This credential phishing attack impersonates the targeted company’s Microsoft-hosted voice messaging service. The attacker spoofs a legitimate domain, “pleion-it[.]com,” and uses a sender display name of “Microsoft SharePoint” to appear more legitimate. The email states the recipient has a new voicemail and provides a link purportedly leading to where the target can listen to the message. If the target clicks the embedded Play Audio Message button, they are directed to a page that prompts them to enter their login credentials, ostensibly to access the voicemail. Because this landing page is illegitimate, the target’s login details or any other sensitive information entered on the page are at risk of being stolen.

Legacy email security tools struggle to properly identify this email as an attack because it uses a legitimate-looking sender address, contains no attachments, and comes from an unknown domain. Modern, AI-powered email security solutions analyze the links, content, and unknown sender status to correctly flag this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Sender Address: The email is spoofed, but it appears to come from a legitimate IT company address, “pleion-it[.]com.” This can trick legacy security tools that primarily rely on blocklists of known malicious email addresses.
  • No Attachments: The email does not contain any attachments, which are often the focus of legacy security tools that scan for malicious files. Instead, the attack is carried out through a link in the email body, which these tools can overlook.
  • Unknown Domain: The email comes from a domain that the recipient has never received messages from in the past. Legacy security tools often rely on reputation-based systems, which can fail to flag emails from new or rare domains as suspicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links in an email to determine if they lead to malicious websites. In this case, the Play Audio Message link in the email body was likely flagged as suspicious.
  • Content Analysis: Abnormal analyzes the content of the email, including the text and any attachments. In this case, the email is impersonating a voice messaging service, a common phishing tactic.
  • Unknown Sender Analysis: Abnormal analyzes the behavior of the sender and the recipient. In this case, the sender's domain and email are unknown to the recipient, which is a strong sign of a phishing attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
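The three signals listed above (brand display name on an unrelated sender domain, a first-time sender domain, and a lure link that leaves the expected domain) can be approximated with simple header and link checks. The following is an added illustration, not Abnormal's detection logic; the brand-domain map, lure words, signal names, and the ".example" sample message are constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy data: domains each brand legitimately sends and links from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "sharepoint.com", "office.com"}}
LURE_WORDS = ("voicemail", "voice message", "audio message")
# Constructed sample modelled on the email described above (placeholder domains).
SAMPLE = '''From: "Microsoft SharePoint" <voicemail@it-vendor.example>
Subject: New voicemail for user
Content-Type: text/html; charset="utf-8"

<p>You have a new voice message.</p>
<a href="https://login-portal.example/vm">Play Audio Message</a>
'''

class LinkCollector(HTMLParser):  # collects [href, visible text] per <a> element
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def under(host, domains):  # host equals, or is a subdomain of, a listed domain
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, known_sender_domains):  # names of the signals that fire
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    claimed = [b for b in BRAND_DOMAINS if b in name]
    # Links should stay on the claimed brand's domains, else on the sender's own.
    allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed)) or {domain}
    checks = {
        "display_name_brand_mismatch": bool(claimed) and not under(domain, allowed),
        "first_time_sender_domain": not under(domain, known_sender_domains),
        "lure_link_off_expected_domain": any(
            any(w in text.lower() for w in LURE_WORDS)
            and not under(urlparse(href).hostname or "", allowed)
            for href, text in collector.links),
    }
    return [sig for sig, hit in checks.items() if hit]
```

Calling `triage(SAMPLE, {"corp.example"})` returns all three signal names; none of them alone is conclusive, which is why the write-up treats them in combination.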

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Personalized Email Subject, Spoofed Display Name, Masked Phishing Link
  • Theme: Fake Voicemail
  • Impersonated Party: Brand
  • Impersonated Brands: Microsoft
