In this sophisticated vishing attack, the threat actor impersonates Texas Attorney General Ken Paxton and emails the target regarding fraudulent activity. The email, sent from a Gmail address to avoid basic security filters, contains minimal text in the body and instead uses an official-looking PDF attachment to begin the first stage of the attack. The PDF claims the recipient's Social Security Number (SSN) has been stolen and is being used to commit crimes in Texas and New Mexico and, as a result, their SSN will be suspended within 24 hours. To increase the semblance of legitimacy, the PDF contains what appears to be an official-looking seal for the Social Security Administration, references to specific legislation being violated, and Ken Paxton’s real email signature. The target is informed their case has been referred to the Department of Justice and they must use the provided phone number to contact the Office of Inspector General to prove their innocence. However, should the target call the number, they will actually be connected to the threat actor, who will initiate the next stage of the attack, in which they will attempt to steal sensitive information and/or convince the target to download malicious software.

Older email security tools may struggle to identify this phishing attempt because it originates from a legitimate Gmail address, lacks malicious links, and does not employ the use of obviously malicious attachments. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, recognize the email’s content is indicative of phishing, and analyze the attachment’s content to correctly identify the email as an attack.

Status Bar Dots
Government Official Impersonation SSN Suspension Email E

Phishing email impersonating government official with limited body content

Status Bar Dots
Government Official Impersonation SSN Suspension PDF E

PDF attachment exploiting social engineering to trick target into calling a fraudulent number and divulge personal information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker uses a Gmail address, which is a known and reputable provider that will likely not be flagged by basic email filters, adding perceived authenticity.
  • Lack of Malicious Links: The absence of direct malicious links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify phishing emails.
  • Absence of Malicious Attachments: By not including suspicious attachments and instead including a PDF, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Content Analysis: The email’s message about completing an important document is flagged by advanced content analysis algorithms as a common phishing tactic.
  • Attachment Analysis: The PDF attachment containing alarming and urgent content was scrutinized and identified as potentially malicious through Natural Language Processing (NLP) and Natural Language Understanding (NLU).

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type

Credential Vishing

Vector

Text-based

Goal

Credential Theft

Tactic

Fake Attachment
Free Webmail Account

Theme

Legal Matter
Fake Document

Impersonated Party

Government Agency

Impersonated Brands

Social Security Administration

See How Abnormal Stops Emerging Attacks

See a Demo