In this likely AI-generated, multi-step credential phishing attack, the threat actor impersonates Wirex, a payment solutions provider specializing in cryptocurrency. After creating the sender domain and address “contact@mailsessions[.]com”, the attacker emails the target a message designed to appear as a request to complete an account authentication process. Since the email is likely AI-generated, there are no misspellings and only minor grammar and punctuation errors. The email claims additional verification is required to continue using the services uninterrupted and includes a button labeled “Verify Access,” which purportedly links to the Wirex customer portal. However, if the target clicks on this button, they are redirected to a phishing page that is a convincing imitation of the Wirex login page. If the recipient enters their login credentials on this page, the attacker will steal them, who can then use the username and password to siphon any funds from the target’s Wirex account.

Older, legacy email security tools struggle to accurately identify this email as an attack because it lacks malicious attachments, comes from an unknown sender and utilizes social engineering techniques. Modern, AI-powered email security solutions flag the unknown sender and analyze the links and content to mark this email as an attack correctly.

Status Bar Dots
April 3rd Screenshot 1
Status Bar Dots
April 3rd Screenshot 2

The attacker creates a fake Wirex login page where any credentials entered are at risk of being stolen.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: The email does not contain any attachments. Because legacy security tools often focus on scanning attachments for malware, an attack without a malicious payload attached could bypass these checks.
  • New and Unknown Sender Domain: The email comes from a new and unknown sender domain. Traditional security tools often rely on reputation-based systems, flagging emails from domains known to have sent malicious content in the past. A new or unknown domain wouldn't have a negative reputation, allowing the email to bypass these checks.
  • Sophisticated Social Engineering: The email's content is crafted to manipulate the target into clicking on the phishing link without questioning its legitimacy. Legacy tools may not be equipped to detect the nuanced language and psychological tactics used in such social engineering attacks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: Abnormal flags this email as coming from an unknown domain and email address that the target has never interacted with before and uses this information to identify potential phishing attempts.
  • Link Analysis: Abnormal examines URLs embedded in emails, even if disguised as benign buttons or links. The platform assesses the reputation of the linked domain, analyzes the landing page's content, and evaluates the risk in real-time to identify phishing websites effectively.
  • Content Analysis: Abnormal analyzes the language used in the email and identifies signs of a phishing attempt, including the threat of account termination.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Maliciously Registered Domain
Masked Phishing Link
Branded Phishing Page

Theme

Account Verification
Cryptocurrency
Financial Services

Impersonated Party

Brand

Impersonated Brands

Wirex

AI Generated

Likely

See How Abnormal Stops Emerging Attacks

See a Demo