The "Old Email Reply Chain" Trick

Threat Level: Medium
Threat Type: Phishing
Advisory Date: 07/13/2023

Description

Phishing remains a persistent and pervasive threat to all organizations. While the University of Regina has many security measures in place to block unwanted emails, threat actors are always looking for ways to trick you into clicking links and providing personal information.

An old technique known as an 'email reply chain attack' has recently resurfaced at the University of Regina. What sets this phishing campaign apart is that the body of the email contains a legitimate past email thread that you may have been part of. Including the old thread lends the message credibility and makes it look more legitimate. The old thread is typically acquired by a threat actor who has compromised the account of someone on the email trail. The message will typically contain a malicious link or document, in the hope that you will trust the email enough to click the link or open the document.

What to Look For

As with all other types of phishing emails, there are signs to look for:
  • Check the date of the email thread. If it is old, it is likely not legitimate.
  • It is confusing to be added to an old email thread. This is the desired effect threat actors are seeking.
  • In this case, the messages claimed to be from someone at the University but were sent by an external sender.
  • Never open attachments from unknown senders. Because the email thread is hijacked, the sender is unknown.
  • Be cautious of any email you receive with a warning banner attached (i.e. indicating it is from an external source).
  • Always check the sender's email address to ensure it matches the organization from which it claims to be sent.
  • Be wary of urgent requests for personal information or to perform a task with severe or unrealistic consequences for inaction.
  • Hover over any embedded links or URLs in the message to ensure they lead to a legitimate and expected location.
  • Watch for spelling and grammar errors evident in the email.
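
For mail administrators, three of the signs above (an old thread, an external sender on an internal thread, and an external sender reusing an internal participant's name) can be checked mechanically. The following is an added example, not part of the original advisory: the 90-day threshold, the "On <date>, <name> <address> wrote:" quote format, the function names and the sample message are all assumptions made for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "uregina.ca"       # domain of the advisory's own addresses
MAX_THREAD_AGE = timedelta(days=90)  # assumed cut-off for an "old" thread
# Attribution line above quoted text: On <date>, <name> <address> wrote:
QUOTE_RE = re.compile(
    r"^[> ]*On (?P<date>.+?), (?P<name>[^<,]+) <(?P<addr>[^>]+)> wrote:\s*$", re.M)

def is_internal(addr):
    domain = addr.rpartition("@")[2].lower()
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)

def reply_chain_flags(raw):
    """Return the warning signs found in one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sent = parsedate_to_datetime(msg["Date"])
    quoted = [(parsedate_to_datetime(m["date"]), m["name"].strip(), m["addr"])
              for m in QUOTE_RE.finditer(msg.get_payload())]
    if not quoted:
        return []  # no quoted thread, nothing to compare against
    flags = []
    if sent - max(d for d, _, _ in quoted) > MAX_THREAD_AGE:
        flags.append("stale_thread")
    if not is_internal(addr):
        if any(is_internal(a) for _, _, a in quoted):
            flags.append("external_sender_on_internal_thread")
        if any(n.lower() == name.lower() and is_internal(a) for _, n, a in quoted):
            flags.append("claims_internal_identity")
    return flags

# Constructed sample: names, addresses and dates are invented for illustration.
HIJACKED = """\
From: "Jane Doe" <jane.doe@mail.example.net>
Subject: RE: Budget spreadsheet
Date: Thu, 13 Jul 2023 10:05:00 -0600

Please see the attached document.

On Mon, 14 Mar 2022 09:12:00 -0600, Jane Doe <jane.doe@uregina.ca> wrote:
> Here is the spreadsheet we discussed.
"""
# Same message sent from the internal address on a recent thread.
LEGIT = HIJACKED.replace("mail.example.net", "uregina.ca").replace("14 Mar 2022", "10 Jul 2023")
if __name__ == "__main__":
    print(reply_chain_flags(HIJACKED), reply_chain_flags(LEGIT))
```

A flagged message is a candidate for review, not a verdict: legitimate replies to old threads from external collaborators will also trip these checks.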

Impact

Threat actors send malicious links and attachments through email.

Should you click a link, you may divulge more information than you realize, or even your password.

Should you open an attachment, you may be installing malware.

Resolution

If you receive a phishing email, please 'forward as attachment' to Report.Phishing@uregina.ca.

If you are concerned about the security of your account after receiving a phishing message, you can take the following actions:

  • Change your password. https://novapp.cc.uregina.ca/perl/chpass.pl
  • Choose a password that:
    • Is completely different from your previous password.
    • Is not used anywhere else.
    • Does not contain your previous password.
  • Check your account for email forwarding and mailbox rules.

Resources

Please contact the IT Support Centre if you have any questions or require assistance:

Email IT.Support@uregina.ca

Phone 306-585-4685

Webform https://www.uregina.ca/is/forms/ticket.html

In person at ED 137 or Archer Library Commons

Take cyber security awareness training available to all faculty and staff on Beauceron - https://www.uregina.ca/is/security/training/training-register.html

External links

https://www.sentinelone.com/blog/email-reply-chain-attacks-what-are-they-how-can-you-stay-safe/