Test Cases: Common Terms
Definitions of the email security test cases and attack techniques used in the test suite.
Content Analysis involves examining the body, links, and structure of emails to detect malicious patterns. Common evasion techniques include:
- Link Wrapping: Using trusted link-shortening or wrapping services to hide the true destination URL, making malicious links appear safe.
- Visual Evasion: Techniques that obfuscate text to evade text-based filters, such as matching text color to background, using tiny fonts, or widely spacing characters.
- QR Code Phishing: Embedding QR codes that resolve to malicious sites. The URL is carried inside an image rather than in the message text or HTML, so URL extraction and link rewriting that only inspect text never see it, and scanning moves the victim to a phone outside the mail client's controls.
- AI Prompt Injection: Hidden instructions embedded in email content that could affect how AI email assistants parse or summarize the message.
- Token Manipulation: Strategically placing words and tokens to bypass text classification systems by making malicious content appear legitimate.
- Parsing Discrepancies: Exploiting differences in how email clients and security systems parse HTML and CSS to hide malicious content.
- Suspicious Subject Patterns: Subject lines containing common phishing indicators designed to create urgency or prompt action.
- Image-Only Content: Emails that rely primarily on images rather than text, making content analysis more difficult.
- Unicode Subject Lines: Using Unicode characters in subject lines, including emojis and homoglyphs (characters from other scripts that look like Latin letters), to defeat keyword matching or create confusion.
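The subject-line items above (urgency cues, Unicode and homoglyph substitution) can be checked with a few lines of normalization and script analysis. The following is an added example, not code from the page or its test suite; the sample subjects and the urgency vocabulary are constructed for illustration and would be tuned in a real filter.

```python
import re
import unicodedata

# Constructed sample subjects (not from the page or its test suite).
SAMPLE_SUBJECTS = {
    "plain": "Your invoice is attached",
    "urgent": "URGENT: Action required - verify your account",
    # Cyrillic small a (U+0430) replaces the Latin a in "account"
    "homoglyph": "Urgent: Your \u0430ccount has been suspended",
    "emoji": "\U0001F512 Password expires today!!! \u26A0\uFE0F",
}

# Assumed lure vocabulary for this example; a real filter would use a tuned list.
URGENCY_PHRASES = ("urgent", "immediately", "action required", "verify", "suspended", "expires")


def script_of(ch):
    """Rough script label from the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'.
    Returns None for digits, punctuation and symbols so they never count as a script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else None


def analyze_subject(subject):
    """Return the signals a filter wants from a subject line: the NFKC-normalized
    text, words that mix scripts (homoglyph substitution), counts of non-ASCII and
    emoji characters, and the urgency phrases present after normalization."""
    norm = unicodedata.normalize("NFKC", subject)
    mixed_script_words = []
    for word in re.findall(r"\w+", norm):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            mixed_script_words.append(word)
    non_ascii = [c for c in norm if ord(c) > 127]
    emoji_count = sum(1 for c in non_ascii if unicodedata.category(c) == "So")
    lowered = norm.lower()
    urgency_hits = [p for p in URGENCY_PHRASES if p in lowered]
    return {
        "normalized": norm,
        "mixed_script_words": mixed_script_words,
        "non_ascii_count": len(non_ascii),
        "emoji_count": emoji_count,
        "urgency_hits": urgency_hits,
    }


if __name__ == "__main__":
    for label, subj in SAMPLE_SUBJECTS.items():
        print(label, analyze_subject(subj))
```

Mixed scripts inside a single word is the strongest homoglyph signal; a whole subject in one non-Latin script is normal for many users and should not be flagged on its own. NFKC normalization runs first so that fullwidth or compatibility forms collapse to their ASCII equivalents before keyword matching.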
Attachment Policy refers to how email security systems handle different file types and attachment patterns. Common attack vectors include:
- HTML Smuggling: HTML attachments whose embedded JavaScript assembles the real payload in the browser (typically from a base64- or XOR-encoded string) and triggers a download, so the gateway never sees the final file and static attachment scanning misses it.
- Nested Attachments: Files embedded within other files to evade detection or bypass file type restrictions.
- File Type Variations: Using various file types and extensions to test whether security systems correctly identify and filter potentially dangerous attachments.
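A static scanner can still catch the HTML smuggling pattern by looking for the script constructs that appear together in such pages and by decoding any long base64 literal to check its magic bytes. The following is an added example, not code from the page or its test suite; both HTML attachments and the payload bytes are constructed for illustration, and the indicator list and threshold are assumptions, not a published detection rule.

```python
import base64
import binascii
import re

# Constructed payload: ZIP magic bytes plus padding, not a real archive.
PAYLOAD = b"PK\x03\x04" + b"\x00" * 16

# Constructed HTML attachment in the shape of an HTML smuggling lure: the file is
# carried as a base64 string and materialised by the browser as a download.
SMUGGLING_SAMPLE = """<html><body>
<p>Your secure document is loading...</p>
<script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2024.zip";
document.body.appendChild(a);
a.click();
</script>
</body></html>""" % base64.b64encode(PAYLOAD).decode()

# Constructed benign HTML attachment for comparison.
BENIGN_SAMPLE = """<html><body><h1>Monthly newsletter</h1>
<p>Read the full update on our site.</p>
<script>document.title = "Newsletter";</script>
</body></html>"""

# Script constructs that appear together in smuggling pages; any one alone is common.
SMUGGLING_INDICATORS = [
    (re.compile(r"\batob\s*\("), "base64 decode in script"),
    (re.compile(r"new\s+Blob\s*\("), "Blob construction"),
    (re.compile(r"URL\.createObjectURL\s*\("), "object URL for download"),
    (re.compile(r"\.download\s*="), "forced download attribute"),
    (re.compile(r"\.click\s*\(\s*\)"), "programmatic click"),
    (re.compile(r"navigator\.msSaveOrOpenBlob"), "legacy IE blob save"),
]

# Magic bytes of file types worth flagging when they decode out of a string literal.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe-executable", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole2"}


def decode_blobs(html, min_len=16):
    """Find quoted base64 literals, decode them and identify the file type by magic bytes."""
    found = []
    for lit in re.findall(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % min_len, html):
        try:
            data = base64.b64decode(lit, validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
        found.append((len(data), kind))
    return found


def scan_html_attachment(html):
    """Static scan of an HTML attachment for the smuggling pattern: several download
    constructs in one script, or an embedded literal that decodes to a known file type."""
    indicators = [label for pat, label in SMUGGLING_INDICATORS if pat.search(html)]
    blobs = decode_blobs(html)
    carries_file = any(kind != "unknown" for _, kind in blobs)
    verdict = "smuggling-likely" if len(indicators) >= 3 or carries_file else "clean"
    return {"indicators": indicators, "embedded_blobs": blobs, "verdict": verdict}


if __name__ == "__main__":
    print(scan_html_attachment(SMUGGLING_SAMPLE))
    print(scan_html_attachment(BENIGN_SAMPLE))
```

Real lures often split the payload across several variables, reverse it, or XOR it with a key before calling atob, which defeats the blob decoder here; the co-occurrence of the script constructs is the more durable signal, and detonating the attachment in a browser sandbox is the only way to see what it actually writes to disk.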
Header Analysis examines email headers (metadata) for suspicious patterns or inconsistencies. Common red flags include:
- High Priority Flags: X-Priority or Importance headers set to the highest level. They do not bypass filtering by themselves, but attackers set them to manufacture urgency, and some filters treat them as a weak risk signal.
- Reply-To Mismatch: When the Reply-To domain differs from the From domain, replies go to an attacker-controlled mailbox while the message still appears to come from a trusted sender. Mailing lists and ticketing systems do this legitimately, so it is a signal to combine with others rather than a verdict on its own.
- Header Manipulation: Various header fields that could indicate spoofing, forwarding chains, or other suspicious patterns.
QR Code Phishing (also called "quishing") embeds QR codes in emails that redirect to malicious websites. The technique works because the URL is carried inside an image: text-based link extraction, URL rewriting and reputation lookups never see it unless the scanner decodes QR images. Scanning also moves the user from the mail client to a mobile browser, often on an unmanaged personal device, where security controls may be different or absent.
Link Wrapping (also called "link-shortening abuse") uses trusted URL shortening or wrapping services to hide the true destination of links. Attackers leverage legitimate services to make malicious URLs appear safe, as security systems may trust these services or have difficulty analyzing the final destination until the link is clicked.
Visual Evasion (also called "visual spam evasion") uses formatting tricks to make malicious text invisible or hard to detect by text-based filters. Common techniques include matching text color to background color, using extremely small fonts, widely spacing characters, or hiding text in HTML comments or CSS. These techniques allow attackers to include trigger words that would normally be caught by filters while making them invisible to human readers.
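The visual evasion tricks listed above, and in the Content Analysis list earlier, all depend on a gap between what a text extractor reads and what a human sees. The following is an added example, not code from the page or its test suite: it walks an HTML body with the standard-library parser and splits text into visible and hidden according to inline styles, reporting why each hidden run is invisible. The sample message and the hidden-style rules are constructed for illustration; a production filter would also evaluate stylesheets and computed styles, which this example does not.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the human sees a short benign notice; the hidden elements
# carry filter-poisoning keywords and the actual lure.
SAMPLE_HTML = """<html><body style="background:#ffffff">
<p>Hi team, please see the agenda for Thursday.</p>
<p style="color:#ffffff;">meeting agenda quarterly review budget notes approved</p>
<span style="font-size:0px">verify your password at the portal</span>
<div style="display:none">urgent payment overdue</div>
<!-- wire transfer confirmation -->
<p style="letter-spacing:8px">c l i c k</p>
</body></html>"""

# Inline-style patterns that make text invisible (assumed rule set for this example).
HIDDEN_RULES = [
    (re.compile(r"display\s*:\s*none"), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden"), "visibility:hidden"),
    (re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])"), "opacity:0"),
    (re.compile(r"font-size\s*:\s*(?:0|[012]px|0\.\d+em)(?![\d.])"), "tiny font"),
]
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source", "track", "wbr"}
NON_RENDERED = {"script", "style", "head", "title"}


def norm_color(value):
    """Canonicalise a CSS colour so #fff, #FFFFFF and white compare equal."""
    v = value.strip().lower()
    if v == "white":
        return "#ffffff"
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return v
    h = m.group(1)
    return "#" + ("".join(c * 2 for c in h) if len(h) == 3 else h)


class HiddenTextParser(HTMLParser):
    """Splits text nodes into visible and hidden according to inline styles,
    inheriting hidden-ness and background colour from enclosing elements."""

    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hidden_reason_or_None, background) per open element
        self.visible, self.hidden, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").lower()
        _, reason, bg = self.stack[-1] if self.stack else (None, None, "#ffffff")
        m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", style)
        if m:
            bg = norm_color(m.group(1))
        if reason is None and tag in NON_RENDERED:
            reason = "non-rendered element"
        if reason is None:
            for pat, label in HIDDEN_RULES:
                if pat.search(style):
                    reason = label
                    break
        if reason is None:
            m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style)
            if m and norm_color(m.group(1)) == bg:
                reason = "color matches background"
        self.stack.append((tag, reason, bg))

    def handle_endtag(self, tag):
        if any(t == tag for t, _, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        reason = self.stack[-1][1] if self.stack else None
        if reason:
            self.hidden.append((text, reason))
        else:
            self.visible.append(text)

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))


def collapse_spaced(text):
    """Rejoin text written as single spaced characters ('c l i c k' -> 'click')."""
    tokens = text.split()
    if len(tokens) >= 3 and all(len(t) == 1 for t in tokens):
        return "".join(tokens)
    return None


def analyze_html(html):
    """Return visible text, hidden text with the reason it is hidden, HTML comments,
    and spaced-out words rejoined, so each stream can be classified separately."""
    p = HiddenTextParser()
    p.feed(html)
    p.close()
    spaced = [w for w in map(collapse_spaced, p.visible) if w]
    return {"visible": p.visible, "hidden": p.hidden, "comments": p.comments, "spaced_words": spaced}
```

The point of separating the streams is that hidden text and comments should be scored as evasion in their own right, rather than being concatenated with the visible text where the benign padding dilutes the classifier and the lure is never matched against what the recipient actually reads.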
Display Name Spoofing occurs when an email's display name (the name shown in the "From" field) impersonates a trusted person or brand while the actual sender address belongs to an unrelated domain, for instance a known executive's name over a free webmail address. This is a common social engineering technique because many email clients, especially on mobile, prominently display the display name while hiding or de-emphasizing the actual email address, so the recipient never sees the mismatch. Unlike envelope or domain spoofing, it passes SPF, DKIM and DMARC, because the sending domain is genuinely the attacker's own.
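The header checks described under Header Analysis and the display name check above can be run over a raw message with the standard-library email parser. The following is an added example, not code from the page or its test suite. Both messages, the trusted domain list and the brand tokens are constructed assumptions for illustration; the finding codes are this example's own, not a published taxonomy.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domains and the brand
# tokens that only those domains should use in a display name.
TRUSTED_DOMAINS = {"acme.example"}
TRUSTED_BRAND_TOKENS = {"acme"}

# Constructed messages, not from the page's test suite.
SUSPICIOUS_RAW = b"""From: "Acme Payroll" <notify@acme-payrol1.example>
Reply-To: collections@mail-relay.example
To: alice@acme.example
Subject: Payroll update
X-Priority: 1 (Highest)
Importance: High
Date: Tue, 03 Sep 2024 09:12:00 +0000
Message-ID: <20240903091200.1@acme-payrol1.example>

Please review the attached changes before noon.
"""

BENIGN_RAW = b"""From: "Alice Smith" <alice@acme.example>
To: bob@acme.example
Subject: Lunch on Friday?
Date: Tue, 03 Sep 2024 09:15:00 +0000
Message-ID: <20240903091500.2@acme.example>

Same place as last time?
"""

# An email address hidden inside the display name, e.g. "ceo@acme.example" <x@evil.example>
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Return (code, detail) findings for Reply-To mismatch, display name spoofing
    and priority flags, parsed from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # Reply-To mismatch: replies leave the From domain. Legitimate for mailing
    # lists and ticketing systems, so it is a signal to combine, not a verdict.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {domain_of(reply_addr)}"))

    # Display name spoofing: the name claims an identity the address does not have.
    name_l = from_name.lower()
    embedded = EMBEDDED_ADDR.search(name_l)
    if embedded and embedded.group(1) != from_domain:
        findings.append(("display-name-spoof", f"name shows {embedded.group(0)}, address is {from_addr}"))
    elif from_domain not in TRUSTED_DOMAINS and any(t in name_l for t in TRUSTED_BRAND_TOKENS):
        findings.append(("display-name-spoof", f"name '{from_name}' uses a trusted brand, domain is {from_domain}"))

    # Priority flags: an urgency cue rather than a bypass; weak on its own.
    x_priority = str(msg.get("X-Priority", "")).strip()
    importance = str(msg.get("Importance", "")).strip().lower()
    if x_priority[:1] in {"1", "2"} or importance == "high":
        findings.append(("priority-flag", f"X-Priority={x_priority!r} Importance={importance!r}"))

    return {"from_name": from_name, "from_addr": from_addr, "findings": findings}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_RAW, BENIGN_RAW):
        print(analyze_headers(raw))
```

None of the three findings is conclusive alone; the value is in their co-occurrence, and in the fact that the lookalike domain in the From address will typically pass SPF and DKIM because the attacker controls it.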
Note: These definitions describe common email attack techniques used by threat actors. Understanding these terms helps organizations better understand email security risks and evaluate their defensive capabilities.
Social Engineering refers to psychological manipulation techniques used to trick users into taking actions that compromise security. In email security, common techniques include: