Attacker Utilizes Fake Voicemail Attachment in Malware Delivery
This malware attack features a fake voicemail notification with an attachment designed to look like an audio file. The attacker incorporates several audio-related icons into the attachment's filename to make the file resemble an authentic voicemail. In reality, the attachment is an HTML file that, if clicked on, will likely install malware on the recipient's computer. To appear legitimate, the attacker uses "nisd-voicemail@bolzins[.]com" as a mask, which does not immediately look like spam or a dangerous domain.
Older, legacy email security tools have difficulty identifying this email as an attack due to the attacker's use of a spoofed email address as well as the inability of the software to analyze the content of the attachment or detect voicemail phishing. Modern, AI-powered security tools holistically analyze the content and attachments of the email and use advanced voicemail phishing detection techniques to flag this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The email appears to be sent from a legitimate email address, "nisd-voicemail@bolzins[.]com," which could bypass security checks that only look at the sender's email address.
- Suspicious Attachment: The email contains an attachment with a suspicious file name and type "Audio-0059secs.919-349-XXXX_wav_SILENTCODERSLIMAHURUF[.]html." Legacy security tools may not be equipped to analyze the content of such attachments, allowing the email to bypass their filters.
- Voicemail Phishing: The email appears to be a voicemail phishing attempt, a type of attack that can be difficult for traditional security tools to detect. The subject and content of the email mimic a legitimate voicemail notification, which could trick both users and outdated security tools.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Advanced Email Analysis: Abnormal analyzes various aspects of an email, including the sender's domain, email address, and the content of the email. In this case, the system identified the sender's domain "bolzins[.]com" and email address "nisd-voicemail@bolzins[.]com" as unknown, which raised a red flag.
- Attachment Analysis: Abnormal analyzes the content of email attachments. In this case, the suspicious filename "Audio-0059secs.919-349-XXXX_wav_SILENTCODERSLIMAHURUF[.]html." and the type of the attachment likely contributed to the detection of the attack.
- Voicemail Phishing Detection: Abnormal detects voicemail phishing attempts, which can be difficult for traditional security tools to identify. The subject and content of the email mimic a legitimate voicemail notification, a common tactic used in such attacks.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.