Phishing continues to be one of the top attack vectors behind breaches, according to the latest Verizon Data Breach Investigations Report. Sending ten phishing emails to an organization yields a 90% chance that company credentials are compromised. Phishing is often the first step in the attack chain, opening an organization to stealthy credential-based attacks that allow intruders to exfiltrate confidential data. InsightIDR now detects targeted spear phishing attacks, even ones that have never been seen before. This extends InsightIDR's existing ability to detect compromises throughout the attack chain.

Targeted attacks often use phishing sites with domains that are spelling variations close to the target company's own domain (e.g. www.rapid7.com vs. www.rapld7.com). Embedded in the context of a seemingly legitimate business email, these are very difficult for busy end users to detect. A targeted spear phishing email can look as if it's coming from a trusted colleague, embedding a slightly misspelled link in the body that links to a malicious website. InsightIDR uses machine learning to identify these lookalike domains, and automatically alerts you if one of your users visits a suspicious, lookalike website. This also enables InsightIDR to detect phishing outside the scope of corporate e-mail, including social media (e.g. Facebook, Twitter), and chat programs (e.g. Skype, Slack).

In addition to the spear phish detection, InsightIDR detects phishing emails through:

  • Threat intelligence: InsightIDR screens emails for phishing links identified by open source and commercial threat intelligence feeds. Incident responders can add their own threat intelligence and share it with the InsightIDR community to help their peers detect new attacks.
  • Identifying newly created domains: Attackers often register phishing domains shortly before an attack because domains quickly become blacklisted in threat intelligence feeds. Through the Insight Platform integration with Rapid7's Project Sonar, we monitor the registration of all new domains on the Internet and alert on any network activity to newly generated domains.
  • Faster phishing attack investigation: InsightIDR accelerates incident scoping by showing every user that received the link. From the same solution, you can investigate whether intruders have successfully gained a foothold and moved laterally across your network.

All of these phishing detections are available as a standard features in your InsightIDR or InsightUBA subscription. For more on how InsightIDR helps you detect top attack vectors behind breaches earlier in the attack chain, check out our 20-minute on-demand demo video!