It might arrive from a sound-alike account name from a popular public email server (Hotmail, Gmail, and so on), with the sender claiming to be using this previously unknown account because they are locked out of their work email. Again, who hasn’t been through this before?
But more likely than not, the fake phishing email appears to arrive from the other person’s real work email address, either because the phishing organization is able to send fake email origination addresses from the outside, or it has successfully compromised the other person’s email account. The latter is becoming the most popular attack method -- who wouldn’t click on a link sent by their boss?
That attack includes a project you are working on
Many spearphishing victims fall prey to the fact that the malicious sender seems to know what projects they are working on. This is because spearphishers have spent time researching them or have been in control of a colleague’s email account for a while. The email may include a subject line like “Here is that report on XYZ you’ve been waiting on,” or “Here are my edits to the report you sent,” with an attached copy of a report originally sent by the receiver, but with an updated autolaunch malicious link. It might also allude to a project’s viability, asking, “Do you think this will impact our project?” or exclaiming “Someone beat us to it!” with a link to a malicious news article that appears related to the project.
I’ve seen emails purporting to be from lawyers seeking increases in child support to individuals going through a divorce. I’ve seen phishing emails from leaders of professional organizations sent out to their membership lists. I’ve seen emails to C-level officers claiming to have pending lawsuit information, which ask the receiver to run the executable to “unlock” the attached confidential PDF file. I’ve seen bogus updates sent to IT security pros purporting to contain a security update from a vendor, about a product they recently bought and installed.
The email subjects and body contents aren’t “Look at this!” generic ruses. Nope, today’s spearphishing email comes from someone you trust on a project you are working on. After you read a few of these you start wishing all we had to worry about was fake dying relatives and Viagra ads.
Your attacker has been monitoring your company’s email
These days corporate attackers are monitoring dozens of email accounts in your company. It’s where they get the necessary context to fool your co-workers and where they can monitor the most sensitive and valuable information in your company.
If you find out your company is compromised, assume that all C-level employees and VIP email accounts are compromised and have been for a long time. Even the initial reporting of the bad guy’s possible detection is probably in front of their eyes. They know what you know.