2

We make phishing campaigns to our users with Lucy Security. The emails include a link to a landing page. When clicked, stats are sent to our phishing platform that include which user clicked, when, and from which IP.

We whitelisted Lucy Security's server IP in our anti-spam (Defender 365) so that spam confidence is set to -1, attachments and links are not checked, etc. Thus far we don't get many clicks from Microsoft IPs.

The problem is that we get clicks from IPs belonging to Google Fiber, Amazon, Verizon, and a bunch of other telecom companies in the US I've never heard of (we're in Canada). All of those IPs are in the US. How is that possible?

What I feel should be happening is this:

  1. Lucy sends emails from its internal server to our Exchange mailboxes (hosted with Microsoft 365)
  2. The emails make a couple of hops within Microsoft
  3. All anti-spam measures that we whitelisted are skipped
  4. Emails are delivered in our mailboxes

That is exactly what seems to be happening when looking at the headers of Lucy emails I received, and yet we get clicks from some local ISP in the US.

Couple of notes:

  • I spoof addresses when making those phishing emails. The spoofed address is put in the From header as well as in the Return-Path header. I do get more unwanted clicks when spoofing an address from a well-known domain (e.g. protonmail.com) than a random one.
  • We don't have off-site workers, i.e. all our users are behind our one public IP.

What am I not getting here? How are those emails being clicked (by what appears to be anti-spam tools) somewhere in the US? Does someone have an idea of where to start looking to solve this? Let me know if you need more info.

  • 3
The most sound explanation for me is that at least some of your employees forward emails to their personal accounts and click the links from home, possibly using VPNs which terminate in the US. Or you have some malware on at least some of your systems which sends data somewhere else and it is checked there. But that's just a wild guess and both of them sound bad for your company. – Tomek Oct 28 '22 at 18:10
  • Maybe they send it to a public directory like virustotal.com and its subscribers access the URL a couple more times. – anx Oct 28 '22 at 19:29
  • Please update with any findings as this information could be helpful to others. – stark Nov 04 '22 at 13:20
  • I will update my post as I find more info, but for now I'm still searching for possible cause(s). – SenseiRalph Nov 07 '22 at 13:19

1 Answer

2

Your users wouldn’t be the first to forward copies of their company email to a private address.

(For example to more easily manage/integrate their calendar with their phone, to get notifications away from their desks, to share their calendar with family members and of course to read mail in the native app on their phone.)

What happens after is obviously beyond your control.

The "clicks" you register may then easily originate from diverse sources such as:

  • your users' mobile networks
  • any WiFi points your users access at home and elsewhere
  • their own or their provider's (cloud based) security tools testing to see if the links detected need to be considered malicious and should be blocked
  • indeed actual clicks by recipients.

One such effect, for example, is the privacy protection measures introduced by Apple in macOS Monterey and iOS 15. See https://support.apple.com/guide/mail/use-mail-privacy-protection-mlhl03be2866/mac or https://support.apple.com/guide/iphone/use-mail-privacy-protection-iphf084865c7/ios

Those work, among other things, by using a network of randomly assigned IPs to act as proxies when (pre-)loading email content.

That would handily explain why you can get clicks on those e-mail links from unlikely IP-addresses.

What are the IP ranges of Apple's privacy protection proxies?

diya
  • 1,771
  • 3
  • 14
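As an added example (not from the question or the answer above), here is how a defender could triage a campaign's click export to separate office clicks, mail-privacy proxy prefetches, near-instant link-scanner hits and off-network clicks that point to forwarded mail. The office egress range, the proxy range and the click records are all constructed placeholders (RFC 5737 documentation addresses), and the 60-second scanner window is an assumed threshold.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# All values below are constructed for the example (RFC 5737 documentation
# ranges); substitute the real office egress and the published proxy ranges.
CAMPAIGN_SENT = datetime(2022, 10, 28, 14, 0, 0)
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office public IP
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]     # placeholder for mail-privacy proxy egress
SCANNER_WINDOW = timedelta(seconds=60)  # assumed: clicks this soon after sending are rarely human

# Constructed click export as a phishing platform would produce it: (user, click time, source IP)
CLICKS = [
    ("alice", datetime(2022, 10, 28, 14, 0, 4), "192.0.2.10"),    # seconds after send, unknown IP
    ("alice", datetime(2022, 10, 28, 15, 12, 0), "203.0.113.5"),  # later, from the office
    ("bob", datetime(2022, 10, 28, 14, 0, 9), "198.51.100.17"),   # privacy-proxy range
    ("bob", datetime(2022, 10, 28, 19, 45, 0), "192.0.2.77"),     # hours later, off-network
]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def classify(click_time, ip):
    """Label one click by where and when it happened, most reliable signal first."""
    addr = ipaddress.ip_address(ip)
    if in_any(addr, CORPORATE_EGRESS):
        return "user_click_office"
    if in_any(addr, PROXY_RANGES):
        return "mail_privacy_prefetch"
    if click_time - CAMPAIGN_SENT <= SCANNER_WINDOW:
        return "likely_link_scanner"
    return "off_network_click"  # forwarded mail, personal device, VPN, ...

def triage(clicks):
    """Return {user: [labels]} so each user's clicks can be judged together."""
    result = {}
    for user, when, ip in clicks:
        result.setdefault(user, []).append(classify(when, ip))
    return result

def users_needing_followup(clicks):
    """Users with off-network clicks: candidates for forwarding company mail to a private account."""
    return sorted(u for u, labels in triage(clicks).items() if "off_network_click" in labels)

def label_counts(clicks):
    """How many clicks fall into each category across the campaign."""
    return dict(Counter(classify(when, ip) for _, when, ip in clicks))

if __name__ == "__main__":
    print(triage(CLICKS))
    print(label_counts(CLICKS))
    print(users_needing_followup(CLICKS))
```

Clicks in the "off_network_click" bucket are the ones worth checking against mailbox forwarding rules and, where the timing matches, against the users' own accounts.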