Attacker Impersonates Australia Post Using Spoofed Address and Sends Bogus Delivery Alert to Attempt Credential Theft
In this phishing attack, threat actors impersonate Australia Post and send the target an email regarding a pending shipment. Using a spoofed email address that closely resembles a legitimate address from the shipping provider, the attacker sends a message claiming the recipient must pay a fee to initiate the delivery process. To further increase the appearance of legitimacy, the threat actor sets the display name as “Auspost” and incorporates impersonated Australia Post branding into the email body. The recipient is instructed to use the provided link to submit payment for the fee. However, should they click the link, they will be redirected to a phishing page designed to steal sensitive information, such as login credentials or payment details.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed address that has no prior correspondence with the recipient and contains no suspicious attachments. However, modern AI-powered email security solutions detect links to suspicious domains, flag that the sender domain does not match any domains in the message, and detect common language utilized in financial theft to correctly identify the email as an attack.
To avoid falling victim to these scams, users should verify delivery notifications directly through Australia Post’s official website or app instead of clicking links in unsolicited emails. Organizations can further mitigate risks by educating employees on common phishing tactics and deploying advanced email security systems to protect against these increasingly sophisticated attacks.
Malicious email in which attackers pose as Australia Post to steal sensitive information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
- Financial Theft Language: The email contains language that may be attempting to steal money from the recipient, a common tactic identified by Abnormal’s content analysis and NLP algorithms to detect potential financial fraud.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.