In this phishing attack, cybercriminals use a compromised email address to deceive recipients with a fraudulent payment document notification. The email, titled "ACH PAYMENT DOCS," claims to be an invitation to review financial documents and includes a button purportedly linked to a payment confirmation for an invoice. Because the message originates from a genuine, compromised account, it carries a layer of credibility and looks like a legitimate internal request. Should the target click the link labeled “PAYMENT FOR INV#87654678 VIEW”, they are first presented with a series of verification tests, including a traditional CAPTCHA and a Cloudflare Turnstile challenge. Automated URL scanners generally cannot solve these challenges, so the gate hides the link's actual destination from traditional security tools. Once the target completes the verification tests, they are directed to what appears to be a Microsoft login portal. The page is actually a phishing site designed to steal sensitive information: any credentials the target enters are sent to the attacker.

Older, legacy email security tools struggle to identify this email as an attack because it comes from a legitimate but compromised address, lacks malicious attachments, and contains none of the common phishing indicators. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, analyze the suspicious link, and use advanced content analysis to correctly flag the email as an attack.

Screenshot: Malicious email sent from compromised address disguised as document notification

Screenshot: First verification test target must complete

Screenshot: Second verification test target must complete

Screenshot: Phishing site designed to mimic Microsoft login portal

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The attacker leverages a legitimate email address from a compromised account, allowing the email to pass basic email verification checks (such as SPF and DKIM, which succeed because the message is genuinely sent from the account's own mail infrastructure) and adding perceived authenticity. Traditional email security systems often fail to detect such tactics because they rely heavily on sender reputation, which appears legitimate in this case.
  • Absence of Malicious Attachments: By not including any suspicious attachments, the email avoids detection by antivirus and anti-malware systems that primarily focus on identifying attachment-based threats. This strategy exploits the limitations of legacy security tools that prioritize attachment scanning.
  • No Common Phishing Indicators: The email is crafted to avoid common phishing indicators, such as poor grammar and spelling mistakes, making it appear more legitimate to recipients. This tactic reduces the likelihood of being flagged by conventional content filters that depend on detecting such obvious signs of phishing.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: Abnormal's platform identifies the email as coming from an unknown sender with no prior communication history with the recipient. By maintaining a comprehensive communication history, Abnormal swiftly flags any deviations from typical sender-recipient interactions, helping to identify potential threats early on.
  • Suspicious Link Analysis: Abnormal’s systems analyze the presence of a link leading to a suspicious domain. This triggers a deeper investigation, utilizing Abnormal’s advanced algorithms to assess the risk and potential malicious intent behind the link, which traditional defenses might overlook.
  • Content Analysis: Abnormal's AI-driven content analysis algorithms flag the email's urgent message about reviewing payment documents as a common phishing tactic. The system scrutinizes the language and context of the email, recognizing patterns typical of phishing attempts designed to instill urgency or fear in the recipient.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
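The three detection factors above, reduced to a runnable heuristic as an added example; this is illustrative code written for this page, not Abnormal's detection logic. The sample message, the sender-history table, and all domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "ACH PAYMENT DOCS" lure (not a real capture).
SAMPLE_EMAIL = """\
From: Accounts Payable <ap@partner-vendor.example>
To: finance@victim.example
Subject: ACH PAYMENT DOCS
Content-Type: text/html

<p>Please review the payment documents below.</p>
<a href="https://docs-review.example-cdn.net/verify?id=1">PAYMENT FOR INV#87654678 VIEW</a>
"""

# Hypothetical communication history: who each recipient has corresponded with before.
KNOWN_SENDERS = {"finance@victim.example": {"ceo@victim.example", "bank@trusted-bank.example"}}

URGENCY = re.compile(r"\b(payment|invoice|ach|review|urgent|confirm)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def score_email(raw, known=KNOWN_SENDERS):
    """Return (score, reasons) for a raw RFC 822 message; higher score means more suspicious."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    body = msg.get_payload()
    reasons = []
    # 1. Unknown sender: no prior communication history with this recipient.
    if sender not in known.get(recipient, set()):
        reasons.append("unknown-sender")
    # 2. Suspicious link: destination host is outside the sender's domain, or the
    #    visible text advertises an invoice/document view (the masked-link pattern).
    for href, text in LINK.findall(body):
        host = urlparse(href).hostname or ""
        if not host.endswith(sender_domain):
            reasons.append(f"link-domain-mismatch:{host}")
        if "inv#" in text.lower() or "view" in text.lower():
            reasons.append("document-lure-link")
    # 3. Content: two or more distinct payment/urgency terms in subject or body.
    terms = {m.lower() for m in URGENCY.findall(f"{msg['Subject']} {body}")}
    if len(terms) >= 2:
        reasons.append("urgency-language")
    return len(reasons), reasons
```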

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: External Compromised Account; Masked Phishing Link
  • Theme: Fake Document; Fake Invoice; Fake Payment
  • Impersonated Party: External Party - Vendor/Supplier
