In this attack, the email simply indicated that a new payment had been sent to the recipient and the funds would be available in their account in two business days. Attached to the email was a supposed confirmation of this payment, the filename of which matched the username of the recipient’s email address. The email was sent from an account set up on Ziggo, a Dutch free webmail provider. The display name of the sender included the domain of the recipient’s company, making it look like the email was an automated message from an internal system.

[Image: ACH Payment Phishing Email]

Had the recipient opened the HTML attachment, it would have redirected them to a phishing page with a login prompt. The phishing page contained a branded background image from the recipient’s company. The login prompt contained the recipient’s company logo and was prefilled with the recipient’s email address.

[Image: ACH Payment Phishing Page]

How Does This Attack Bypass Email Defenses?

The URL within the attachment is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email was sent from a Ziggo account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Detecting this attack requires a detection system that can extract and analyze the URLs inside email attachments, assess the intent of those links, and weigh that against other signals gathered through content analysis before deciding whether the email is malicious. HTML attachments are commonly used to deliver phishing payloads without including the malicious content in the email body itself. The sender's display name resembles an administrator account; however, the sending email address has never been used to communicate with employees at the company.
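The Python below is an added illustration, not code from the original write-up: it evaluates the signals this section describes (free-webmail sender, display name carrying the recipient's domain, HTML attachment that redirects, attachment named after the recipient) over a constructed .eml. The sample message, the free-webmail domain list and the phish-example.test URLs are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not from the original report): free-webmail sender, display
# name carrying the recipient's domain, HTML attachment named after the recipient.
SAMPLE_EML = """\
From: "example-corp.test Payment System" <notice1234@ziggo.nl>
To: jsmith@example-corp.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="jsmith.html"
Content-Disposition: attachment; filename="jsmith.html"

<html><head><meta http-equiv="refresh" content="0;url=https://login.phish-example.test/?u=jsmith@example-corp.test"></head>
<body><script>window.location="https://login.phish-example.test/";</script></body></html>
--b1--
"""

FREE_WEBMAIL = {"ziggo.nl", "gmail.com", "outlook.com", "yahoo.com"}  # illustrative subset
# Places an HTML attachment can send the browser: meta refresh, anchors, script redirects.
URL_RE = re.compile(r"""(?:url=|href=|location(?:\.href)?\s*=\s*)["']?(https?://[^"'\s>;]+)""", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def extract_attachment_urls(msg):
    urls = set()
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)

def analyze(raw_eml):
    # Evaluate the signals the write-up calls out: external mailbox with an
    # internal-looking display name, plus a redirecting HTML attachment.
    msg = message_from_string(raw_eml, policy=policy.default)
    name, sender = parseaddr(str(msg["From"]))
    recipient = parseaddr(str(msg["To"]))[1]
    urls = extract_attachment_urls(msg)
    stems = {(p.get_filename() or "").rsplit(".", 1)[0].lower() for p in msg.iter_attachments()}
    checks = {
        "free-webmail-sender": domain_of(sender) in FREE_WEBMAIL,
        "display-name-carries-recipient-domain":
            domain_of(recipient) in name.lower() and domain_of(sender) != domain_of(recipient),
        "html-attachment-redirect": bool(urls),
        "attachment-named-after-recipient": recipient.split("@")[0].lower() in stems,
    }
    return [signal for signal, hit in checks.items() if hit], urls
```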

What are the Risks of This Attack?

Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based
Goal: Credential Theft
Tactic: Free Webmail Account, Branded Phishing Page
Theme: Fake Payment
Impersonated Party: Internal System
