In this phishing attack, cybercriminals use a spoofed email address to impersonate the internal fax system of a manufacturer specializing in industrial fabrics. The attacker sets the display name to the targeted company’s name followed by “Fax_Service” to make the message look more legitimate. The message is formatted to appear as a notification of an incoming fax and includes a button labeled “View FAX.” If the recipient clicks the button, they are redirected to a site designed to mimic a Microsoft Outlook login portal. The destination is a phishing page, and the attacker will steal any information the target enters.

Legacy email security tools struggle to accurately identify this email as an attack because it uses a spoofed email address, employs sophisticated social engineering tactics, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and use advanced content analysis to correctly flag this email as an attack.

Phishing email attempting to fool users into clicking a malicious link disguised as an incoming fax

Malicious portal uses Microsoft’s branding to gain the confidence of potential targets

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
  • Social Engineering Tactic: The email claims that a fax document needs to be reviewed immediately, creating a sense of urgency and prompting immediate action.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of a link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
  • Content Analysis: Abnormal's advanced algorithms flag the urgent message in the email about a received fax document as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
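The three signals listed above can be illustrated with a small heuristic check. This is an added example, not Abnormal's detection logic or code from the original page; the sample message, `ORG_DOMAINS`, `HISTORY`, the keyword lists and the threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every name, address and URL is a placeholder.
SAMPLE = '''From: "ExampleCo Fax_Service" <fax_service@exampleco.test>
To: pat@exampleco.test
Subject: New fax received - review immediately
Content-Type: text/html; charset="utf-8"

<p>You have 1 incoming fax document.</p>
<a href="https://login.portal-check.test/signin">View FAX</a>
'''

ORG_DOMAINS = {"exampleco.test"}  # assumption: domains the organization owns
# Assumption: (sender, recipient) pairs seen in earlier legitimate mail.
HISTORY = {("facilities@exampleco.test", "pat@exampleco.test")}
URGENCY = re.compile(r"\b(immediately|urgent|action required)\b", re.I)
THEME = re.compile(r"\b(fax|document)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"', re.I)

def analyze(raw, history=HISTORY):
    """Return the list of signals raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    body = msg.get_payload()
    text = f'{msg["Subject"]} {body}'
    signals = []
    # Signal 1: this sender has never written to this recipient before.
    if (sender, recipient) not in history:
        signals.append("unknown_sender")
    # Signal 2: a link whose host is outside the organization's domains.
    for href in LINK.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
            signals.append(f"external_link:{host}")
    # Signal 3: urgency wording combined with a fax/document theme.
    if URGENCY.search(text) and THEME.search(text):
        signals.append("urgent_document_theme")
    return signals

def is_suspicious(raw, threshold=2):
    """Flag a message only when several independent signals agree."""
    return len(analyze(raw)) >= threshold
```

In the sample, the From address sits on the organization's own domain, so a domain comparison alone would pass; the missing sender-recipient history is what raises the first signal.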

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Email Address, Spoofed Display Name, Masked Phishing Link
  • Theme: Fake Document
  • Impersonated Party: Internal System
