Internal Account Takeover Leads to Lateral Phishing via Wix-Hosted Data Collection Form
Attack Overview
Step 1: Email
This attack begins with a successful account takeover. Using that compromised account, the attacker sends a phishing email to coworkers within the same organization, making the message appear internal and trustworthy.

- Sent from a verified internal account.
- Message appears routine and business-relevant.
- Includes a link to a web form hosted externally.
Step 2: Phishing Form Hosted on Wix
Targets who click the PandaDoc link find a blank or non-functional document. The attacker uses this as a social engineering trick to direct them to manually open the Dropbox link.
- Hosted on a legitimate cloud web design platform (Wix).
- Form asks for names, phone numbers, passphrases, and birthdates.
- No overt signs of malicious intent, adding to its deception.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Originated from a domain that passed authentication checks.
- Was sent internally, bypassing external threat filters.
- Used a legitimate hosting platform to avoid raising suspicion.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unusual internal communication patterns.
- NLP analysis of the form’s solicitation language.
- Sender behavior inconsistent with typical usage patterns.
By learning what normal behavior looks like and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
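The three detection factors listed above, turned into a small scoring routine as an added example (this is not Abnormal's code, and the page does not describe its actual model). It compares an internal message with a per-sender baseline (recipient volume and familiarity), looks at where any links point, and uses regular expressions as a crude stand-in for the NLP step over solicitation language. The baseline, the two sample messages, the form-builder domain list, the weights and the verdict thresholds are all constructed assumptions.

```python
"""Toy lateral-phishing scorer (added example, not Abnormal's detection logic).

Scores an internal message against a per-sender baseline built from past mail:
recipient volume and familiarity, link destinations, and language that solicits
credentials or personal data. All sample data below is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str

@dataclass
class SenderBaseline:
    """What this sender's internal mail usually looks like (constructed)."""
    median_recipients: int
    usual_contacts: set[str]
    usual_link_domains: set[str]

# Hosted form/site builders; Wix is the one the page describes, the set is an assumption
FORM_BUILDER_DOMAINS = {"wixsite.com", "wix.com"}

# Crude stand-in for the NLP step: phrases that ask for credentials or PII
SOLICITATION_PATTERNS = {
    "credential": re.compile(r"\bpass(word|phrase|code)s?\b", re.I),
    "birthdate": re.compile(r"\b(date of birth|birth ?date|dob)\b", re.I),
    "phone": re.compile(r"\b(phone|mobile) (number|no\.?)\b", re.I),
    "form": re.compile(r"\b(fill (out|in)|complete) (the|this) form\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (good enough for this toy)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_domains(body: str) -> set[str]:
    """Registered domains of every http(s) URL found in the body."""
    return {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}

def score_message(msg: Message, baseline: SenderBaseline) -> tuple[int, str, list[str]]:
    """Return (score, verdict, reasons). Weights and thresholds are arbitrary."""
    score, reasons = 0, []
    n = len(msg.recipients)
    # 1. Volume: a burst far above the sender's median recipient count
    if n >= 3 * max(baseline.median_recipients, 1):
        score += 2
        reasons.append(f"{n} recipients vs median {baseline.median_recipients}")
    # 2. Familiarity: mostly people this sender has never mailed before
    unknown = [r for r in msg.recipients if r not in baseline.usual_contacts]
    if n and len(unknown) / n > 0.5:
        score += 1
        reasons.append(f"{len(unknown)}/{n} recipients never mailed before")
    # 3. Links: domains this sender never used, and hosted form builders
    for d in sorted(link_domains(msg.body)):
        if d not in baseline.usual_link_domains:
            score += 1
            reasons.append(f"new link domain {d}")
        if d in FORM_BUILDER_DOMAINS:
            score += 1
            reasons.append(f"form-builder domain {d}")
    # 4. Language: requests for credentials or personal data (credentials weigh double)
    hits = [k for k, p in SOLICITATION_PATTERNS.items() if p.search(msg.body)]
    score += len(hits) + (1 if "credential" in hits else 0)
    if hits:
        reasons.append("solicits " + ", ".join(hits))
    verdict = "hold" if score >= 5 else "review" if score >= 2 else "deliver"
    return score, verdict, reasons

# Constructed baseline and messages for one internal sender
BASELINE = SenderBaseline(
    median_recipients=2,
    usual_contacts={"a.lee@example.com", "b.kim@example.com"},
    usual_link_domains={"example.com", "sharepoint.com"},
)
LATERAL_PHISH = Message(
    sender="j.doe@example.com",
    recipients=["a.lee@example.com"] + [f"user{i}@example.com" for i in range(11)],
    body=("Please fill out this form with your name, phone number, date of birth "
          "and passphrase: https://hr-records-update.wixsite.com/payroll"),
)
ROUTINE = Message(
    sender="j.doe@example.com",
    recipients=["a.lee@example.com", "b.kim@example.com"],
    body="Updated deck: https://example.sharepoint.com/sites/sales/deck.pptx",
)

if __name__ == "__main__":
    for m in (LATERAL_PHISH, ROUTINE):
        print(score_message(m, BASELINE))
```

The point of the baseline object is that every signal is relative to the sender, not absolute: a Wix link by itself only earns a "review", while the same link combined with an unusual recipient burst and a request for a passphrase and birthdate is held, which is why a sender-behavior model catches a message that passed SPF, DKIM and DMARC.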