In this credential phishing attack, the threat actor compromises an employee account from the domain “doh.nj[.]gov” and sends an email with an embedded image designed to appear as an eFax notification for a document sent from “ACCOUNT PAYABLE.” However, the image is a link to a file hosted on the document-sharing service Box containing a phishing link. If the target interacts with the link, they will be taken to a credential phishing site where sensitive information is at risk. Because the attacker has compromised an employee’s legitimate account, this attack is difficult to detect without advanced tools that can scan the contents of non-executable attachments like image files and uncover potentially malicious links. 

Older, legacy email security tools have difficulty accurately detecting this email as an attack because it was sent from a legitimate email, contains no known malicious links or attachments, and was sent from a domain the company has never interacted with before. Modern AI-powered email security solutions detect the unknown sender domain and conduct link and sender analysis to flag this email as an attack correctly.

Status Bar Dots
Nov29 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender Domain: The email comes from a domain that the company has never received emails from in the past. Traditional email security tools may not have this domain on their radar, allowing the email to bypass their filters.
  • Lack of Known Malicious Links or Attachments: The email does not contain any known malicious links; the only attachment is an image file. Traditional email security tools often rely on detecting known malicious links or attachments, so an email without these elements can easily bypass these tools.
  • Compromised Email Address: The email appears to be from a legitimate source, which could bypass legacy security tools that only check for known malicious senders.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Domain: Abnormal detects that the email comes from a domain that the company has never received emails from in the past. This is a strong signal that the email might be malicious.
  • Link Analysis: Abnormal analyzes all links in emails to determine if any lead to a malicious website, even if it is not known to be malicious.
  • Sender Analysis: Abnormal analyzes the sender details and identifies that the email was sent from a compromised employee's account and was exploiting Box's legitimate platform—a common tactic used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

External Compromised Account
Masked Phishing Link

Theme

Fake Document

Impersonated Party

Government Agency

Impersonated Brands

New Jersey Department of Health

See How Abnormal Stops Emerging Attacks

See a Demo