Attacker Exploits Trusted Brands and Impersonates Financial Services Provider to Attempt Credential Phishing
In this multi-layered attack, threat actors impersonate a legitimate company, E-Capital LLC, and utilize several different tactics to attempt credential theft. First, they spoof a domain for the sender email, “interus[.]com”—a domain name that is just nondescript enough that a target could easily overlook it. Next, they claim a document is being sent via OneDrive, a well-known Microsoft-owned filesharing platform. Additionally, by describing the file as a receipt for a paid invoice, the attackers hope the target will quickly click the button to view the document since the recipient likely isn’t expecting to receive confirmation of a recent payment.
The threat actors also use a URL shortener that allows for custom links (unlike other URL shorteners which use a randomly generated string of numbers and letters), enabling the attackers to customize the URL to “cli[.]co/AdobeShareFile.” To an eagle-eyed target, this brand mismatch is a red flag, but to many recipients, the incorporation of these trusted brand names only increases the appearance of legitimacy. If the target clicks on the link, they are taken to a phishing page designed to appear as an Adobe filesharing landing page where sensitive information is at risk.
Older, legacy security tools have difficulty properly identifying this email as an attack because it utilizes social engineering, contains no attachments, and is sent from a spoofed domain. Modern AI-powered security solutions analyze the sender, content, and links in the email to accurately flag this email as an attack.
The View Document button led to a phishing page.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Social Engineering: This email utilizes social engineering to compel the target to take action instead of exploiting technical vulnerabilities. These techniques can be difficult for legacy security tools to detect.
- Lack of Attachments: The email does not contain any attachments. Legacy systems often focus on scanning attachments for viruses or malware, so an email without attachments might not be flagged as suspicious.
- Spoofed Sender Identity: The email appears to be from “E-Capital LLC”, a seemingly legitimate entity, which could trick legacy systems into thinking it's a safe email.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unusual Sender Domain: Abnormal compares the domains of links contained in the email with the sender domain. Because the included link was not hosted on the same domain as the sender's address, Abnormal flagged this as suspicious.
- Link Analysis: The attacker attempted to obscure the destination of the phishing link with a URL shortener, but Abnormal is still able to analyze the link and determine that it leads to a malicious website where sensitive data is at risk.
- Content Analysis: Abnormal scans emails for content related to financial topics, including invoices and bank information. Because the sender is unknown to this recipient and the email content is financial in nature, Abnormal flags this as suspicious.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.