Credential Phishing Attack Masquerades as an Employee Training Invoice
In this attack, a company executive received an email indicating it included an invoice for training. The email was configured to hide the sender’s email address and the sending display name was set to “I N VOICE-176152,” which included hidden encoded characters. An analysis of the email headers indicated that the email was sent using a compromised external domain.
How Does This Attack Bypass Email Defenses?
This attack contained hidden encoded characters, which prevents threat detection tools relying on identifying known malicious text strings from identifying the email as a threat. Because the sender’s email address was hidden, it wouldn’t have been able to compare it to known malicious accounts. Because the files associated with this attack contained source code that had been obfuscated, a basic scan of the file to identify malicious artifacts, such as URLs, could not be performed.
How Can This Attack Be Detected?
HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. The use of obfuscated source code is a common tactic in phishing attacks. Additionally, an in-depth analysis of files, rather than simply scanning raw source code, could result in the identification of malicious artifacts. The absence of a sending email address is indicative of behavior from a malicious source. A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious.
What are the Risks of This Attack?
If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.