of URLs with only slight differences, either by generating a new link for each malicious email or by using services such as URL shorteners, which produce a new URL for every link.
The idea was that traditional software that relied on scanning blacklists for suspected malicious URLs wouldn’t be able to keep up. Polymorphic phishing has become more advanced in recent years, with cybercriminals looking for more ways to evade modern signature-based detection software.
How do polymorphic phishing attacks work?
Today, polymorphic phishing attacks are more sophisticated in how they avoid email security tools. Attackers no longer just send out unique URLs; they vary every element of an email – subject lines, headers, from address, return address, signatures, and body content. Each phishing email the attacker sends often changes just one element, making each copy subtly unique.
Signature-based detection software works by generating a unique hash for each email, which is saved in a database and compared against future emails. If a hash matches a previously seen malicious email, the tool knows the email is malicious and blocks it.
Polymorphic phishing attacks slightly change elements of the email in an effort to avoid this detection and stop security tools from blocking the email. These changes can be either random or intentional, depending on the nature of the attack. Even many of the cheapest phishing kits that we see available online now have built-in automated polymorphic phishing capabilities.
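To make the gap concrete, here is an added illustration (not code from the original article or from Egress) of why a hash over the raw message misses every polymorphic copy after the first, while a fingerprint computed over a normalized form still matches them. The three variants, the benign message and the domains are constructed sample data; the normalization rules are an illustrative defensive technique, not a description of any product.

```python
import hashlib
import re

# Constructed sample data (not from any real campaign): three copies of one
# credential-phishing template as a polymorphic kit might emit them, varying the
# subject, greeting, spacing and the per-recipient URL token, plus one benign mail.
VARIANTS = [
    "Subject: Action required\n\nHi Alice,\nYour mailbox is FULL. "
    "Verify now: https://login-example.test/auth?id=8813",
    "Subject: Action Required!!\n\nHello Bob,\n\nYour mailbox  is full. "
    "Verify now: https://login-example.test/auth?id=77a2",
    "Subject: [Action] required\n\nDear Carol,\nYour  mailbox is full.  "
    "Verify now:  https://login-example.test/auth?id=Q91X",
]
BENIGN = ("Subject: Lunch\n\nHi Alice,\nAre we still on for lunch at noon? "
          "https://calendar.example.test/event?id=5")

URL_RE = re.compile(r"https?://([^/\s]+)\S*")
GREETING_RE = re.compile(r"^(hi|hello|dear)\b[^\n]*\n", re.MULTILINE)


def exact_signature(message: str) -> str:
    """What a naive signature engine stores: a hash of the raw message text."""
    return hashlib.sha256(message.encode()).hexdigest()


def normalized_fingerprint(message: str) -> str:
    """Hash of a canonical form that discards the mutations a kit typically makes."""
    text = message.lower()
    # Keep only each URL's host: the path/query token is unique per copy.
    text = URL_RE.sub(lambda m: "url " + m.group(1), text)
    # Drop the personalised greeting line ("hi alice,") entirely.
    text = GREETING_RE.sub("", text)
    # Strip punctuation and digits, then collapse whitespace, so casing,
    # bracket/exclamation padding and extra spaces all cancel out.
    text = re.sub(r"[^a-z.\s-]", "", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()


def detect(known_bad: list[str], candidates: list[str]) -> dict[str, list[bool]]:
    """Seed both engines with previously reported bad mail and test new arrivals."""
    exact_db = {exact_signature(m) for m in known_bad}
    norm_db = {normalized_fingerprint(m) for m in known_bad}
    return {
        "exact_blocked": [exact_signature(c) in exact_db for c in candidates],
        "normalized_blocked": [normalized_fingerprint(c) in norm_db for c in candidates],
    }
```

Seeding both engines with only `VARIANTS[0]`, `detect` blocks none of the later copies by exact hash but all of them by normalized fingerprint, while leaving the benign mail alone. A kit that rewrites the wording itself will defeat this normalization too, which is why the article argues for analysing content and context rather than any fixed signature.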
How does a polymorphic attack play out?
Polymorphic attacks are highly effective at evading Secure Email Gateways (SEGs) and native cloud email security that relies on blacklists or signature detection. Attackers only need one of their slightly different emails to get through. However, sending hundreds or thousands of emails at once could still trigger an organization’s spam filter, even with the polymorphic changes.
More sophisticated attackers will first attempt to compromise an internal account through account takeover. They might do this by sending a targeted spear phishing email in an attempt to obtain login credentials. From there, polymorphic phishing attacks can be spread internally through an organization. Polymorphic attacks sent from a trusted internal account can be very difficult for security teams to contain, especially if more trusted accounts become compromised.
Can polymorphic phishing attacks be prevented?
To defend against polymorphic phishing, organizations can’t rely solely on signature-based detection. These attacks can be extremely sophisticated, meaning they can typically bypass most anti-phishing tools and secure email gateways (SEGs). An ICES (integrated cloud email security) solution is needed to augment existing defenses and apply a zero-trust approach to all inbound emails.
Tools such as Egress Defend analyze the content and context of every email before it reaches the recipient – so it doesn’t matter how many subtle changes attackers make to their emails, or where the attack has originated from. Machine learning, social graph, and natural language processing technologies combine to detect the building blocks of a phishing email, regardless of whether it’s a slight variation of another attack, or one that’s never been seen before.