HR Impersonator Spoofs Healthcare Advisory Company to Attempt Credential Theft
After spoofing a “two-bridge[.]com” email, an attacker sends an email explaining that a new employee handbook has been created and that all employees must electronically acknowledge and accept the new handbook by clicking the provided link. Two Bridge is a healthcare advisory firm based in the United States, so spoofing this domain enables the attacker to appear more legitimate. Upon further inspection, the attacker’s IP address is located in Lithuania, making it clear this email is not legitimate communications from Two Bridge and is a credential theft attempt. The link in the email leads to a phishing website where sensitive information is at risk.
Older, legacy email security tools struggle to accurately identify this email as an attack because of the spoofed email address, lack of attachments, and legitimate-looking content. Modern, AI-powered email security solutions analyze the links, detect the spoofed email address, and identify the unknown sender domain to correctly flag this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The email appears to come from a legitimate email address “sbhavnani@two-bridge[.]com,” which could bypass security checks that only look for known malicious senders.
- Lack of Attachments: This email does not contain any attachments. Many legacy email security tools are designed to scan attachments for malicious content, and since this email does not contain any attachments, it could bypass these security checks.
- Legitimate-Looking Content: The content of the email appears to be a legitimate request for employees to acknowledge an updated employee handbook. This could trick users into thinking the email is genuine and bypass security checks that look for known phishing or scam keywords.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Link Analysis: The email contains a link “myrezv.clicks.mlsend[.]com” that could potentially lead to a malicious website. Abnormal Security checks the safety of links in emails to protect against phishing attacks.
- Spoofed Email Address: Abnormal checks for spoofed email addresses. In this case, while the email initially appears to be sent from a legitimate email address “sbhavnani@two-bridge[.]com,” it is in fact spoofed, which is a common tactic used in phishing attacks.
- Unknown Sender Domain: The email comes from an unknown domain that the company has never sent messages to in the past. Abnormal tracks and flags emails from previously unseen domains.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.