In this attack, the email contained a notification indicating the recipient’s company had updated their security with end-to-end encryption. The message contained a link that needed to be clicked in order to enable the new settings on all devices. The domain name of the target organization was referenced in the sending display name, as well as multiple times throughout the body of the message, making it seem like the email was sent from an internal system. The email was sent from a likely compromised GoDaddy domain.

Encryption Credential Phishing Email

If the recipient clicked on the “Enable Now” link in the email, they would have been directed to a phishing page pre-filled with their email address and displaying the logo of their company. The phishing page was hosted on legitimate Amazon AWS infrastructure.

Encryption Credential Phishing Page

How Does This Attack Bypass Email Defenses?

The URL found in the email had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The link included in the email was hosted on legitimate Amazon AWS infrastructure and, because the service is used for normal business purposes, security tools wouldn’t be able to add the domain to a global blocklist. The compromised domain used to send the email was valid and had not been previously flagged as being used for malicious purposes.

How Can This Attack Be Detected?

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. The sender’s display name resembles an administrator account; however, the email address has never been used to communicate with employees at the company.
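
The signals described above, applied to one constructed message, as an added example that is not code from the original write-up or from any product. The signal names, the known-senders set, and the idea that the link itself carries the recipient's address (to pre-fill the page) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, unquote

# Assumption: suffixes of shared hosting that cannot be blocklisted outright.
SHARED_HOSTING_SUFFIXES = (".amazonaws.com",)

# Constructed sample message; every name, address and URL is made up.
SAMPLE = """\
From: "example.com Support" <notify@sender-domain.example>
To: alice@example.com
Subject: example.com security update: end-to-end encryption
Content-Type: text/plain

example.com has updated its security with end-to-end encryption.
Enable Now: https://constructed-bucket.s3.amazonaws.com/index.html#alice@example.com
"""

def score_message(raw, known_senders):
    """Return the list of behavioral signals raised by one message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg["From"])
    _, recipient = parseaddr(msg["To"])
    sender_domain = sender.rpartition("@")[2].lower()
    rcpt_domain = recipient.rpartition("@")[2].lower()
    signals = []
    # Display name carries the recipient's own domain, but the address does not.
    if rcpt_domain in display.lower() and sender_domain != rcpt_domain:
        signals.append("display_name_impersonates_recipient_org")
    # The address has no history of mail to this organization.
    if sender.lower() not in known_senders:
        signals.append("first_time_sender")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            signals.append("link_on_shared_hosting")
        # A link that embeds the recipient's address can pre-fill a login form.
        if recipient.lower() in unquote(url).lower():
            signals.append("link_carries_recipient_address")
    return signals

if __name__ == "__main__":
    print(score_message(SAMPLE, known_senders={"it-helpdesk@example.com"}))
```

No single signal here is conclusive, since shared hosting and first-time senders are both common in legitimate mail; it is the combination that separates this message from routine traffic.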

What are the Risks of This Attack?

Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. Furthermore, because the sender’s display name has been spoofed to impersonate the company’s website support, an employee receiving the email may instinctively comply with it since it appears to be an official announcement. Once an employee enters their credentials, attackers have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.

Analysis Overview

Vector: Link-based

Goal: Credential Theft

Tactic: Branded Phishing Page, Compromised Sending Domain, Legitimate Hosting Infrastructure

Theme: Security Update

Impersonated Party: Internal System
