Rather than simply disregarding the attack, WatchGuard set out to learn as much as they could by playing along with the attacker. Laliberte responded to the first email and the attacker replied, asking “the finance employee” to contact them via text to a phone number the attacker claimed was the manager’s personal line.
This email’s source address was a seemingly random seven-digit number at gmail.com. The attacker didn’t try to spoof the message to make it appear to come from a WatchGuard account. Instead, the attacker relied on the message’s “From:” header to fool the target. Most mail clients use the “From:” header to display who a message came from, and often the client only shows a sender’s first and last name. In this phishing email, the “From:” header showed the WatchGuard manager’s first and last name, which might convince uninformed employees that the message really did come from that manager.
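The mismatch described above, a trusted employee's name displayed over an outside address, can be checked mechanically. The following is an added example, not code from WatchGuard or the original article; the organisation domain, the directory entry, the verdict strings and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Assumed values for this sketch (constructed, not from the article).
ORG_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Constructed sample messages.
SAMPLE_SPOOF = ("From: Jane Doe <1234567@gmail.com>\n"
                "To: finance@example.com\nSubject: Quick request\n\nAre you free?\n")
# Same display name hidden in an RFC 2047 encoded word.
SAMPLE_ENCODED = ("From: =?utf-8?q?Jane_Doe?= <1234567@gmail.com>\n"
                  "To: finance@example.com\nSubject: Quick request\n\nAre you free?\n")
SAMPLE_LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
                "To: finance@example.com\nSubject: Budget\n\nSee attached.\n")

def normalize(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def check_from(raw_message):
    """Classify the first address in the From: header of a raw message."""
    # policy=default gives structured headers and decodes encoded words.
    msg = message_from_string(raw_message, policy=default)
    header = msg["From"]
    if header is None or not header.addresses:
        return "no-from"
    addr = header.addresses[0]
    display = normalize(addr.display_name or "")
    domain = addr.domain.lower()
    if display in DIRECTORY and domain != ORG_DOMAIN:
        # What the mail client shows is an employee's name, but the
        # address behind it is outside the organisation.
        return "display-name-impersonation"
    if display in DIRECTORY:
        # A matching domain is not proof of origin; SPF/DKIM/DMARC
        # results still have to be evaluated separately.
        return "internal-name-internal-domain"
    return "unknown-sender"

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_ENCODED, SAMPLE_LEGIT):
        print(check_from(sample))
```

A mail gateway applying this kind of check would typically tag or quarantine the message rather than reject it, since employees also write from personal accounts.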