Credential Phisher Uses Legitimate Email Marketing Platform to Send Fake Voicemail Alert
In this credential phishing attack, the threat actor impersonates a real law firm and emails the target a message designed to look like a voicemail notification. To send the malicious message, the attacker uses the compromised Constant Contact account of a legitimate marketing agency. Because Constant Contact is a well-known, trusted email marketing software, it adds the appearance of legitimacy to the attack. The threat actor also changes the sender display name to include the name of the law firm and its actual phone number, which they include in the subject line and body of the email as well. Thus, if the target looks up the phone number, the search engine results will show it as a real contact number. In the body of the email is a button that the target can purportedly click to listen to the voicemail. However, the button is actually linked to a phishing page where sensitive information will be stolen if it’s entered.
Older, legacy email security tools struggle to accurately flag this email as an attack because it utilizes a legitimate email marketing service, employs sophisticated social engineering techniques, and contains no malicious attachments. Modern, AI-powered email security solutions analyze the links, content, and unknown sender to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Reputation Exploitation of Legitimate Services: The attacker's use of Constant Contact, a well-respected email marketing platform, helps the malicious email bypass legacy security tools. These tools often whitelist or are less stringent with emails coming from reputable services, under the assumption that these platforms are safe and their content is legitimate.
- Sophisticated Social Engineering: The email employs advanced social engineering tactics, such as impersonating a voicemail notification, which legacy tools might not be equipped to detect. These tools often rely on signature-based detection for known bad content and might not recognize the subtleties of social engineering attacks that exploit human psychology rather than technical vulnerabilities.
- Lack of Malicious Attachments: Since the email does not contain traditional malicious attachments (e.g., executable files or documents with macros), it can easily bypass security tools that scan attachments for known malicious signatures. The attack instead uses a deceptive link, which might not be flagged by systems that primarily focus on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Link Analysis: Abnormal examines URLs embedded in emails, even if they are disguised as benign buttons or links. The platform assesses the reputation of the linked domain, analyzes the content of the landing page, and evaluates the risk in real time to effectively identify phishing websites.
- Content Analysis: Abnormal analyzes the language used, the presence of urgency cues, impersonation of services (like voicemail notifications), and other psychological manipulation techniques. This helps in detecting phishing attempts that might not contain traditional malicious payloads and instead rely on deception.
- Unknown Sender Analysis: Abnormal analyzes the behavior of the sender, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.