Adaptive Phishing Attack Uses Whimsical and Lucid to Deliver Office 365 Credential Phish
Attack Overview
Step 1: Email
A compromised vendor account sends an email sharing a Whimsical document. Because it comes from a real vendor mailbox, the email appears legitimate; it contains a link to view a document that supposedly holds confidential information.

- Sent from a legitimate, compromised vendor domain.
- Initial link points to a Whimsical document that contains the phishing link.
- Spoofs a standard business document-sharing workflow.
Step 2: Phishing Link and Platform Pivot
When the recipient cannot open the original link, the attacker adapts by sending a new phishing link hosted in a Lucid document, which looks even more legitimate to the recipient.

- Attacker switches from Whimsical to Lucid.
- Lucid-hosted link includes the same credential phishing payload.
- Increased legitimacy through use of trusted design platforms.
Step 3: Account Takeover via VPN Access
Once the victim enters their credentials, the attacker signs in through a VPN so that geolocation-based detection does not trigger. The compromised account is then used for business email compromise (BEC) activity.

- Stolen credentials used to sign in from an unrecognized VPN address.
- Attacker behavior includes suspicious sign-in patterns.
- Used for further phishing or internal compromise.
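The sign-in step above is where a defender still has a chance to catch the takeover: the VPN exit may sit in the victim's own country, so country alone looks normal, but the source network does not match anything the user has used before. The following is an added example of that check, not Abnormal Security's detection logic. It assumes sign-in records already enriched with a country code and the ASN organisation of the source IP (most identity providers and SIEMs supply both) and a locally maintained list of ASN organisations known to belong to commercial VPN or hosting providers; all records, names and the anonymizer list are constructed for the example.

```python
"""Sign-in anomaly check for the account-takeover step (added example).

Assumes events are tuples of (user, timestamp, country, asn_org, success),
already enriched upstream. ANONYMIZER_ASNS would normally come from a
threat-intel feed; here it is a constructed placeholder list.
"""
from collections import defaultdict

# Constructed: ASN organisation names treated as anonymising infrastructure.
ANONYMIZER_ASNS = {"ExampleVPN Holdings", "CheapCloud Hosting"}

# Constructed sign-in history for one user (all successful, home ISP and office).
HISTORY = [
    ("alice", "2024-05-01T08:02:00", "US", "Comcast Cable", True),
    ("alice", "2024-05-02T08:11:00", "US", "Comcast Cable", True),
    ("alice", "2024-05-03T09:00:00", "US", "Contoso Corp", True),
    ("alice", "2024-05-03T17:45:00", "US", "Comcast Cable", True),
]

# Constructed new events. The second mimics the attacker using a VPN exit in
# the victim's own country; the third is the same VPN from abroad.
NEW_EVENTS = [
    ("alice", "2024-05-04T08:05:00", "US", "Comcast Cable", True),
    ("alice", "2024-05-04T08:20:00", "US", "ExampleVPN Holdings", True),
    ("alice", "2024-05-04T08:21:00", "DE", "ExampleVPN Holdings", True),
]


def build_baseline(history):
    """Per-user sets of networks and countries seen in successful sign-ins."""
    baseline = defaultdict(lambda: {"asns": set(), "countries": set()})
    for user, _ts, country, asn, success in history:
        if success:
            baseline[user]["asns"].add(asn)
            baseline[user]["countries"].add(country)
    return baseline


def score_signin(event, baseline):
    """Return (score, reasons) for one successful sign-in event."""
    user, _ts, country, asn, success = event
    profile = baseline.get(user, {"asns": set(), "countries": set()})
    score, reasons = 0, []
    if not success:
        return score, reasons  # failed attempts are handled elsewhere
    if asn not in profile["asns"]:
        score += 1
        reasons.append(f"new network for user: {asn}")
    if asn in ANONYMIZER_ASNS:
        # Geolocation looks normal when the VPN exit is in the victim's
        # country; the source network is what gives the sign-in away.
        score += 2
        reasons.append("source ASN is a known VPN/hosting provider")
    if country not in profile["countries"]:
        score += 1
        reasons.append(f"new country for user: {country}")
    return score, reasons


def flag_events(events, history, threshold=2):
    """Return (user, timestamp, score, reasons) for events at or above threshold."""
    baseline = build_baseline(history)
    flagged = []
    for event in events:
        score, reasons = score_signin(event, baseline)
        if score >= threshold:
            flagged.append((event[0], event[1], score, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, score, reasons in flag_events(NEW_EVENTS, HISTORY):
        print(f"{ts} {user} score={score}: {'; '.join(reasons)}")
```

The first new event (home ISP, home country) scores zero; the two VPN sign-ins are flagged, the domestic one because of the unfamiliar network and anonymizer ASN rather than its location. In production the baseline window, the anonymizer feed and the threshold would be tuned per tenant, and a flagged sign-in would be correlated with the earlier link click from the same user.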
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The email came from a trusted vendor domain that passed SPF, DKIM, and DMARC.
- The malicious link was hosted within trusted platforms (Whimsical and Lucid).
- A Cloudflare Turnstile challenge in front of the phishing page limited the ability of automated tools to analyze the link.
How Did Abnormal Detect This Attack?
Abnormal detected this attack by applying AI and ML to several signals, including:
- Abnormal sender behavior and message formatting.
- Unusual URLs hosted on design platforms.
- Contextual clues indicating urgency and potential financial impact.
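The two sections above together describe why the message slipped past authentication-based filters and which signals still expose it: a sender that has never linked to a design platform before, a link whose destination an automated fetch could not reach, and urgent financial wording. The following is an added example that scores a parsed message on exactly those signals; it is not Abnormal Security's detector. It assumes messages have already been reduced to a dict holding the sender domain, the DMARC result, the URLs found in the body, the body text and the outcome of an automated fetch of each URL. The design-platform hostnames (whimsical.com, lucid.app), the urgency phrases, the sender link history and the messages themselves are assumptions constructed for the example.

```python
"""Message-level scoring for a vendor-sent design-platform link (added example).

Assumes upstream parsing has produced the message dicts shown below. The
hostnames in DESIGN_PLATFORMS and the URGENCY phrases are assumptions for
this example and should be extended per tenant.
"""
import re
from urllib.parse import urlparse

# Assumed hostnames for the two platforms the attack used.
DESIGN_PLATFORMS = {"whimsical.com", "lucid.app"}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|wire|payment|invoice)\b", re.I)

# Constructed history of URL hosts previously seen from each sender domain.
SENDER_LINK_HISTORY = {
    "vendor.example": {"vendor.example", "docs.vendor.example"},
}

# Constructed messages. The second mirrors the attack: authenticated vendor
# domain, first-ever design-platform link, urgent financial wording, and an
# automated fetch that stopped at a bot-challenge page.
MESSAGES = [
    {
        "sender_domain": "vendor.example",
        "dmarc": "pass",
        "urls": ["https://docs.vendor.example/q2-report.pdf"],
        "body": "Attached is the Q2 report we discussed.",
        "fetch": {"https://docs.vendor.example/q2-report.pdf": "ok"},
    },
    {
        "sender_domain": "vendor.example",
        "dmarc": "pass",
        "urls": ["https://whimsical.com/CONSTRUCTED-DOC-ID"],
        "body": "Urgent: please review the confidential invoice before payment is overdue.",
        "fetch": {"https://whimsical.com/CONSTRUCTED-DOC-ID": "blocked_by_challenge"},
    },
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def on_design_platform(host):
    return any(host == d or host.endswith("." + d) for d in DESIGN_PLATFORMS)


def score_message(msg, link_history):
    """Return (score, reasons). Passing DMARC is expected from a compromised
    legitimate account, so it neither adds nor removes suspicion here."""
    score, reasons = 0, []
    seen_hosts = link_history.get(msg["sender_domain"], set())
    for url in msg["urls"]:
        host = host_of(url)
        if on_design_platform(host):
            score += 1
            reasons.append(f"link hosted on design platform: {host}")
        if host not in seen_hosts:
            score += 1
            reasons.append(f"sender has never linked to {host} before")
        # A fetch that ended on a bot challenge tells us nothing about the
        # page, so it counts as unverified rather than clean.
        if msg["fetch"].get(url) == "blocked_by_challenge":
            score += 1
            reasons.append("link could not be analyzed (bot challenge)")
    if URGENCY.search(msg["body"]):
        score += 1
        reasons.append("urgency / financial wording")
    return score, reasons


def triage(messages, link_history, threshold=3):
    """Return (index, score, reasons) for messages at or above threshold."""
    flagged = []
    for i, msg in enumerate(messages):
        score, reasons = score_message(msg, link_history)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


if __name__ == "__main__":
    for i, score, reasons in triage(MESSAGES, SENDER_LINK_HISTORY):
        print(f"message {i} score={score}: {'; '.join(reasons)}")
```

The routine report from the vendor scores zero, while the document-share message is flagged on four independent signals even though it passes DMARC and links to a reputable platform. Treating an unanalyzable link as unknown rather than safe is the design choice that matters most here; it is what stops a bot challenge from converting into a clean verdict.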
By baselining normal behavior and detecting these abnormal indicators, a modern email security solution can stop this attack before it reaches inboxes.
Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.