Detecting Phishing Attacks with Shadow IT Discovery

Detecting Phishing Attacks with Shadow IT Discovery

Phishing attacks need no introduction, so we will skip the part where we discuss how relevant and scary they are. They often come in pair with stolen credentials, which is the aim of a large portion of phishing attacks in the first place. And stolen credentials lead to breaches that seem to be contained at a very slow pace compared to other attack vectors, according to IBM. After all, it’s more challenging to detect when an attacker can impersonate someone using legitimate credentials.

Anti-phishing solutions have one thing in common, they are only capable of preventing phishing attacks if they recognize them. Similar to an IPS or a firewall, email filtering and web filtering solutions have a one-off chance to block dubious content and prevent employees from visiting phishing sites. If they fail, the organization is at the mercy of their employee’s vigilance. With so much social and public information out there, crafting a spear-phishing email to trick even seasoned professionals to click is only a matter of time, not chance.

Blacklists seem to be very ineffective due to the scattered nature of the web, very similar to spam filtering, where no “one-true-blacklist” exists for all to go by. In a recent research, a sample of almost 100 thousand phishing domains was collected from four independent sources. However, only 2 percent of the whole list was covered by all four providers, meaning you should try to rely on as many sources for detection as possible.

There is one great indicator that is very easy to asses though, and that is the domain age. The above report indicates that 45% of phishing domains are flagged within just 14 days of registration.


This makes complete sense when combined with the above statistic, as new domains are less likely to make it to the blacklist within a few days. In fact, 57% of malicious domain registrations are utilized within only three days, quicker than payment providers or hosting services may detect fraud.

This aligns with another research by the Anti Phishing Working Group that found three-quarters of the phishing domains detected were less than three months old.

But this indicator alone is not sufficient, especially as remote working has changed how web traffic can be filtered for employees – if at all…

Phishing has multiple types and targets, but one of the most obvious and nasty types is credential stealers. They send a fake link to a fake site proposing a password reset or asking for login for any reason. As soon as the credentials are entered, attackers gain access to potentially critical accounts. Of course, MFA can soothe the pain, but that is no magic cure either.

Once attackers get hold of credentials, they immediately start to try utilizing them. In fact, according to Agari’s research, stolen credentials are already being validated within 12 hours of the successful phishing compromise.

So How Does Phishing Detection Differ From Prevention?

Once employees provide credentials, prevention has failed, and detecting fraudulent access to cloud-hosted environments with legitimate credentials is already tricky, not to mention business email compromise and other socially engineered attack vectors. But there is a silver lining, as none of the network or email-based solutions can detect the most critical step in a successful attack: when the employee enters their credentials.

Scirge monitors corporate email and password usage via its unique Shadow IT discovery capabilites, and thus a new account on an unknown URL can immediately raise alarms. URLs for humans may be deceptive, but cold-hearted algorithms will detect if it differs from the domains previously used with the same credentials. Public domain-age information is also immediately available to correlate if the domain was registered recently.

On top of all, the fingerprinting of passwords (using one-way secure hashes) allows Scirge to identify which exact account was compromised within a few seconds. In case an LDAP, AD or other high impact credential was provided on a new domain, password reset and warnings to employees can be issued immediately.

Detecting phishing attacks that were not prevented by email filters, network traffic filtering or via user awareness is the last line of defense that could and should be added on top of every other layer. Similar to NDRs, EDRs and XDRs watching for compromised networks, Scirge adds phishing detection on top of other existing preventive measures.

About Scirge

Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.