In this financial services scam, the threat actor abuses a compromised personal email account and exploits social engineering tactics to launch the first step of a multi-stage attack. The email originates from a real att[.]net account, which immediately makes the attack difficult to detect since many of the hallmarks of more traditional spam and cyberattacks are not present when the email is sent from a legitimate domain. The message contains no links or attachments and asks a single question related to shopping habits. The goal of this initial email is simply to build trust with the target and make them believe it's a legitimate communication from a known sender. If the recipient engages, the next stage of the attack begins, in which the threat actor can compel the target to reveal sensitive information or fulfill fraudulent financial requests, such as sending gift cards.

Older, legacy email security tools struggle to accurately detect this email as an attack: the signals it does carry, mismatched “Reply-To” and “From” addresses, an unknown sender, and social engineering tactics, are not ones those tools reliably check. Modern, AI-powered email security tools flag the mismatched “Reply-To” and “From” addresses, detect the unknown sender, and analyze the email content for social engineering techniques to correctly mark this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Mismatched "From" and "Reply-To" Emails: The "From" email and the "Reply-To" email are different, a common tactic used by attackers to hide their true identity. Legacy systems may not check for this discrepancy.
  • Unknown Sender: The email originated from an unknown email address that the recipient's company has never interacted with before. Modern security systems can track and analyze the behavior of incoming emails over time, flagging emails from unknown or rarely contacted addresses. Legacy systems often lack this capability.
  • Social Engineering Tactics: The attacker uses social engineering tactics, posing as a familiar contact and asking a seemingly innocent question. Legacy systems are typically not equipped to detect such subtle tactics.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Mismatched “From” and “Reply-To” Emails: Abnormal checks for discrepancies between the “From” email and the “Reply-To” email. In this case, the two were different, a common tactic used by attackers to hide their true identity.
  • Unknown Sender Analysis: Abnormal tracks and analyzes the behavior of incoming emails over time. The email in question originated from an unknown email address that the recipient's company has never interacted with before, which is suspicious.
  • Social Engineering Detection: Abnormal uses AI to detect subtle social engineering tactics. In this case, the attacker was posing as a familiar contact and asking a seemingly innocent question, a tactic that Abnormal was able to identify as potentially malicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.
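The three indicators described above (Reply-To/From mismatch, no prior history with the sender, and a short link-free pretext) can be checked directly against a raw message. The following is an added example written for this page, not Abnormal Security's code; the sample message, the placeholder names and addresses, the sender-history set and the pretext keyword list are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (placeholder names and addresses, not data from the incident):
# a short, link-free question whose Reply-To points somewhere other than the From address.
SAMPLE_MSG = """\
From: "Jane Doe" <jane.doe@att.net>
Reply-To: <jane.doe.personal@example.com>
To: bob@victim-corp.example
Subject: quick question

Hi Bob, do you shop online often? Let me know, I need a small favor.
"""

# Constructed history of addresses the organization has previously exchanged mail with.
KNOWN_SENDERS = {"alice@partner.example", "billing@vendor.example"}

def sender(msg):
    """Bare From address, lowercased, without the display name."""
    return parseaddr(str(msg.get("From", "")))[1].lower()

def reply_to_mismatch(msg):
    """True when Reply-To names a different mailbox than From."""
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return bool(reply_addr) and reply_addr != sender(msg)

def unknown_sender(msg, known=KNOWN_SENDERS):
    """True when the From address has no prior history with the organization."""
    return sender(msg) not in known

def pretext_indicators(msg):
    """Heuristic for the trust-building opener: short, no links, framed as a favor or question."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    hooks = ("favor", "quick question", "are you available", "are you free")  # assumed list
    return len(body.split()) < 60 and "http" not in text and any(h in text for h in hooks)

def score(raw):
    """Return the names of the indicators that fire on a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    checks = [("reply_to_mismatch", reply_to_mismatch),
              ("unknown_sender", unknown_sender),
              ("pretext_indicators", pretext_indicators)]
    return [name for name, check in checks if check(msg)]
```

In a real pipeline the sender history would come from the mail gateway's own log of past correspondents rather than a static set, and the pretext heuristic is only one weak signal to combine with the header checks.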

Analysis Overview

  • Type: Financial Services Scam
  • Vector: Text-based
  • Goal: Gift Card Request
  • Tactic: Free Webmail Account; Spoofed Email Address
  • Theme: Financial Services
  • Impersonated Party: External Party - Other
