In a recent article from KrebsOnSecurity, journalist Brian Krebs reported on how attackers are using Calendly invitations to install malware. While that attack was not delivered via email, sending malicious ICS (Internet Calendaring and Scheduling) files by email has been a popular tactic for years. In fact, we first reported on it back in December 2021.

More recently, attackers have started to use cryptocurrency themes in these attacks. In this example, the email tells the recipient that their Bitcoin payment has been processed and is awaiting confirmation. The message body carries no other information, only an ICS attachment.

[Image: the fake cryptocurrency payment email carrying the calendar-link attachment]

Opening the ICS attachment adds an invitation to the recipient's calendar, which does not look malicious at first glance. The invite, however, prompts the user to click two links that appear to lead to Google Docs documents. Those links actually deliver malware that, once downloaded and run, gives the attacker full control of the computer.

[Image: the calendar invite containing the two malicious links styled as Google Docs documents]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Domain: The attacker sends the email from a Gmail account, so it passes SPF, DKIM, and DMARC checks. Those checks only confirm that the message genuinely came from gmail.com; they say nothing about whether the sender is trustworthy.
  • No Malicious Payload: ICS files are used routinely to schedule meetings, and this one contains nothing executable, only text and links. Because the malicious content sits behind the links rather than inside the attachment, legacy systems that inspect the attachment itself will not flag it.
  • Social Engineering: The email uses a payment-themed pretext to push the recipient into acting. Legacy tools built around signatures and reputation are not designed to detect these human-focused lures.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Financial Request: The email concerns a payment, yet the recipient has never corresponded with the sender, so an unsolicited financial message from them is unusual.
  • Unusual Sender: The email exhibits suspicious sending behavior: Abnormal has never seen this address send to anyone within the targeted organization.
  • Uncommon Attachment: The recipient has never before received an email with an ICS attachment. Closer review of the attachment shows that its embedded links lead to malware.

By learning established normal behavior and flagging these abnormal indicators, a modern email security solution can stop this attack before it reaches inboxes.
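The invite mechanics described above and the detection signals listed in this section can be shown together with a small detector. The following Python is an added example written for this page; it is not Abnormal's detection code and not taken from the attack. The sample ICS file, the .invalid hosts, the keyword list, the allowlist and the two-signal threshold are all constructed or assumed. It parses the attachment with RFC 5545 line unfolding (a folded line splits a URL across two physical lines, which a scanner that greps the raw file misses), pulls every link out of the event's text properties, and then combines the link findings with the sender-history and attachment-history signals the article describes.

```python
import re
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed sample invite (hypothetical .invalid hosts, not the real lure).
# The DESCRIPTION is folded per RFC 5545 (CRLF followed by one space), which
# splits the first URL across two physical lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-1@example.invalid\r\n"
    "DTSTART:20240102T150000Z\r\n"
    "SUMMARY:Bitcoin payment processed - awaiting confirmation\r\n"
    "DESCRIPTION:Your BTC payment has been processed. View the receipt: https:/\r\n"
    " /example-share.invalid/document/d/EXAMPLE1/edit\\nSecond copy: https://exam\r\n"
    " ple-cdn.invalid/download/invoice.exe\r\n"
    "URL:https://example-cdn.invalid/confirm\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

_URL_RE = re.compile(r"""https?://[^\s<>"']+""")
_ESC_RE = re.compile(r"\\([nN,;\\])")
# Assumed keyword list for the "financial request" signal.
FINANCIAL_TERMS = ("payment", "bitcoin", "btc", "invoice", "wire", "transfer")


def naive_grep(ics: str) -> List[str]:
    """What a scanner that ignores folding sees: the folded URL is truncated."""
    return _URL_RE.findall(ics)


def unfold(ics: str) -> List[str]:
    """Undo RFC 5545 folding: a line break followed by one space or tab
    continues the previous content line."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Undo TEXT-value escaping in one pass: \\n -> newline; \\, \\; \\\\ -> literal."""
    return _ESC_RE.sub(lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_vevents(ics: str) -> List[Dict[str, str]]:
    """One dict of PROPERTY -> value per VEVENT; property parameters
    (e.g. DESCRIPTION;LANGUAGE=en:...) are dropped from the name."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    inside = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current, inside = {}, True
        elif line == "END:VEVENT":
            if inside:
                events.append(current)
            inside = False
        elif inside and ":" in line:
            name, _, value = line.partition(":")
            current[name.split(";", 1)[0].upper()] = unescape_text(value)
    return events


def extract_links(ics: str) -> List[Tuple[str, str]]:
    """Every http(s) URL in the invite, tagged with the property it sits in."""
    found: List[Tuple[str, str]] = []
    for event in parse_vevents(ics):
        for prop in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL", "ATTACH", "COMMENT"):
            for url in _URL_RE.findall(event.get(prop, "")):
                found.append((prop, url))
    return found


def risky_links(ics: str, trusted_hosts: Sequence[str] = ()) -> List[Tuple[str, str]]:
    """Links whose host is not on an allowlist. A lure hosted on a legitimate
    sharing service passes this check, so it is one signal, not a verdict."""
    trusted = {h.lower() for h in trusted_hosts}
    return [(prop, url) for prop, url in extract_links(ics)
            if (urlsplit(url).hostname or "").lower() not in trusted]


def assess_invite(ics: str, sender_previously_seen: bool,
                  ics_previously_received: bool,
                  trusted_hosts: Sequence[str] = ()) -> Tuple[bool, List[str]]:
    """Combine content signals with relationship history. The two-signal
    threshold is an assumed tuning value, not a published one."""
    reasons: List[str] = []
    text = " ".join(e.get("SUMMARY", "") + " " + e.get("DESCRIPTION", "")
                    for e in parse_vevents(ics)).lower()
    if any(term in text for term in FINANCIAL_TERMS):
        reasons.append("invite text is a financial/payment lure")
    if not sender_previously_seen:
        reasons.append("sender has never emailed this organization before")
    if not ics_previously_received:
        reasons.append("recipient has never received an ICS attachment before")
    risky = risky_links(ics, trusted_hosts)
    if risky:
        reasons.append(f"{len(risky)} link(s) to hosts outside the allowlist: "
                       + ", ".join(url for _, url in risky))
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    print("naive grep :", naive_grep(SAMPLE_ICS))
    print("unfolded   :", extract_links(SAMPLE_ICS))
    verdict, why = assess_invite(SAMPLE_ICS, False, False, ("example-share.invalid",))
    print("suspicious :", verdict)
    for reason in why:
        print("  -", reason)
```

Run against the sample, the naive grep returns the truncated "https://exam" plus the URL property, while the unfolding parser recovers all three links. The allowlist check is deliberately weak on its own: the article's point is that the links looked like Google Docs, so a host-reputation check would not have helped, and it is the first-time sender and first-ever ICS attachment that make the invite stand out.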

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Payload-based
Goal: Malware Delivery
Tactic: Fake Attachment; Free Webmail Account; Spoofed Display Name
Theme: Cryptocurrency
Impersonated Party: External Party - Vendor/Supplier
