In this phishing attack, threat actors pose as the human resources manager at the target’s employer and send a message regarding the company’s benefits plan. The email invites the recipient to click the embedded link to view information regarding salary plans and the open vacation policy. To increase the appearance of legitimacy, the attacker incorporates the company name into the email address, subject line, and body of the email. Should the target click on the included link, they will be redirected to a portal branded with the parent company’s logo. They will also be prompted with a verification test to add an additional layer of perceived authenticity. However, the portal is actually a phishing site and any information the target provides will be stolen by the attacker.

Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a spoofed email address, lacks malicious attachments, and appears to be a trusted internal communication. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, analyze suspicious links in the message, and detect the mismatch between the sender name and the sending domain to correctly flag this email as an attack.

Figure: Malicious email sent by attacker posing as HR manager using spoofed account

Figure: Phishing site branded with parent company’s logo designed to steal sensitive information

Figure: Verification test added by attacker to increase perceived authenticity of the request

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity. This tactic leverages the trust recipients have in known domains, allowing the attack to evade detection by traditional email defenses that primarily rely on domain reputation.
  • Absence of Malicious Attachments: By not including any suspicious attachments, the email avoids detection by antivirus and anti-malware systems that are primarily focused on identifying attachment-based threats. This strategy exploits the limitations of conventional security tools that prioritize attachment scanning over content analysis.
  • Trusted Internal System Mimicry: The email is designed to mimic internal communication from HR, increasing the likelihood that employees might trust and act on the email without proper scrutiny. This tactic takes advantage of the inherent trust within internal communications, which traditional security measures might not scrutinize closely.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: Abnormal's platform identifies the email as originating from an unknown sender who has no prior communication history with the recipient. By maintaining a comprehensive communication history, Abnormal quickly flags deviations from established patterns of sender-recipient interactions, helping to identify potential threats early on.
  • Suspicious Link Analysis: Abnormal’s systems analyze the presence of links that lead to unusual or suspicious domains. This triggers a deeper investigation, utilizing Abnormal’s advanced algorithms to assess the risk and potential malicious intent behind the links, which traditional defenses might overlook.
  • Sender Name and Domain Mismatch: Abnormal’s systems detect a mismatch between the sender name and the sender domain, raising suspicion. This anomaly is flagged by Abnormal’s advanced analysis, prompting further investigation into the legitimacy of the communication.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
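The three indicators listed above can be illustrated with a small inbound-mail check. The code below is an added example written for this page, not Abnormal's detection logic, which the note below states is proprietary. It parses a constructed sample message, compares the sender against a constructed communication history, checks whether the display name invokes the company while the address is off-domain, and lists links whose host is not under the organization's domain, marking those that embed the brand name. The company "Examplecorp", its domain, the known-sender set and the sample messages are all placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not a real capture; the company "Examplecorp"
# and every domain below are placeholders.
SAMPLE_EMAIL = """\
From: "Examplecorp HR Manager" <hr-examplecorp@mail-notices.example.net>
To: employee@examplecorp.example
Subject: Examplecorp 2024 Benefits Plan Update
Content-Type: text/html; charset="utf-8"

<p>Please review the updated salary plans and open vacation policy:</p>
<p><a href="https://examplecorp-benefits.portal-login.example.org/verify">View benefits</a></p>
"""

# Constructed benign message from a sender the recipient already knows.
BENIGN_EMAIL = """\
From: "Payroll" <payroll@examplecorp.example>
To: employee@examplecorp.example
Subject: Payslip available
Content-Type: text/html; charset="utf-8"

<p><a href="https://hr.examplecorp.example/payslips">Open payslip</a></p>
"""

# Constructed communication history: senders that previously exchanged mail
# with each recipient. A real system would derive this from observed mail flow.
KNOWN_SENDERS = {
    "employee@examplecorp.example": {
        "payroll@examplecorp.example",
        "itsupport@examplecorp.example",
    },
}

ORG_DOMAIN = "examplecorp.example"   # assumed organization domain
ORG_NAME = "examplecorp"             # assumed brand token to look for

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_unknown_sender(recipient, sender, history):
    """Indicator 1: the sender has never mailed this recipient before."""
    known = {s.lower() for s in history.get(recipient.lower(), set())}
    return sender.lower() not in known


def name_domain_mismatch(display_name, sender, org_name, org_domain):
    """Indicator 3: the name or local part invokes the company, the domain does not."""
    local_part = sender.split("@")[0].lower()
    claims_org = org_name in display_name.lower() or org_name in local_part
    return claims_org and domain_of(sender) != org_domain


def suspicious_links(html, org_name, org_domain):
    """Indicator 2: links whose host is off-domain; brand-in-hostname lookalikes are marked."""
    findings = []
    for url in HREF_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host == org_domain or host.endswith("." + org_domain):
            continue
        findings.append({"url": url, "host": host, "brand_lookalike": org_name in host})
    return findings


def analyze(raw, history=KNOWN_SENDERS, org_name=ORG_NAME, org_domain=ORG_DOMAIN):
    """Run all three checks and combine them into a verdict."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/html")
    else:
        body = msg.get_payload()

    findings = {
        "unknown_sender": is_unknown_sender(recipient, sender, history),
        "name_domain_mismatch": name_domain_mismatch(display_name, sender, org_name, org_domain),
        "suspicious_links": suspicious_links(body, org_name, org_domain),
    }
    # Any single indicator is weak on its own (a new vendor, a partner domain);
    # two or more together is what justifies holding the message.
    score = sum([findings["unknown_sender"],
                 findings["name_domain_mismatch"],
                 bool(findings["suspicious_links"])])
    findings["verdict"] = "quarantine" if score >= 2 else "deliver"
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
    print(analyze(BENIGN_EMAIL))
```

The scoring step is the part worth attention: each indicator fires legitimately in everyday mail (a first contact from a real recruiter, a marketing platform's tracking domain), so the example only quarantines when at least two coincide, which is the combination the page describes for this message.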

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Display Name, Masked Phishing Link, Branded Phishing Page
  • Theme: Employee Incentive, Employee Benefits, Human Resources Announcement
  • Impersonated Party: Internal System
