Social Engineering Attack Log Details

Trend Micro Email Security provides detailed information for email messages detected as possible social engineering attacks. To view social engineering attack details, click the Details link beside Social engineering attack on the Mail Tracking Details screen.

The following table lists the possible reasons for social engineering attack detections.

Table 1. Possible reasons for social engineering attack detections

Email Characteristics

Description

Inconsistent sender host names

Inconsistent host names between Message-ID (<domain>) and From (<domain>).

Broken mail routing path

Broken mail routing path from hop (<IP_address>) to hop (<IP_address>).

Mail routing path contains mail server with bad reputation

The mail routing path contains mail server with bad reputation (<IP_address>).

Significant time gap during email message transit

Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>).

Inconsistent recipient ‚Äčaccounts

Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>).

Possibly forged sender account or unexpected relay/forward

Possibly forged sender account (<email_address>) is sending email messages via host/IP (<host_address>) of which ASNs (<ASN_list>) are inconsistent to sender ASNs (<ASN_list>); or unexpected server-side relay/forward.

Email message travels across multiple time zones

The email message travels across time zones (<time_zone_list>).

Possible social engineering attack characterized by suspicious charsets in email entities

Suspicious charsets (<character_set_list>) are identified in a single email message, implying the email message originated from a foreign region. This behavior is an indicator of a social engineering attack.

Violation of time headers

Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC5322 section 3.6.

Possibly forged sender (Yahoo)

The email message claimed from Yahoo (<email_address>) lost required headers.

Executable files with tampered extension names in the attachment

Executable files in compressed attachment (<file_name>) intend to disguise as ordinary files with tampered extension names.

Anomalous relationship between sender/recipient(s) related email headers

Anomalous relationship between sender/recipient(s) related email headers (<email_address>).

Encrypted attachment intends to bypass antivirus scan engines

Encrypted attachment (<file_name>) with password (<password>) provided in email content possibly intends to bypass antivirus scan engines.

Email attachment could be exploitable

Email attachment (<file_name>) could be exploitable.

Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities

Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might be sent from a self-written mail agent.

Few meaningful words in the email message

The email message is less meaningful with only few characters in its text/HTML body (<character_count>).

Possible email spoofing

The email message was claimed as a forwarded or replied message with subject-tagging (<email_subject>), but the email message does not contain corresponding email headers (RFC 5322).

Email message travels across multiple ASNs

The email message travels across multiple ASNs (<ASN_list>).

Email message travels across multiple countries

The email message travels across multiple countries (<country_code_list>).

‚ÄčAbnormal Content-type behavior in email message

Content-type in email content should not have attributes (<attribute_list>).

Executable files archived in the compressed attachment

Executable files archived in compressed attachment (<file_name>).

Exploitable file types detected in the compressed attachment

Exploitable file types detected in compressed attachment (<file_name>).

Sender account header potentially modified

The email message was sent from an email client or service provider (<user_agent>) that allows modification of the sender address or nickname.

Conversation history in email body

The email message includes a conversation history between (<email_account>) and (<email_account>). This email message may be part of a man-in-the-middle attack.

Internal message with a disguised reply-to domain

The reply-to domain (<domain_name>) has been disguised to be similar to the sender and recipient domains (domain_name). The email message may be disguised to appear internal.

Internal message with a public reply-to domain

The reply-to domain (<domain_name>) belongs to a public messaging service but the sender and recipient domains are the same (<domain_name>). The email message may be disguised to appear internal.

Nickname of company executive with public domain address

The sender header (<sender_header>) contains a nickname that appears to be a company executive and an email address from a public messaging service.

Reply-to account disguised to be similar to sender account

The reply-to account (<email_account>) uses a different domain but similar information to the sender account (<email_account>) to disguise the two accounts to be from the same individual.

Sender account possibly associated with targeted attacks

The sender account (<email_account>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.

Sender domain disguised to be similar to recipient domain

The sender domain (<domain_name>) is different but similar to the recipient domain (<domain_name>). The email message may be disguised to appear internal.

Sender host name possibly associated with targeted attacks

The sender host name (<host_name>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.

Sender IP address possibly associated with targeted attacks

The sender IP address (<ip_address>) has been associated with one or more targeted attacks or performed behavior consistent with targeted attacks.