Generic Email Support Team Impersonated in Password Change Malware Attack

In this phone fraud scam, attackers use a generic Email Support Team persona and inform the recipient that a password reset has been attempted and they must verify their identity. The attacker includes a phone number and a verification code, telling the victim that they must call the number if they are not the ones who have requested the password reset. To add legitimacy, the email states that they will never ask for the password, and any suspicious emails with password reset links should be reported to technical support for investigation.  

This is a unique approach to these types of attacks, as the next phase is to ensure the victim calls the number included in the email. Upon doing so, they will likely be asked to download a document to verify their identity. That document, of course, contains malware.

The attack uses display name deception with a Gmail address, so there is no bad reputation associated with the domain, and no malicious links or files to check. Because it relies on recipient emotion and the use of a phone call, there are no malicious indicators for a secure email gateway to discover and block. 

To detect the attack, an understanding of new threats is required alongside content analysis to detect the tone of the email and the included phone number. Lookalike content is also helpful to understanding how this attack relates to other phone-based text attacks, which have seen increased popularity in recent months due to their ability to bypass email gateways. 

While the email impersonates a generic support team, employees may be tricked into believing that it comes from their internal IT department. If this were the case and they called the number, they would be instructed to download a document containing malware onto the device. Once the malware is installed, attackers can perform a variety of nefarious actions, including escalating it into a ransomware attack.