In this likely AI-generated phishing attack, the threat actor compromises an email account and impersonates the Australia and New Zealand Banking Group (ANZ) to deceive recipients with a fraudulent security notice. The email, sent from a potentially compromised address belonging to an employee at a fine arts academy in Italy, uses official-sounding language and incorporates ANZ branding to enhance the appearance of legitimacy and manufacture a sense of urgency. Claiming that new security measures have been introduced to protect the recipient's financial information, it directs the recipient to click on a link "https://fressveggies[.]com" purportedly to apply these updates. However, this link leads to a phishing site that steals sensitive information. This attack illustrates the sophisticated tactics employed by threat actors to exploit the trust associated with well-known financial institutions and the urgency of emails related to bank account security. 

Legacy email security tools struggle to identify this email as an attack because it comes from a compromised legitimate account, contains no malicious attachments, and relies on social engineering rather than on anything a signature would catch. Modern, AI-powered email security solutions detect anomalies in the content, recognize that the message comes from a sender unknown to the recipient, and analyze the reputation and history of the included link to correctly flag this email as an attack.


Phishing email with call to action sent from a compromised legitimate account.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Legitimate Account: The email is sent from a potentially compromised legitimate email address, so sender-reputation checks that legacy systems depend on give it a clean bill of health.
  • Lack of Malicious Attachments: Many legacy security tools rely on scanning attachments for malware. This attack does not use attachments, relying instead on phishing links, which can sometimes evade detection.
  • Social Engineering Tactic: The email's urgent call to action, emphasizing security, is designed to prompt immediate user response without scrutiny, bypassing content filters that don't flag security reminders.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Anomaly Detection: The email’s urgent message about enhancing account security and directing recipients to click a link is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
  • Unknown Sender Consideration: The email comes from an unknown sender who has never communicated with the recipient. Abnormal maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Link Analysis: The phishing link “https://fressveggies[.]com” is scrutinized for its reputation and past activity. It raises suspicion because its domain has no relationship to the impersonated bank and because of the context in which it appears: a security notice urging the recipient to click through.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
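To make the three detection factors above concrete, here is an added example (not Abnormal's code or method) that applies the same signals to a constructed copy of this email: sender not in the recipient's communication history, urgency language, and a link whose domain does not belong to the brand named in the message. The sender and recipient addresses, the brand-domain list and the two-signal threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed brand-to-domain mapping for the impersonated bank; not data from the page.
BRAND_DOMAINS = {"anz": {"anz.com", "anz.com.au", "anz.co.nz"}}
URGENCY_TERMS = ("security", "immediately", "urgent", "verify", "update your")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(url):
    """Turn a defanged indicator ('[.]') back into a parseable URL."""
    return url.replace("[.]", ".")

def extract_links(body):
    """Return every http(s) URL in the body, refanged."""
    return [refang(m.group(0)) for m in URL_RE.finditer(body)]

def assess(msg, history):
    """Return the list of anomaly signals found in one message.

    msg: dict with 'from', 'to', 'subject', 'body'.
    history: set of (sender, recipient) pairs seen in legitimate past mail.
    """
    signals = []
    text = f"{msg['subject']} {msg['body']}".lower()
    # 1. Unknown sender: no prior sender-recipient relationship on record.
    if (msg["from"].lower(), msg["to"].lower()) not in history:
        signals.append("unknown-sender")
    # 2. Content anomaly: urgency / security language in subject or body.
    if any(term in text for term in URGENCY_TERMS):
        signals.append("urgency-language")
    # 3. Link analysis: message names a brand but links off-brand.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", text):
            for link in extract_links(msg["body"]):
                host = (urlparse(link).hostname or "").lower()
                if not any(host == d or host.endswith("." + d) for d in domains):
                    signals.append(f"brand-link-mismatch:{brand}:{host}")
    return signals

def verdict(signals):
    """Flag only when more than one independent anomaly is present."""
    return "phishing" if len(signals) >= 2 else "allow"

# Constructed sample modelled on the email described above; addresses are placeholders.
SAMPLE = {
    "from": "staff@example-academy.it",
    "to": "customer@example.com",
    "subject": "ANZ Security Notice: new protection measures",
    "body": ('Dear customer, ANZ has introduced new security measures to protect your '
             'financial information. Apply the updates immediately at "https://fressveggies[.]com".'),
}
HISTORY = {("colleague@example.com", "customer@example.com")}  # constructed
```

A legitimate notice from a known sender that links to a brand-owned domain trips at most the urgency check and is allowed, which is the point of combining signals rather than acting on any one of them.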

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account; Masked Phishing Link
Theme: Security Update; Financial Services
Impersonated Party: Brand
Impersonated Brands: Australia and New Zealand Banking Group
AI Generated: Likely
