Attacker Impersonates HR and Sends Bogus Employee Assessment Notification in Phishing Attempt
In this phishing attack, the threat actor uses a spoofed email address to send a message to the controller of an Australia-based freight service provider. The attacker sets the display name to “Human Resources” to increase the appearance of credibility and includes “HIGH IMPORTANCE” and “Urgent Action Needed” in the subject line to manufacture a sense of urgency—a common tactic used by bad actors to prompt quick, unthinking action from the recipient. The message begins by praising the workforce for their dedication and hard work and then informs the target that their employee evaluation and assessment are available for review via the provided link. However, if the recipient clicks on the link, they will be taken to a malicious page designed to either harvest credentials or install malware on the target’s computer.
Older, legacy email security tools struggle to properly identify this email as an attack because it is sent using a spoofed address, contains no malicious attachments, and leverages social engineering. Modern, AI-powered email security solutions detect the spoofed address and the unknown sender as well as analyze the links to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Email Spoofing: The attacker has spoofed the email address to make it appear as if it is coming from a legitimate source. Legacy security tools might not have sophisticated mechanisms to verify the authenticity of the sender's domain beyond basic checks, allowing spoofed emails to slip through.
- Lack of Malicious Attachments: The attack does not rely on attachments, which are commonly scanned for malware by legacy security tools. Instead, it uses malicious links, which might not be scrutinized as thoroughly.
- Social Engineering Tactics: The email employs social engineering tactics, such as urgency and flattery, to trick the recipient into taking action. Legacy tools might not be equipped to analyze the content of the email for such subtle cues.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Advanced Email Spoofing Detection: Abnormal can detect subtle signs of email spoofing, including discrepancies between the sender's display name and email address, and inconsistencies in the email's header information.
- Unknown Sender Email: Abnormal flags that the email address used to send this attack is an unknown email address to which the company has never sent messages in the past. This is a strong sign that the message may not be from a safe source.
- Link Analysis: Abnormal’s advanced link analysis can scrutinize the context and destination of links in emails, identifying malicious intent even when the domain itself is not inherently suspicious.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.