Social Engineering Attack Log Details

Trend Micro Email Security provides detailed information for email messages detected as possible social engineering attacks. To view social engineering attack details, click the Details link beside Social engineering attack on the Mail Tracking Details screen.

The following table lists the possible reasons for social engineering attack detections.

Table 1. Possible reasons for social engineering attack detections

| Email Characteristics | Description |
|---|---|
| Inconsistent sender host names | The Message-ID host name (<host_name>) does not match the From host name (<host_name>). |
| Broken mail routing path | Broken mail routing path from hop (<IP_address>) to hop (<IP_address>). |
| Mail routing path contains mail server with bad reputation | The mail routing path contains a mail server with a bad reputation (<IP_address>). |
| Significant time gap during email message transit | Significant time gap (<duration>) detected during email message transit between hops (<source> & <destination>) from time (<date_time>) to time (<date_time>). |
| Inconsistent recipient accounts | Envelope recipient (<email_address>) is inconsistent with header recipient (<email_address>). |
| Inconsistent sender ASNs or unexpected relay or forward | The sender host (<host_address>) belongs to an ASN (<ASN>) that does not match the ASN (<ASN>) of the sender account (<email_address>). This may result from an unexpected server-side relay or forward. |
| Email message travels across multiple time zones | The email message travels across time zones (<time_zone_list>). |
| Possible social engineering attack characterized by suspicious charsets in email entities | Suspicious charsets (<character_set_list>) are identified in a single email message, implying that the email message originated from a foreign region. This behavior is an indicator of a social engineering attack. |
| Violation of time headers | Multiple time headers (<date_time>, <date_time>) exist in one message, which violates RFC 5322 section 3.6. |
| Malicious client IP address | The client IP address (<IP_address>) has been associated with known malicious activity. |
| Possibly forged sender (Yahoo) | The email message claims to be from Yahoo (<email_address>) but is missing required headers. |
| Executable files with tampered extension names in the attachment | Files in the compressed attachment (<file_name>) may be executable files with modified extension names. |
| Anomalous relationship between sender/recipient(s) related email headers | Anomalous relationship between sender/recipient(s) related email headers (<email_address>). |
| Encrypted attachment intends to bypass antivirus scan engines | The encrypted attachment (<file_name>), with its password (<password>) provided in the email content, is likely intended to bypass antivirus scan engines. |
| Exploitable attachment | The attached file (<file_name>) may contain exploits. |
| Email message might be sent from a self-written mail agent due to abnormal transfer encoding in email entities | Content-Transfer-Encoding (<encoding_type>) is abnormal in the email message. The email message might have been sent from a self-written mail agent. |
| Short message body | The body text or the HTML text of the email is short. The text length (<character_count> characters, for body text and HTML text respectively) suggests that the email content may have little meaning. |
| Replied or forwarded email contains no corresponding headers | The email message was claimed as a forwarded or replied message by its subject tagging (<email_subject>), but it does not contain the corresponding email headers (RFC 5322). |
| Email message travels across multiple ASNs | The email message travels across multiple ASNs (<ASN_list>). |
| Email message travels across multiple countries | The email message travels across multiple countries (<country_code_list>). |
| Abnormal Content-Type behavior in email message | The Content-Type in the email content should not have attributes (<attribute_list>). |
| Executable files archived in the compressed attachment | The compressed attachment (<file_name>) contains executable files. |
| Exploitable file types detected in the compressed attachment | The compressed attachment (<file_name>) contains exploitable file types. |
| Inconsistent host domains or unexpected relay or forward | The sender host (<host_address>) belongs to a different domain from the sender account (<email_address>). This may result from an unexpected server-side relay or forward. |
| Email nickname is inconsistent with email address | The recipient account uses an email nickname (<nickname>) that is inconsistent with its email address (<email_address>). |
| Sender account is inconsistent with reply-to account | The sender account (<email_account>) is inconsistent with the reply-to account (<email_account>). |
| Sender host name possibly associated with targeted attacks | The sender host name (<host_name>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender IP address possibly associated with targeted attacks | The sender IP address (<ip_address>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender account possibly associated with targeted attacks | The sender account (<email_account>) has been associated with one or more targeted attacks or has performed behavior consistent with targeted attacks. |
| Sender account header potentially modified | The email message was sent from an email client or service provider (<user_agent>) that allows modification of the sender address or nickname. |
| Internal email with a public reply-to domain | The reply-to domain (<domain_name>) belongs to a public messaging service, but the sender and recipient domains are the same (<domain_name>). The email message may be disguised to appear internal. |
| Internal email with a disguised reply-to domain | The reply-to domain (<domain_name>) has been disguised to be similar to the sender and recipient domains (<domain_name>). The email message may be disguised to appear internal. |
| Reply-to account disguised to be similar to sender account | The reply-to account (<email_account>) uses a different domain but similar information to the sender account (<email_account>), making the two accounts appear to belong to the same individual. |
| Conversation history in email body | The email message includes a conversation history between (<email_account>) and (<email_account>). This email message may be part of a man-in-the-middle attack. |
| Nickname of company executive with public domain address | The sender header (<sender_header>) contains a nickname that appears to be a company executive together with an email address from a public messaging service. |
| Sender domain disguised to be similar to recipient domain | The sender domain (<domain_name>) is different from but similar to the recipient domain (<domain_name>). The email message may be disguised to appear internal. |
| Potentially deceptive message header text | Because (<header_text>) closely resembles (<header_text>), this message seems intended to deceive the recipient. |
| Message contains suspicious content | Some text in the message meets the criteria for the (<category_name>) category, indicating a possible intent to deceive the recipient. |
| Name of a protected sender used with a suspicious domain | The message uses the name (<sender_name>) in combination with an unfamiliar domain in an apparent attempt to deceive the recipient. |
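As an added illustration (not Trend Micro's code), the following script reproduces four of the header-based heuristics in the table above: inconsistent Message-ID/From host names, multiple Date headers (RFC 5322 section 3.6), a reply-to account disguised to resemble the sender, and a sender domain that is a look-alike of the recipient domain. The sample message, the two-edit threshold for look-alike domains, and the function names are assumptions chosen for the example.

```python
import email
from email.utils import parseaddr

def host_of(value: str) -> str:
    v = value.strip("<> ")  # also strips Message-ID angle brackets
    return v.rsplit("@", 1)[1].lower() if "@" in v else ""

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance for the look-alike domain check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw)  # compat32 policy: headers are plain str
    from_addr, to_addr, reply_addr = (parseaddr(msg.get(h, ""))[1] for h in ("From", "To", "Reply-To"))
    from_host, to_host = host_of(from_addr), host_of(to_addr)
    reasons = []
    # Inconsistent sender host names: Message-ID host vs From host (weak on its own).
    if host_of(msg.get("Message-ID", "")) != from_host:
        reasons.append("Inconsistent sender host names")
    # Violation of time headers: RFC 5322 section 3.6 permits exactly one Date field.
    if len(msg.get_all("Date") or []) > 1:
        reasons.append("Violation of time headers")
    # A Reply-To that reuses the sender's local part on another domain is the disguised case.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        if reply_addr.split("@")[0].lower() == from_addr.split("@")[0].lower():
            reasons.append("Reply-to account disguised to be similar to sender account")
        else:
            reasons.append("Sender account is inconsistent with reply-to account")
    # Look-alike sender domain: not equal to, but within two edits of, the recipient domain.
    if from_host and to_host and from_host != to_host and edit_distance(from_host, to_host) <= 2:
        reasons.append("Sender domain disguised to be similar to recipient domain")
    return reasons

# Constructed sample (not a real capture): look-alike sender domain, two Date headers, webmail Reply-To.
SAMPLE = b"""\
From: "Pat Lee" <pat.lee@corp-examp1e.com>
To: finance@corp-example.com
Reply-To: pat.lee@webmail.example
Message-ID: <20240101.1234@relay.example.net>
Date: Mon, 1 Jan 2024 09:00:00 +0000
Date: Mon, 1 Jan 2024 09:05:00 +0000
"""

print(check_message(SAMPLE))
```

Each reason string matches the corresponding Email Characteristics entry in the table, so the output can be compared directly against what the Details screen reports.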