This attack features an impersonation of a health and wellness director at an Ivy League school via a compromised account and informs the recipient of a potential Monkeypox virus outbreak on campus. The attacker includes a link to the profile of a university employee who has supposedly been exposed to the virus and asks the recipient whether they have been in close contact with the infected employee.

The link in the email is hidden behind a URL shortener that redirects to a malicious site, which likely prompts the recipient to enter email credentials in order to access the employee profile and learn who was infected. The attacker uses urgency around a recent public health crisis to leverage authority and prompt the recipient to act immediately. Adding further complexity is the likelihood that this attack was AI-generated, as detected by Abnormal and confirmed by OpenAI Detector and GPTZero.

Since the language sounds legitimate, the domain is known, and the URL in the email is shortened, legacy security tools have trouble detecting it as malicious. By performing advanced link analysis, account takeover detection, and sentiment analysis, modern email security solutions accurately flag this email as an attack.

[Image: Monkeypox email attack]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Shortened URL: This email contains a link that points to a URL shortener, which can evade older systems that evaluate only the link's apparent domain rather than following the redirect to its actual destination.
  • Known Domain: Because the email is sent from a compromised account, the sender's email address and domain appear familiar rather than unknown or rare.
  • Legitimate-Sounding Language: The body of the email does not contain any obvious grammatical or spelling errors, making it harder for legacy tools to detect and for end-users to grasp that it is malicious.

How Can This Attack Be Detected?

This attack was detected using modern email security by analyzing various factors, including the following:

  • Advanced link analysis: The shortened link used in the email is analyzed to determine whether the destination URL is hosting malicious content, even though safe browsing tools may not have flagged it.
  • Account takeover detection: Modern email security tools can detect if the sender's email address has been compromised and is being used to send phishing emails to others.
  • Sentiment analysis: The tone and language used in the email can be analyzed with NLP. In this email, the attacker is using emotional manipulation tactics, including urgency and fear related to a potential monkeypox virus exposure.

By detecting these abnormal indicators and understanding known normal behavior, a modern email security solution can safeguard inboxes against this attack.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
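As an added example (not part of this analysis and not Abnormal's own code), the following Python sketch applies the three checks above to a constructed message: it follows a shortened link's redirect chain through an injected lookup (a mock table standing in for a sandboxed HTTP request), scores urgency and fear language, and records the sender domain so it can be compared against the organization's own. All hostnames, phrase lists and the redirect table are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the lure described on this page (not the real message).
SAMPLE_EML = """\
From: Health and Wellness Director <director@university.example>
To: staff@university.example
Subject: URGENT: Possible Monkeypox exposure on campus

A staff member has tested positive for monkeypox. Review their profile
immediately and confirm whether you had close contact:
https://short.example/x7Qp
Please respond within 24 hours.
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}  # constructed list
URGENCY_TERMS = ["urgent", "immediately", "within 24 hours", "exposure", "tested positive"]
URL_RE = re.compile(r'https?://[^\s<>"]+')
# Offline stand-in for an HTTP HEAD request: maps a URL to its Location header.
# A real scanner would issue the request from a sandbox instead of using a table.
MOCK_REDIRECTS = {
    "https://short.example/x7Qp": "https://login-portal.example/auth?next=profile",
}

def resolve_chain(url, lookup=MOCK_REDIRECTS.get, max_hops=5):
    """Follow redirects through lookup(); returns every URL visited, last = destination."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if not nxt or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain

def analyze(raw_eml, lookup=MOCK_REDIRECTS.get):
    msg = message_from_string(raw_eml)
    body = msg.get_payload()
    text = (msg["Subject"] + "\n" + body).lower()
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    links = []
    for url in URL_RE.findall(body):
        chain = resolve_chain(url, lookup)
        links.append({"url": url, "shortened": (urlparse(url).hostname or "") in SHORTENERS,
                      "destination": chain[-1], "hops": len(chain) - 1})
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1]
    # Verdict: a shortened link combined with manipulative language warrants review.
    return {"sender_domain": sender_domain, "urgency_hits": urgency_hits, "links": links,
            "suspicious": any(l["shortened"] for l in links) and len(urgency_hits) >= 2}
```

The resolved destination, not the shortener host, is what reputation and content checks should be run against; the sender domain matching the recipient's own organization is exactly why domain reputation alone stays silent here.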

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account
Theme: Health Concern
Impersonated Party: Employee - Executive
