Fake Stripe Chargeback Alert Exploits PandaDoc to Steal Business Credentials
In this phishing attack, cybercriminals spoof PandaDoc, an e-signature platform, and send the target a message posing as the support team from Stripe, a payment processing solution. Using a spoofed email address designed to appear as a real PandaDoc account, the attacker emails the target informing them they have a secured message related to payouts. Clicking on “Open the Document” redirects the recipient to a file hosted on PandaDoc that contains impersonated Stripe branding and a message warning of a significant rise in customer chargebacks. The target is informed they must verify their business email within 48 hours or risk having their payouts paused. Should the recipient click the button labeled “Validate [recipient’s email]” embedded in the file, they will be redirected to a phishing site designed to steal sensitive information.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed address, contains no attachments, and includes legitimate links to bypass verification checks. Modern AI-powered email security solutions detect links to suspicious domains, flag that the message is coming from an unknown sender, and recognize the mismatch between the sender and reply-to addresses to correctly identify the email as an attack.
To protect against such threats, users should verify communications directly through their official dashboard rather than interacting with unexpected emails. Additionally, businesses should educate employees on phishing tactics, implement multi-factor authentication, and deploy advanced email security tools to detect and block sophisticated scams like this one.
Malicious email disguised as shared document notification sent from Stripe via PandaDoc
File hosted on PandaDoc posing as verification request from Stripe
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks because of their legitimate structure.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Reply-to Address Mismatch: The email includes a reply-to address that differs from the sender's address, further raising suspicion and prompting Abnormal's systems to analyze the email more deeply.
By recognizing established normal behavior and detecting these indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
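As an added illustration (not Abnormal's detection code, which the post notes is proprietary), the three signals above can be scored together over a constructed message; the sender-history set, the suspicious-domain list and every address and domain below are invented placeholders.

```python
# Added example: scoring unknown-sender, reply-to mismatch and suspicious-link
# signals over one constructed message. Not the vendor's detection logic.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the described lure (all values invented).
SAMPLE = """From: PandaDoc <noreply@pandadoc-notify.example>
Reply-To: stripe-support@payout-verify.example
To: owner@acme.example
Subject: Secured message: payouts
Content-Type: text/html

<p><a href="https://documents.pandadoc.example/d/abc123">Open the Document</a></p>
<p><a href="https://payout-verify.example/validate">Validate owner@acme.example</a></p>
"""

# Assumed inputs: prior correspondents of the recipient, and a threat-intel list.
KNOWN_CONTACTS = {"vendor@supplier.example"}
SUSPICIOUS_DOMAINS = {"payout-verify.example"}


def domain_of(addr):
    """Return the lowercase domain part of an address (empty if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def extract_link_domains(body):
    """Collect hostnames of every href in an HTML body."""
    return {(urlparse(u).hostname or "").lower()
            for u in re.findall(r'href="([^"]+)"', body)}


def score_message(raw, known_contacts, suspicious_domains):
    """Evaluate the three signals from the post; each is a boolean."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    links = extract_link_domains(msg.get_payload())
    return {
        # Sender has no history with this recipient.
        "unknown_sender": sender not in known_contacts,
        # Reply-To points at a different domain than the visible sender.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender),
        # A legitimate e-signature link alone passes; the second link does not.
        "suspicious_link": bool(links & suspicious_domains),
    }


def verdict(signals):
    """Flag when at least two independent signals fire."""
    return "flag" if sum(signals.values()) >= 2 else "allow"
```

Note that the PandaDoc-hosted link contributes nothing on its own, which is why the combination of signals, not any single link check, drives the verdict.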
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.