Attacker Impersonates Chicago Title Insurance Company Using Compromised Email to Steal Sensitive Information
In this credential phishing attack, the threat actor impersonates Chicago Title Insurance Company, a residential real estate services provider, and sends the target a fraudulent file-sharing notification. The email was sent from a compromised address belonging to an employee at a custom homes builder and claimed to be an invitation to view important real estate transaction documents via a secure portal. To increase the appearance of legitimacy, the attacker uses professional language, legitimate-looking details, and the real estate services company’s actual logo. The email includes a link "https://sourcefileupload[.]online" that purportedly directs the recipient to access these documents but instead leads to a phishing site designed to harvest sensitive information. The phishing site is also designed to mimic the real estate services company’s actual website and prompts the target to enter their Microsoft account credentials to view the shared documents. Should they provide this information, it will be stolen by the attacker and used to launch additional attacks.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a compromised email address, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and conduct advanced content analysis to correctly flag this email as an attack.
Malicious message sent from a compromised email account
Phishing site impersonating secure message center
Phishing page mimicking the sign-in for Microsoft 365
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Compromised Email Address: The attacker uses a legitimate email address from a compromised account, bypassing basic email verification checks and adding perceived authenticity.
- Social Engineering Tactic: The claim of important real estate transaction documents creates a sense of urgency that prompts recipients to act without careful scrutiny.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: The presence of a link that leads to a suspicious domain is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
- Content Analysis: The email's message about delivering important real estate transaction documents is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can stop this attack before it reaches inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
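As an added illustration (not Abnormal's code or the post's own), the following Python sketch scores a message on the three signals described above: a sender with no communication history to the recipient, links whose domain does not belong to the brand named in the message, and document-sharing lure language. The contact history, brand-to-domain mapping and sample messages are constructed placeholders; only the link domain comes from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sender/recipient history; a real deployment would build this
# from the organization's own mail logs (assumption for this example).
KNOWN_CONTACTS = {
    "buyer@example-corp.test": {"agent@example-realty.test"},
}
# Brand names that appear in lures, mapped to the domain the brand really sends
# from (placeholder value, not the real company's domain).
BRAND_DOMAINS = {"chicago title": "example-title.test"}
# Phrases typical of the file-sharing lure the post describes.
LURE_PHRASES = ("transaction documents", "secure portal", "view the documents",
                "shared documents", "sign in")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def link_domains(body):
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}

def analyze(msg):
    """Return {'flag': bool, 'reasons': [...]} for one message dict."""
    reasons = []
    sender, recipient = msg["from"].lower(), msg["to"].lower()
    text = (msg["subject"] + " " + msg["body"]).lower()
    # 1. Unknown sender: this pair has never exchanged mail before.
    if sender not in KNOWN_CONTACTS.get(recipient, set()):
        reasons.append("unknown sender")
    # 2. Brand impersonation: message names a brand, but the sending domain
    #    and the links point somewhere else.
    links = link_domains(msg["body"])
    for brand in (b for b in BRAND_DOMAINS if b in text):
        legit = BRAND_DOMAINS[brand]
        if domain_of(sender) != legit:
            reasons.append(f"claims to be {brand} but sent from {domain_of(sender)}")
        off_brand = {d for d in links if d != legit and not d.endswith("." + legit)}
        if off_brand:
            reasons.append("suspicious link domain(s): " + ", ".join(sorted(off_brand)))
    # 3. Content: two or more lure phrases is treated as document-sharing bait.
    hits = [p for p in LURE_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("document-sharing lure: " + ", ".join(hits))
    return {"flag": len(reasons) >= 2, "reasons": reasons}

# Constructed samples: PHISH mirrors the message in the post, BENIGN is routine mail.
PHISH = {"from": "builder@example-homes.test", "to": "buyer@example-corp.test",
         "subject": "Chicago Title shared documents with you",
         "body": "Important real estate transaction documents are waiting. Sign in "
                 "to the secure portal to view the documents: "
                 "https://sourcefileupload.online/view"}
BENIGN = {"from": "agent@example-realty.test", "to": "buyer@example-corp.test",
          "subject": "Inspection schedule",
          "body": "Updated schedule is here: https://example-realty.test/schedule"}
```

Each reason is kept as text so an analyst can see which of the three signals fired rather than only a score.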