Attacker Impersonates Internal University IT Department to Send Malware Using Fake Voice Message Notification
In this malware attack, cybercriminals impersonate a university's internal notification system and email the target a fake voicemail alert. Sent from an iCloud address with a display name that features a common abbreviation for the university, the message uses minimal text and contains only details about an incoming voice message. The email includes an HTM attachment that purports to be a recording of the voicemail. The attachment is in fact malicious: when opened, it can deploy malware onto the recipient's device, giving the attacker access to sensitive information or a foothold from which to compromise the system further. By mimicking the style and tone of internal IT notifications, the attacker hopes to convince the recipient that the email is authentic so that they open the attachment without considering the risk.
Older, legacy email security tools struggle to identify this email as an attack because it is sent from a reputable email provider whose domain lends perceived legitimacy, and it contains no malicious links. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect the unusual sending domain, and recognize the potentially malicious attachment, correctly identifying the email as an attack.
Malicious email disguised as an automated voicemail alert to deliver malware
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Reputable Email Provider: The attacker uses an iCloud email address, a well-known and reputable email provider, making it less likely to be blacklisted or flagged by basic email filters.
- Absence of Malicious Links: By delivering the payload as an HTM attachment instead of a link, the email avoids filters that focus on URL scanning. An HTM file opens in the recipient's local browser, so whatever it contains runs there and never appears as a URL the filter could inspect.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Sender Name and Domain Mismatch: The display name suggests the university's IT department, but the sender domain is an unrelated consumer email service, raising suspicion during Abnormal's analysis.
- Unusual Sending Domain: The sender domain “icloud[.]com” does not align with the trusted channels through which the internal IT department communicates, raising further suspicion.
- Attachment Analysis: HTM is a file type commonly used to deliver malicious content, so the attachment prompts Abnormal's automated systems to flag the email for potential malicious content.
By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
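To make the signals listed above (and the evasion points in the previous section) concrete, here is an added example that runs simple versions of those checks over a constructed message. It is not Abnormal's code or detection logic; the two sample emails, the university domain `example-university.edu`, the freemail list, the `known_senders` set and the `analyze` function are all illustrative assumptions, and the HTM body is a placeholder rather than the real lure's payload.

```python
"""Heuristic checks for a fake voicemail lure (illustrative example, not Abnormal's code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Illustrative constants, assumed for this example (not taken from the page).
INTERNAL_DOMAIN = "example-university.edu"
INTERNAL_KEYWORDS = {"su", "helpdesk", "voicemail"}   # words an internal IT sender would use
FREEMAIL_DOMAINS = {"icloud.com", "gmail.com", "outlook.com", "yahoo.com"}
RISKY_ATTACHMENT_EXTS = (".htm", ".html", ".shtml")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed lure modelled on the attack described above (not a real capture).
LURE_EML = """\
From: "SU IT Helpdesk" <it.voicemail@icloud.com>
To: jdoe@example-university.edu
Subject: New Voice Message Received
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

You have a new voice message (00:42). Open the attachment to listen.

--BOUNDARY
Content-Type: text/html; name="VoiceMessage_0042.htm"
Content-Disposition: attachment; filename="VoiceMessage_0042.htm"

<html><body>(placeholder; the real lure's payload is not reproduced here)</body></html>
--BOUNDARY--
"""

# Constructed benign control: a genuine internal voicemail notice with an audio file.
BENIGN_EML = """\
From: "SU Voicemail System" <voicemail@example-university.edu>
To: jdoe@example-university.edu
Subject: Voice message from extension 4412
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

You received a voice message from extension 4412. The recording is attached.

--BOUNDARY
Content-Type: audio/wav; name="msg4412.wav"
Content-Disposition: attachment; filename="msg4412.wav"
Content-Transfer-Encoding: base64

UklGRgAAAAA=
--BOUNDARY--
"""


def analyze(raw: str, known_senders: set) -> dict:
    """Return a verdict and the individual findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # Signal 1: display name borrows internal branding but the domain is external.
    name_words = set(re.findall(r"[a-z]+", display_name.lower()))
    if name_words & INTERNAL_KEYWORDS and domain != INTERNAL_DOMAIN:
        findings.append("display name/domain mismatch")

    # Signal 2: a consumer freemail domain is an unusual channel for internal IT mail.
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"freemail sender domain: {domain}")

    # Signal 3: the sender has never been seen by this mailbox.
    if addr not in known_senders:
        findings.append("unknown sender")

    # Signal 4: HTML attachments carry the payload when the body has no links.
    html_attachments = [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_ATTACHMENT_EXTS)
    ]
    for name in html_attachments:
        findings.append(f"html attachment: {name}")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part else ""
    if html_attachments and not URL_RE.search(body_text):
        findings.append("no links in body; the attachment is the only payload carrier")

    # An HTML attachment on its own is not proof; require at least one sender signal too.
    sender_signals = [f for f in findings if not f.startswith(("html attachment", "no links"))]
    verdict = "malicious" if html_attachments and sender_signals else "benign"
    return {"verdict": verdict, "findings": findings, "sender": addr}


if __name__ == "__main__":
    seen = {"voicemail@example-university.edu"}
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(label, analyze(raw, seen))
```

Note that no single signal decides the outcome: an internal voicemail system may legitimately attach a file, and a freemail sender may be a student, so the verdict here requires the risky attachment together with at least one sender anomaly, which mirrors the combination of indicators the section above describes.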
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.