In this phishing attack, cybercriminals use a compromised email address to impersonate an external vendor and send the target a fraudulent shared file notification. The email claims that the sender has shared a document with the recipient and includes a link purportedly to review the file. Should the recipient click on the button in the message, they will be redirected to a page hosted on a legitimate file-sharing site. However, on this page, the attacker has embedded another link—this time to a malicious website designed to steal sensitive information. By leveraging the context of document sharing—a routine and trusted activity in business operations—the attacker hopes to compel the recipient to click the link without scrutinizing the email's authenticity, potentially compromising their security.

Older, legacy email security tools struggle to identify this email as an attack: it originates from a legitimate but compromised mailbox, so sender-authentication checks pass; it uses a layered technique in which the email links only to a trusted file-sharing site and the malicious link sits one hop further on; and it carries no malicious attachment for a scanner to detonate. Modern, AI-powered email security solutions analyze the link chain rather than just the first URL, flag the unusual content of the message, and detect the sender's atypical behavior (addressing the message to themselves and placing the real targets in Cc or Bcc), and so correctly identify it as an attack.


Phishing attack disguised as a document sharing notification.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The attacker sends from a legitimate mailbox in a compromised account, so basic sender verification (SPF, DKIM and DMARC) passes and the message inherits the account's reputation and any existing relationship with the recipient.
  • Layered Phishing Technique: The link in the email points to a page on a legitimate file-sharing service. Reputation-based link checks see only a trusted domain; the link to the credential-harvesting site is embedded on that hosted page, one hop away from anything the email filter inspects.
  • Absence of Malicious Attachments: With no attachment to scan, the email avoids antivirus and anti-malware controls that focus on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Link Analysis: Although the initial link directs to a legitimate file-sharing page, the presence of a potentially malicious link on the shared page triggers deeper analysis for possible malicious intent.
  • Content Analysis: Abnormal's content analysis algorithms flag the urgent message in the email about reviewing a shared document as a common phishing tactic.
  • Self-Addressed Email: The email was addressed to the sender's own mailbox, with the intended victims placed in Cc or Bcc. This is an unusual sending pattern that further raised suspicion during Abnormal's analysis.

By learning what normal behavior looks like for the sender and recipients, and then scoring these abnormal indicators together, a modern email security solution can stop this attack before it reaches inboxes.
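The following is an added, self-contained example of how the indicators discussed in the two sections above can be checked mechanically: a self-addressed sender with the real targets in Cc, urgency language, a first-hop link into a file-sharing host, and a second-hop pass over the hosted page to find links that leave that host. It is illustrative code written for this page, not Abnormal's detection logic; the sample email, the hosted page, the file-sharing host list and the urgency phrases are all constructed here, and the scoring threshold is an arbitrary assumption.

```python
"""
Heuristic checks for a "shared document" phishing email.
Constructed example for illustration; not a vendor's detection engine.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts whose hosted pages can carry attacker-controlled links.
# A real deployment would maintain this list rather than hard-code it.
FILE_SHARING_HOSTS = {"docs.google.com", "drive.google.com", "1drv.ms",
                      "onedrive.live.com", "sharepoint.com", "dropbox.com",
                      "box.com"}
# Assumption: phrasing typical of "please review the shared file" lures.
URGENCY_PHRASES = ("shared a document", "shared a file", "action required",
                   "immediately", "urgent")

# Constructed sample: the compromised vendor mailbox is the only To:
# recipient; the actual targets are carried in Cc:.
SAMPLE_EMAIL = """\
From: Accounts Payable <ap@vendor.example>
To: ap@vendor.example
Cc: alice@target.example, bob@target.example
Subject: Document shared with you - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>ap@vendor.example shared a document with you. Please review immediately.</p>
<p><a href="https://docs.google.com/document/d/CONSTRUCTED-ID/edit">Review Document</a></p>
</body></html>
"""

# Constructed stand-in for the page fetched from the first-hop link above.
SAMPLE_SHARED_PAGE = """\
<html><body>
<p>Invoice_Q3.pdf is ready.</p>
<a href="https://docs.google.com/abuse">Report abuse</a>
<a href="https://secure-docs-verify.example-phish.net/login">Open document</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_is_file_sharing(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def analyze_email(raw):
    """Score the email on the indicators described in the text; returns a dict."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    cc = {addr.lower() for _, addr in getaddresses(msg.get_all("Cc", []))}
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    links = extract_links(body)

    indicators = {
        # Sender addressed the message to their own mailbox.
        "self_addressed": sender in to,
        # ...and nobody else is in To:, so the real targets ride in Cc/Bcc.
        "targets_hidden_in_cc": sender in to and to <= {sender} and bool(cc),
        "urgency_language": any(p in text for p in URGENCY_PHRASES),
        # A trusted file-sharing host passes reputation checks on its own;
        # its presence means the hosted page must be fetched and inspected.
        "file_sharing_link": any(host_is_file_sharing(u) for u in links),
    }
    score = sum(indicators.values())
    return {"sender": sender, "links": links, "indicators": indicators,
            "score": score, "verdict": "block" if score >= 3 else "allow"}


def second_hop_links(first_hop_url, page_html):
    """Links on the hosted page that leave the file-sharing host.
    These are the candidates for the credential-harvesting site."""
    first_host = (urlparse(first_hop_url).hostname or "").lower()
    suspicious = []
    for url in extract_links(page_html):
        host = (urlparse(url).hostname or "").lower()
        if host != first_host and not host_is_file_sharing(url):
            suspicious.append(url)
    return suspicious


if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL)
    print(result["verdict"], result["indicators"])
    for url in result["links"]:
        if host_is_file_sharing(url):
            print("second hop:", second_hop_links(url, SAMPLE_SHARED_PAGE))
```

In a real pipeline the second hop would be an actual fetch of the shared page (ideally from a sandboxed egress, since the page may fingerprint the client), and the indicator weights would come from the sender's and recipients' learned baselines rather than a fixed threshold; the point of the example is that the first-hop URL alone never looks bad, so the hosted page has to be examined.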

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account; Masked Phishing Link
Theme: Fake Document
Impersonated Party: External Party - Vendor/Supplier
