In this likely AI-generated phishing attack, threat actors impersonate Apple and send the target a notification regarding their Apple Pay account. To increase the appearance of authenticity, the attacker incorporates Apple Pay imagery and sets the sender display name to "Apple Inc". They also spoof the legitimate domain "campaign.eventbrite[.]com" to improve the likelihood of the message being delivered. Using the subject line "Verify activity: Apple Pay has been suspended" to grab the recipient's attention, the attacker claims that unusual activity has been detected on the recipient's Apple Pay account. The message asks the target to use one of the provided links either to verify the activity or to confirm that it is fraudulent. Clicking on either embedded link redirects the recipient to a phishing site designed to harvest sensitive information. By exploiting trust in the Apple brand and manufacturing a sense of urgency around potential unauthorized activity, the attacker hopes to manipulate the recipient into providing private information, such as login credentials.

Legacy email security tools struggle to identify this email as an attack because it is sent from a spoofed email address, uses legitimate-looking links, and carries no malicious attachments. Modern, AI-powered email security solutions detect the suspicious links in the message and recognize the inconsistency between the sender domain and the display name, as well as between the sender domain and the reply-to address, to correctly flag this email as an attack.


Attacker uses spoofed email address and impersonates Apple

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs the legitimate email address "noreply@campaign.eventbrite[.]com", bypassing basic sender verification checks and adding perceived authenticity.
  • Legitimate-Looking Links: The email includes links that appear to belong to the known domain "eventbrite[.]com", which can pass link reputation checks.
  • Absence of Malicious Attachments: By including no suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of a link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
  • Sender Name and Domain Mismatch: The sender name (Apple Inc) does not match the domain “campaign.eventbrite[.]com”, raising further suspicion during Abnormal’s analysis.
  • Reply-to Address: The presence of a reply-to address that differs from the sender's domain is flagged during Abnormal’s analysis and triggers further scrutiny.
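The three header-level indicators listed above can be checked mechanically. The following is an added example written for this page, not Abnormal's detection code: it parses a constructed message that reproduces the shape of the attack (a protected brand in the display name, a sending domain that does not belong to that brand, a Reply-To on a third domain, and body links pointing elsewhere) and returns the indicators it finds. The addresses, URLs and the BRAND_DOMAINS allow-list are placeholders for illustration; a real deployment would populate the allow-list per brand and use the public suffix list rather than the two-label heuristic used here.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the indicators described above. Domains are
# placeholders, not the real attack artefacts.
SUSPICIOUS_EMAIL = """\
From: "Apple Inc" <noreply@campaign.example-events.com>
Reply-To: support@attacker-mailbox.example
To: victim@example.org
Subject: Verify activity: Apple Pay has been suspended
Content-Type: text/html

<html><body>
<p>Unusual activity was detected on your Apple Pay account.</p>
<a href="https://tracking.example-events.com/r/abc123">Verify activity</a>
<a href="https://tracking.example-events.com/r/def456">Report fraud</a>
</body></html>
"""

# Constructed benign counterpart: brand name, sending domain and links agree.
BENIGN_EMAIL = """\
From: "Apple" <no_reply@email.apple.com>
To: customer@example.org
Subject: Your receipt from Apple
Content-Type: text/html

<html><body><a href="https://www.apple.com/">View receipt</a></body></html>
"""

# Brands to protect, mapped to the domains they legitimately send from.
# Assumption for the example; a real tenant tunes this list.
BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com"},
}


def _domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _registrable(host):
    """Crude two-label suffix (example.com from a.b.example.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_link_hosts(html):
    """Collect hostnames from href attributes in an HTML body."""
    return {urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', html)}


def analyse_message(raw):
    """Return the ordered list of indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    indicators = []

    # Which protected brand, if any, does the display name claim to be?
    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    allowed = {_registrable(d) for d in BRAND_DOMAINS.get(brand, set())}

    # 1. Sender name / domain mismatch: brand in display name, foreign domain.
    if brand and _registrable(from_domain) not in allowed:
        indicators.append("sender_name_domain_mismatch")

    # 2. Reply-To domain differs from the From domain.
    reply_domains = {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    if reply_domains and from_domain not in reply_domains:
        indicators.append("reply_to_domain_mismatch")

    # 3. Links lead to hosts unrelated to the claimed brand.
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = extract_link_hosts(body)
    if brand and any(_registrable(h) not in allowed for h in link_hosts):
        indicators.append("link_domain_brand_mismatch")

    return indicators


if __name__ == "__main__":
    print("suspicious:", analyse_message(SUSPICIOUS_EMAIL))
    print("benign:    ", analyse_message(BENIGN_EMAIL))
```

Each indicator on its own is weak evidence (plenty of legitimate marketing mail sets a display name that differs from its sending platform), which is why a scoring model combines them with behavioural baselines rather than blocking on any single hit.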

By baselining established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address; Masked Phishing Link; Mismatched Reply-To Address
Theme: Suspicious Account Activity; Account Verification
Impersonated Party: Brand
Impersonated Brands: Apple
AI Generated: Likely
