In this attack, an employee was sent an email that looked like a security alert, indicating the user’s data was recently accessed from an “unsecure location.” The email indicated there was an attached report that needed to be reviewed to prevent having their account locked. The message contained a header stating “This sender has been verified” to lend credibility, and the email closed with a sign-off that read, “This is an automated email, do not reply.” The sending email address was spoofed to match the recipient’s address, and the sender’s display name included the employee’s company domain name to make it look like the email was being generated by an internal security alerting tool.

Security Alert Phishing

Attached to the email was an HTML file named “Geo_LocSecure.html.” Had the target opened the file, a phishing page would have rendered that mimicked a Microsoft login page. The phishing page was pre-populated with the recipient’s email address and the login box was customized with the targeted company’s logo.

Security Alert Phishing Page

How Does This Attack Bypass Email Defenses?

The URL within the attachment is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.

How Can This Attack Be Detected?

Detecting this attack requires a holistic system that can extract and analyze URLs from email attachments and assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious. HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. An analysis of the HTML file identified a URL that had not been previously detected as malicious. The sending and receiving email addresses in this email appeared to be identical, which is an indicator that this message is potentially malicious.
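The signals described above can be checked with the Python standard library alone. The following is an added example, not code from the original report or from any vendor product; the sample message, the `example.com`/`example.net` addresses, the class name and the `analyze` function are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message, not taken from the report; example.com/.net are placeholders.
SAMPLE_EML = """\
From: "example.com Security Alert" <jdoe@example.com>
To: jdoe@example.com
Subject: Security alert
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This sender has been verified. Review the attached report.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Geo_LocSecure.html"

<form action="https://login.example.net/post"><input type="email"
 value="jdoe@example.com"><input type="password"></form>
--b1--
"""

class FormAndLinkCollector(HTMLParser):
    """Collects absolute URLs and notes whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.urls, self.password_field = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src", "action"):
            if (a.get(key) or "").lower().startswith(("http://", "https://")):
                self.urls.append(a[key])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True

def analyze(raw):
    """Return the signals the write-up names for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    rcpt = parseaddr(str(msg.get("To", "")))[1]
    c = FormAndLinkCollector()
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            c.feed(part.get_content())
    dom = rcpt.rpartition("@")[2].lower()
    return {"self_addressed": bool(rcpt) and sender.lower() == rcpt.lower(),
            "display_name_has_rcpt_domain": bool(dom) and dom in display.lower(),
            "attachment_urls": c.urls, "password_field": c.password_field}
```

The extracted URLs would then be passed to whatever link-analysis or reputation step the mail pipeline already uses; none of these signals is conclusive on its own.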

What are the Risks of This Attack?

Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they could then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based

Goal: Credential Theft

Tactic: Self-Addressed Spoofed Email, Branded Phishing Page

Theme: Suspicious Account Activity

Impersonated Party: Internal System
