In this likely AI-generated phishing attack, cybercriminals use a compromised email address to impersonate a representative of the New York State Department of Taxation. The email, titled "Urgent: Notice of Tax Violation and False Entries," claims an investigation revealed potential tax violations in the recipient’s past filings, such as false entries, falsified invoices, and discrepancies in financial statements. The email warns of significant consequences—including audits, investigations, and possible prosecution—if the issue is not resolved promptly. The attacker instructs the recipient to contact them via an unofficial email address, "nystax1@protonmail[.]com," to resolve the issue. Anticipating that the target may be suspicious of a request to correspond with an address not hosted on a .gov domain, the attacker includes a note informing the recipient they have “chosen to utilize this non-official channel to ensure the utmost confidentiality.” The threat actor’s goal is not to deceive the target into clicking a malicious link or downloading a malicious payload but instead to compel the recipient to engage with them so they can begin the next stage of the attack. By leveraging the trusted authority of the New York State Tax Department and instilling a sense of urgency and fear, the attacker hopes to manipulate the recipient into responding and potentially providing sensitive information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a legitimate but compromised email address, contains no direct links, and carries no malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect the mismatch between the reply-to and sender addresses, and use advanced content analysis to correctly flag this email as an attack.

Figure: Email from a compromised account informing the target of fabricated tax violations in an attempt to compel the target to reply.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The attacker uses a legitimate email address from a compromised account, bypassing basic email verification checks and adding perceived authenticity. Traditional email defenses may not flag the message because the email comes from a known domain, making it appear trustworthy.
  • Absence of Direct Links: Instead of including direct links, the attacker instructs the recipient to respond to an email address. This method circumvents link verification checks, which are often a primary focus for legacy security tools.
  • Absence of Malicious Attachments: By avoiding the use of attachments, the email evades detection by antivirus and anti-malware systems that are primarily designed to detect attachment-based threats. This tactic leverages the blind spots of traditional defenses.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: Abnormal's platform identifies the email as originating from an unknown sender with no prior communication history with the recipient. By maintaining a comprehensive communication history, Abnormal quickly flags deviations from typical sender-recipient interactions, signaling a potential threat.
  • Suspicious Reply-to Address: Abnormal's systems detect the presence of an unofficial reply-to address that differs from the sender’s legitimate email address. This anomaly raises a red flag, prompting deeper analysis by Abnormal’s platform to assess the potential risk of the communication.
  • Content Analysis: Using sophisticated content analysis algorithms, Abnormal flags the email's urgent message about tax violations as a classic phishing tactic. The platform's AI models scrutinize the language and context of the message, identifying patterns consistent with phishing attempts designed to provoke fear or urgency.
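The three detection factors above (no prior sender-recipient history, a reply-to address on a different domain than the sender, and fear- or urgency-laden content) can be expressed as simple, explainable checks. The following Python script is an added example written for this post; it is not Abnormal's code and does not reproduce the platform's models. It parses a constructed message modelled on the attack described here (the sending domain, recipient and communication history are placeholders; only the protonmail reply address and subject line come from the post), scores each indicator, and also flags a free-webmail contact address embedded in the body, which is how this email steers the victim off-channel without using a link.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message described in this post. The
# sending domain, recipient and history below are placeholders, not values
# taken from the page.
SUSPECT_RAW = """\
From: Tax Compliance Office <j.doe@compromised-org.example>
To: recipient@victim.example
Reply-To: nystax1@protonmail.com
Subject: Urgent: Notice of Tax Violation and False Entries

Our investigation revealed potential tax violations in your past filings,
including false entries and falsified invoices. Failure to resolve this
promptly may result in audits, investigation and prosecution.
Contact us at nystax1@protonmail.com. We have chosen to utilize this
non-official channel to ensure the utmost confidentiality.
"""

# Constructed benign message from a sender the recipient already knows.
BENIGN_RAW = """\
From: Colleague <colleague@victim.example>
To: recipient@victim.example
Subject: Thursday agenda

Hi, the agenda for Thursday's meeting is in the shared folder. Thanks.
"""

# Prior senders per recipient (constructed), standing in for the
# communication-history baseline the post describes.
KNOWN_SENDERS = {
    "recipient@victim.example": {"colleague@victim.example", "billing@supplier.example"},
}

FREE_WEBMAIL = {"protonmail.com", "gmail.com", "outlook.com", "yahoo.com"}
URGENCY_TERMS = ("urgent", "immediately", "promptly", "failure to",
                 "prosecution", "audit", "violation")
CONFIDENTIALITY_TERMS = ("non-official channel", "confidentiality")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FLAG_THRESHOLD = 3  # number of indicators that must fire before we flag


def domain_of(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Score one RFC 5322 message and return the indicators that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_content()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Addresses in the body that sit on a free webmail domain other than
    # the sender's own domain: the off-channel contact this attack relies on.
    offsite = {
        a.lower() for a in EMAIL_RE.findall(body)
        if domain_of(a) in FREE_WEBMAIL and domain_of(a) != domain_of(sender)
    }
    urgency_hits = [t for t in URGENCY_TERMS if t in text]

    indicators = {
        "unknown_sender": sender.lower() not in KNOWN_SENDERS.get(recipient.lower(), set()),
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(sender),
        "offsite_contact_address": bool(offsite),
        "urgency_language": len(urgency_hits) >= 2,
        "confidentiality_pretext": any(t in text for t in CONFIDENTIALITY_TERMS),
    }
    score = sum(indicators.values())
    return {
        "sender": sender, "reply_to": reply_to, "offsite_addresses": sorted(offsite),
        "indicators": indicators, "score": score,
        "verdict": "flag" if score >= FLAG_THRESHOLD else "allow",
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("benign", BENIGN_RAW)):
        result = analyze(raw)
        print(label, result["verdict"], result["score"], result["indicators"])
```

Note that none of the checks depend on a URL or attachment being present: the constructed suspect message trips all five indicators while the benign note trips none, which is the point the post makes about link- and attachment-centric filters missing this class of email.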

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Text-based
  • Goal: Credential Theft
  • Tactic: Free Webmail Account; External Compromised Account
  • Theme: Audit; Tax Matter
  • Impersonated Party: Government Agency
  • Impersonated Brands: New York State Tax Department
  • AI Generated: Likely
