Aegis Threat Glossary

The Hook: A "secure" or "private" document containing sensitive financial or legal info.

Modus Operandi: The attacker attaches a password-protected PDF or ZIP file and provides the password in the email body. The malicious link or malware is inside the encrypted file.

Evasion Mechanisms (Why SEGs Miss It):

Encryption Blinding: The file is encrypted. The SEG (Security Email Gateway) cannot "detonate" or inspect the file contents because it doesn't have the password, so it defaults to letting the file through to avoid business disruption.

Indicators of Compromise:

Body Text: "Password: [12345]" or "Pin: 9922".
Filename: Bid Invitation.zip or Payment Remittance.pdf.

Real World Lure: "Bid Invitation," "Payment Remittance," or "Project Draft".

Targeted Role: Contract Managers, Finance.

Potential Impact: Account Takeover.

Damage: from $Ks - to $Ms + Data loss and fines.

Drive-by Malware ("Health" Updates)

The Hook: A critical "Health" or "Security" update for the user's computer.

Modus Operandi: A lure about "Health related updates" that, upon navigation to the link, automatically drops a malware file (drive-by download).

Evasion Mechanisms (Why SEGs Miss It):

Zero-Click/Low-Interaction: Does not necessarily require the user to enter credentials, just to visit the link. Bypasses credential-harvesting detectors.

Indicators of Compromise:

Subject: System patch notes or "Health Update."

Real World Lure: "Health related updates".

Targeted Role: General Employees.

Potential Impact: Malware Infection.

Damage: from $Ks - to $Ms + Data loss, fines and recovery.

Legal Intimidation (The "Big Law" Lure)

The Hook: An urgent threat of lawsuit, copyright infringement, or debt collection.

Modus Operandi: Impersonation of high-profile law firms. The email demands immediate review of a "Takedown Notice" or "Collection Letter" to avoid court.

Evasion Mechanisms (Why SEGs Miss It):

Urgency & Authority: The content is designed to trigger a panic response (Urgency Analysis), causing the user to bypass their own internal "human firewall" and click without thinking.

Indicators of Compromise:

Sender: "Billing Department" or "Legal Compliance."
Address: 1337 N. Deadwood Street, Suite 8593, Dallas, TX (Real address used for credibility).
Lure: "IP protection and filing services" or "Governance compliance."

Real World Lure: "Copyright Infringement Notice," "Collection Letter," or "Billing Department".

Targeted Role: Legal, Executives

Potential Impact: Account Takeover + Financial Loss.

Damage: from $Ks - to $Ms + Data loss and fines.

Nested Cloud Spoofing (Two-Step Google/SharePoint Phishing)

The Hook: A notification sharing a legitimate Google Drive or SharePoint document.

Modus Operandi:

The user receives a link to a real Google Doc or Drive file (hosted on drive.google.com).
The content of that real document contains the malicious link to the phishing site.

Evasion Mechanisms (Why SEGs Miss It):

Reputation Hijacking: The initial URL is a high-reputation domain (Google/Microsoft). Security scanners allow the email because the link itself is benign. They often fail to scan the content of the linked file (secondary payload).

Indicators of Compromise:

Lure: "Shared Google document" or "Fake Docusigns".
Behavior: The link opens a document that simply says "Click here to view" or "Download."

Real World Lure: "Shared Google document" containing secondary phishing links.

Targeted Role: All Employees (specifically those using Google Workspace).

Potential Impact: Account Takeover.

Damage: from $Ks - to $Ms + Data loss and fines.

Phantom Thread (Advanced Vendor Impersonation)

The Hook: A fake "reply" chain simulating a conversation between a vendor and your internal executives.

Modus Operandi: The attacker sends an invoice but attaches a fake forwarded email history. This history shows a conversation where an internal executive (e.g., CEO) supposedly approved the invoice and instructed the vendor to "send it to AP."

Evasion Mechanisms (Why SEGs Miss It):

Contextual Legitimacy: SEGs often look for "cold" outreach. The fake thread makes the email appear to be a solicited "Reply" (RE: subject line), bypassing standard relationship filters.

Fuzzing Variants: Automated tools rotate sender domains and body text slightly to avoid signature-based detection.

Indicators of Compromise:

Subject Line: RE: PRESTIGE WORLDWIDE INC. Past Due Statement
Sender: John Smith <john@prestigeworldwide-us.org> (Look for slight domain misspellings).
Content: "Forwarded correspondence" timestamped at odd hours (e.g., 03:23 A.M.).

Real World Lure: "RE: PRESTIGE WORLDWIDE INC. Past Due Statement" or "Forwarded correspondence".

Targeted Role: Finance, Accounts Payable (ap@...).

Potential Impact: Financial Loss + Data Extortion.

Damage: from $Ks - to $Ms.

Quishing (QR Code Perimeter Bypass)

The Hook: A "time-sensitive" HR or Benefit notice that requires mobile access.

Modus Operandi: The email contains minimal text and a large image/QR code. Scanning the code moves the user from their secured corporate laptop (protected by EDR/SEG) to their personal mobile device (unprotected).

Evasion Mechanisms (Why SEGs Miss It):

Device Switching: The attack physically moves the session off the corporate network, rendering endpoint protection useless.
OCR Failure: Many SEGs struggle to parse or "read" QR codes embedded in images quickly enough to block the email.

Indicators of Compromise:

Lure: "End of Year Bonus," "Holiday Pay Access," or "HR Document."
Visual: Large QR code with instructions: "Scan with your phone camera."

Real World Lure: "End of Year Bonus & Holiday Pay Access Notice" or "HR Document".

Targeted Role: HR / General Staff.

Potential Impact: Account Takeover.

Damage: from $Ks - to $Ms + Data loss and fines.

Secure Mail Portal Impersonation

The Hook: A notification that you have a "Secure Message" waiting from a known vendor.

Modus Operandi: The email mimics a "Secure Message Center" (like Cisco or Mimecast). Clicking "Read Message" takes the user to a fake portal login page to harvest credentials.

Evasion Mechanisms (Why SEGs Miss It):

Trusted Infrastructure: Attackers often use compromised accounts from real vendors or spoof trusted domains (novus-global.ws) to send these, giving the email a high "Sender Reputation Score."

Indicators of Compromise:

Sender: Nathan Smith <nathan.smith@novus-global.ws>
Call to Action: "View Secure Message" or "Read Message."

Real World Lure: "Secure Message" from "Novus Global" or similar vendors.

Targeted Role: Executives, Sales.

Potential Impact: Account Takeover.

Damage: from $Ks - to $Ms.

System Utility Panic (Account Capacity Spoofing)

The Hook: A functional alert about your work tools stopping (e.g., "Email storage full").

Modus Operandi: Mimics system-generated alerts from Google Workspace or Microsoft 365. It claims "1.09 GB left" or "Password Expired" to force a login on a harvesting site.

Evasion Mechanisms (Why SEGs Miss It):

Utility Camouflage: These emails look like "noise"—standard operational emails that SEGs are trained to deliver.

Indicators of Compromise:

Subject: Google Capacity Usage: Alert 1.09 GB left or Password Expired.
Visual: Progress bars showing red/full storage.

Real World Lure: "Password Expiration Notice" or "Google Capacity Usage".

Targeted Role: All Employees.

Potential Impact: Account Takeover.

Damage: from $Ks - to $Ms + Data loss and fines.