In this credential phishing attack, the threat actor spoofs a legitimate domain, “campaign.eventbrite[.]com,” and then impersonates international shipping provider DHL to send a fake notification about a failed package delivery. Using a display name of “DHL” and authentic-sounding language, the attacker claims the target has a pending delivery that could not be delivered due to an incorrect shipping address. Included in the email is a link the recipient can purportedly use to update their address and pay associated shipping costs. However, the link likely leads to a phishing website where login credentials, payment details, or other sensitive information are at risk of being stolen.

Older, legacy email security tools struggle to accurately flag this email as an attack because it appears to come from a legitimate domain, contains no attachments, and has an unknown DMARC status. Modern, AI-powered email security solutions detect the phishing link and spoofed email address in addition to conducting a full behavioral analysis to correctly identify this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be from a legitimate source “noreply@campaign.eventbrite[.]com,” which can bypass traditional security measures that rely on blacklisting known malicious email addresses.
  • Lack of Attachments: This email does not contain any attachments. Many traditional security tools focus on scanning attachments for malicious content, so an email without attachments may not trigger these security measures.
  • DMARC Failure: The DMARC status of this message is 4, which means it's unknown. DMARC is an email-validation system designed to detect and prevent email spoofing. A failure or unknown status could allow an email to bypass security measures.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Phishing Link in the Body: The email contains a phishing link in the body text. Abnormal's advanced detection models can scan the body text of an email for malicious links.
  • Spoofed Email Address: The email appears to be from a legitimate source, “noreply@campaign.eventbrite[.]com,” but Abnormal recognizes that this may be a spoofed email address, even if it bypasses traditional security measures.
  • Behavioral Analysis: Abnormal uses behavioral analysis to identify unusual patterns in the email, such as the request to confirm an address and pay a shipping cost, which can be indicative of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
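
The indicators described above (a brand display name on an unrelated sending domain, a DMARC result other than pass, and a link whose visible URL differs from its target) can be checked with ordinary header and body parsing. The following Python is an added example, not Abnormal's detection logic; the brand-domain table, the Authentication-Results value, and the link URLs in the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains each brand really sends from (illustrative, not exhaustive).
BRAND_DOMAINS = {"dhl": {"dhl.com"}}
# Constructed sample message; the link target is a placeholder on a reserved TLD.
SAMPLE = """\
From: DHL <noreply@campaign.eventbrite.com>
Authentication-Results: mx.example.org; dmarc=none header.from=campaign.eventbrite.com
Content-Type: text/html

<a href="https://update-address.example.invalid/pay">https://www.dhl.com/track</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():  # display name vs. sending domain
        on_brand = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not on_brand:
            findings.append("display_name_brand_mismatch")
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not m or m.group(1).lower() != "pass":  # none, fail or missing: sender unverified
        findings.append("dmarc_not_pass")
    collector = AnchorCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:  # visible URL must point where the href points
        if text.lower().startswith(("http://", "https://")) and urlparse(text).hostname != urlparse(href).hostname:
            findings.append("masked_link")
    return findings
```

None of the three findings depends on an attachment or a blocklisted sender, which is why they still fire on a message like the one described here.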

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Display Name, Masked Phishing Link
  • Theme: Fake Shipping Notification
  • Impersonated Party: Brand
  • Impersonated Brands: DHL
