This attack is a phishing attempt in which the attacker pretends to be from LinkedIn’s billing department. The attacker claims that, in the wake of the Silicon Valley Bank closure, LinkedIn has switched to a new banking provider and requests that the recipient update their banking information. By referencing a notable news event and pretending to be from a large company, the attacker leverages authority and creates a sense of urgency. To further avoid detection, the attacker used a lowercase l instead of an uppercase I in the domain “@recievables--linkedln.com,” since a recipient glancing quickly at the domain could mistake it for LinkedIn. This likely AI-generated attack highlights how easily attackers can create email content around current events to appear like legitimate company communications.

Older email security tools likely have trouble detecting this as an attack because of the lack of malicious links or attachments, the impersonation of a trusted brand, and the high level of social engineering. Advanced, AI-powered security solutions recognize the domain age, unusual sender behavior, and the entity spoofing to correctly label this as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Links or Attachments: Traditional email security tools often rely on detecting malicious links or attachments. This email does not contain any, making it harder for those tools to flag it as suspicious.
  • Spoofing Trusted Entities: The attacker is impersonating a trusted entity (LinkedIn Corporation). This can make it harder for traditional tools to detect the email as malicious, especially if the spoofed email address is similar to the real one.
  • Social Engineering: The email uses social engineering techniques to convince the recipient to take action. Traditional email security tools may not be able to detect these techniques as they require understanding the context and intent of the message.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age: The sending domain is only 17 days old. Abnormal treats this as a strong signal of a potentially malicious email, as attackers often use newly registered domains to avoid detection by traditional threat intelligence-based tools.
  • Unusual Sender Behavior: Abnormal’s AI detected that the fully qualified domain name (FQDN) and the email used to send this message are unknown and have never been used to send messages to this company in the past. 
  • Spoofing Detection: The system detected that the attacker is spoofing a trusted entity. The actual email address (katie.stone@receivables--linkedln.com) differs from the entity it claims to be, despite looking similar. The attacker used a lowercase l instead of an uppercase I in the domain @recievables--linkedln.com.
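The three indicators above (domain age, sender novelty, and a confusable look-alike of a protected brand) can be reduced to simple heuristics. The following is an added example, not Abnormal Security's detection code: the registration date, the list of previously seen senders, and the reference date are constructed sample data chosen to reproduce the 17-day domain age stated above, and a real system would take the registration date from WHOIS/RDAP rather than a dictionary.

```python
"""Heuristic checks for the three indicators discussed on this page.
Added example code; all data below is constructed, not taken from any real feed."""
from datetime import date
import re

# Brand -> legitimate registrable domain. Any other domain containing a
# confusable version of the brand name is treated as a look-alike.
BRAND_DOMAINS = {"linkedin": "linkedin.com"}

# Constructed registration record (a real system would query RDAP/WHOIS).
DOMAIN_REGISTERED = {"receivables--linkedln.com": date(2023, 7, 23)}

# Constructed history of senders this organisation has received mail from.
KNOWN_SENDERS = {"billing@linkedin.com", "notifications@linkedin.com"}

NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered"

# Visually confusable characters folded to one canonical letter, so that
# "linkedln" (lowercase L standing in for I) compares equal to "linkedin".
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def fold(text):
    """Lowercase and collapse confusable glyphs for comparison purposes."""
    return text.lower().translate(CONFUSABLES)


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None for a genuine or unrelated domain."""
    domain = domain.lower()
    # Split on dots and hyphens so "receivables--linkedln.com" yields "linkedln".
    labels = {fold(l) for l in re.split(r"[.-]+", domain) if l}
    for brand, legit in BRAND_DOMAINS.items():
        if domain == legit or domain.endswith("." + legit):
            return None  # the real domain; authenticity is SPF/DKIM's job
        if fold(brand) in labels:
            return brand
    return None


def domain_age_days(domain, today):
    """Days since registration, or None when no record is available."""
    registered = DOMAIN_REGISTERED.get(domain.lower())
    return None if registered is None else (today - registered).days


def analyse(sender, today=date(2023, 8, 9)):
    """Score one From: address. Returns (signals, verdict)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    signals = {}

    age = domain_age_days(domain, today)
    if age is not None and age < NEW_DOMAIN_DAYS:
        signals["new_domain"] = f"registered {age} days ago"

    seen_domain = any(k.endswith("@" + domain) for k in KNOWN_SENDERS)
    if sender.lower() not in KNOWN_SENDERS and not seen_domain:
        signals["unknown_sender"] = "address and domain never seen before"

    brand = lookalike_brand(domain)
    if brand:
        signals["brand_lookalike"] = f"domain imitates {brand}"

    # A brand look-alike is decisive on its own; the other two signals only
    # raise suspicion, since new domains and new senders are also common in
    # legitimate mail.
    if "brand_lookalike" in signals:
        verdict = "attack"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return signals, verdict


if __name__ == "__main__":
    for addr in ("katie.stone@receivables--linkedln.com", "billing@linkedin.com"):
        print(addr, analyse(addr))
```

Because the comparison folds confusable glyphs before matching, the check catches the l/I substitution used here as well as digit-for-letter swaps, while the legitimate linkedin.com address produces no signals at all.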


By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Payload-based
  • Goal: Payment Fraud
  • Tactic: Maliciously Registered Domain
  • Theme: Account Update
  • Impersonated Party: External Party - Vendor/Supplier
  • Impersonated Brands: LinkedIn
  • AI Generated: Likely
