What is Multi-Persona Impersonation?
Multi-Personal Impersonation (MPI) is a new email phishing technique that can make detection even more difficult for email users. The MPI technique uses the psychology principle of “social proof” to increase the perception of authenticity of emails, increasing the likelihood that unsuspecting recipients will click on them.1 The principle of social proof describes the tendency for people to copy the actions of others in a given situation.2 Cyberattackers engaged in an MPI attack use the principle of social proof by including other personas in the email, making the email appear more complex and legitimate. The following are examples of recent MPI campaigns:
- A sender was masquerading as the Director of Research at one organization and CC’d a director of another organization in an email sent to the target recipient.
- Scientists were sent an email where the CC’d persona replied with a OneDrive link downloading a DOCX document loaded with malicious macros.
- Two academics specialists were sent an email where three personas were CC’d.
Features of MPI attacks may include:
- Personal email addresses (Outlook, AOL, Gmail, and Hotmail)
- CC’d personas from impersonated organizations
- OneDrive links containing malicious docs that are password-protected files, used to perform template injection with macros
- Macros may collect information such as username, list of running processes, and the user’s public IP; macros exfiltrate this information using the Telegram API
In order to protect from phishing attacks such as MPI:
- Use security software
- Setting up automatic updates on mobile devices
- Back up data
- Be careful about the information that you share online and on social media
- Do not click on an email request to verify account information
- Carefully examine email addresses and URLs
- Never open an email attachment from someone that you don’t know, or attachments that you were not expecting, and be wary of forwarded attachments
- Set up two-factor or multi-factor authentication
- Verify a website’s security
- Keep browsers up to date
- Use firewalls
- Install anti-phishing toolbar
- Ensure that requests for payment are legitimate by contacting the individual personally
- Verify any changes in account numbers or payment procedures
- Any request for you to act quickly should be regarded with suspicion
1 Miller, Eaton, Rausch, 2022, “Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO”
2 Frye, 2020, “Why We’re All Followers”