In this credential phishing attack, the threat actor impersonates Chase Bank and uses a Google Drive share notification to deliver a PDF containing a malicious link. The PDF is titled "INSTANT CONFIRMATION REQUIRED! YOUR ACCESS ID LOCKED DUE TO UNAUTHORIZED ACTIVITY- MESID-UX28A8.pdf" to create a sense of urgency by convincing the target that unauthorized access to their account has been detected. Inside the PDF is a link to a credential phishing website; a recipient who follows it and enters their credentials hands them directly to the attacker.

To increase the appearance of legitimacy, the threat actor includes in the PDF a CAPTCHA-style verification check of the kind many online services use to screen out bots. Additionally, the email address "lonsijefzei2000@connect.allowaccessacount[.]eu" and the display name "Chase Bank confer" that the attacker uses for their Google Drive account are chosen to resemble official Chase Bank communications. Because the PDF arrives through Google Drive's own sharing notification, a recipient might mistake it for official communication and click the phishing link within the file.

Older, legacy email security tools struggle to identify this email as an attack because the link and the sender domain are both legitimate and the lure relies on social engineering rather than on a malicious payload in the message itself. Modern AI-powered email security solutions assess the email subject and the links in the email body, and use behavioral analysis, to correctly flag this email as an attack.

[Nov22 Screenshot 1]
[Nov22 Screenshot 2]

The attached PDF has an embedded phishing link.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Links: The link in the email points to a file hosted on Google Drive, a legitimate and commonly used service. URL reputation and blocklist checks see only a Google Drive file URL, which makes it harder for security tools to identify the link as malicious.
  • Legitimate Sender Domain: The email is sent from "drive-shares-dm-noreply@google[.]com," a legitimate Google address. Because the message genuinely originates from Google's infrastructure, checks that rely on sender authentication or domain reputation to determine authenticity pass, and the attacker evades them without spoofing anything.
  • Social Engineering: The email uses social engineering techniques, such as urgency ("INSTANT CONFIRMATION REQUIRED!") and fear ("YOUR ACCESS ID LOCKED DUE TO UNAUTHORIZED ACTIVITY"), to pressure the recipient into clicking the link. Legacy security tools that look for malicious attachments or known-bad URLs have no signal to act on here.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Email Subject: The email's subject is designed to create a sense of urgency and fear, a common tactic in phishing attacks. Abnormal recognizes these tactics and flags the email as potentially malicious.
  • Links in the Email Body: The email contains a link to a Google Drive file. Abnormal analyzes the link in the context of the other signals and determines it is potentially malicious, even though it points to a legitimate file-sharing service.
  • Behavioral Analysis: Abnormal uses behavioral analysis to detect anomalies in the sender's behavior. In this case, the sender was flagged as suspicious because the reply-to address, which on a Drive share identifies the account that did the sharing, bears no relation to Chase and looks like a lure domain.

By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
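The indicators described in the two sections above, written out as explicit checks over a parsed message. This is an added example for this page, not Abnormal Security's detection logic (which the page notes is proprietary). Both messages are constructed: the phishing sample reuses the header values quoted on the page, with the defanged "[.]" written as a real dot so the parser sees ordinary addresses, and its body text and Drive file ID are placeholders; the benign control is an invented Drive share from a colleague. The brand domain list, the urgency and lure-word lexicons, the file-sharing host list and the threshold of three indicators are all assumptions chosen for the example, not a vendor's tuned lists.

```python
"""Heuristic triage of a file-share notification that impersonates a bank.

Added example for this page; it is not Abnormal Security's detection code.
It reproduces the indicators the page lists (urgent subject, link hosted on
a legitimate file-sharing service, brand name in the display name, suspicious
reply-to address) as explicit checks over constructed sample messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: headers follow the values quoted on the page; the body
# text and the Drive file ID are invented placeholders.
PHISH_EMAIL = """\
From: "Chase Bank confer" <drive-shares-dm-noreply@google.com>
Reply-To: lonsijefzei2000@connect.allowaccessacount.eu
To: victim@example.com
Subject: INSTANT CONFIRMATION REQUIRED! YOUR ACCESS ID LOCKED DUE TO UNAUTHORIZED ACTIVITY- MESID-UX28A8.pdf
Content-Type: text/plain; charset="utf-8"

Chase Bank confer shared a file with you.
Open: https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz/view
"""

# Constructed control: an ordinary Drive share from a colleague.
BENIGN_EMAIL = """\
From: "Alice Example" <drive-shares-dm-noreply@google.com>
Reply-To: alice@example.com
To: victim@example.com
Subject: Document shared with you: Q3 budget
Content-Type: text/plain; charset="utf-8"

Alice Example shared a file with you.
Open: https://drive.google.com/file/d/1ZyXwVuTsRqPoNmLkJiHgFeDcBa/view
"""

# Lexicons and lists below are assumptions made for this example.
BRAND_DOMAINS = {"chase": {"chase.com"}}        # brand -> domains assumed to send its mail
URGENCY_TERMS = ("confirmation required", "locked", "unauthorized",
                 "instant", "immediately", "suspended", "verify")
LURE_TOKENS = ("access", "account", "acount", "secure", "verify", "login", "confirm")
FILE_SHARING_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "sharepoint.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
FLAG_THRESHOLD = 3   # indicators needed before the message is classed as phishing


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate all text/plain parts (walk() also covers single-part messages)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Collect phishing indicators from one RFC 822 message and return a verdict."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "") or ""
    indicators = []

    # 1. Brand impersonation: a brand is named in the display name, but neither
    #    the sending domain nor the reply-to domain belongs to that brand.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower():
            for header, addr in (("From", from_addr), ("Reply-To", reply_to)):
                dom = domain_of(addr)
                if dom and dom not in legit:
                    indicators.append(f"display name names '{brand}' but {header} domain is {dom}")

    # 2. Urgency and fear in the subject: lexicon hits, plus shouting
    #    (mostly upper case together with an exclamation mark).
    low = subject.lower()
    hits = [t for t in URGENCY_TERMS if t in low]
    if hits:
        indicators.append("urgency terms in subject: " + ", ".join(hits))
    letters = [c for c in subject if c.isalpha()]
    if letters and "!" in subject and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        indicators.append("subject is shouted (upper case with '!')")

    # 3. Reply-to domain built from account/access lure words. Replies to a
    #    Drive share go to the sharing account, so this is where the attacker
    #    shows through even though From is Google's own address.
    reply_dom = domain_of(reply_to)
    lure = [t for t in LURE_TOKENS if t in reply_dom]
    if lure:
        indicators.append(f"reply-to domain {reply_dom} contains lure tokens: " + ", ".join(lure))

    # 4. Links on a legitimate file-sharing host: weak on its own, because a
    #    genuine share looks identical, so it only adds weight to the others.
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            indicators.append(f"link hosted on file-sharing service {host}")

    verdict = "phish" if len(indicators) >= FLAG_THRESHOLD else "benign"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(raw)
        print(f"{name}: {result['verdict']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

Run as a script, the phishing sample collects six indicators (the brand name against two unrelated domains, urgency words, a shouted subject, lure words in the reply-to domain, and a Drive link) while the control collects only the Drive link. That asymmetry is the point: a file-sharing link carries no weight by itself because every genuine share looks the same, and the reply-to header, not the From header, is where this sender's identity becomes visible.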

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Masked Phishing Link; Branded Phishing Page
Theme: Suspicious Account Activity; Account Verification; Fake Document
Impersonated Party: Brand
Impersonated Brands: Chase
