Malware Attack Features Impersonation of Attorney and Malicious Attachment Disguised as Subpoena
In this malware attack, the threat actor impersonates a real attorney at a firm that works with State Farm Mutual Insurance Co. The attacker spoofs the domain “gimnasiokaipore[.]com” and uses a sender display name of “Blake Jones” in an attempt to appear more authentic. They also use the real email signature of the impersonated lawyer. The only body content in the email is a short message requesting that the recipient view the attached document—purportedly a subpoena for documents. However, the attachment is actually a malicious script that, if opened, will automatically download and infect the target’s computer with malware.
Older, legacy email security tools struggle to accurately detect this email as an attack because it contains an HTML attachment (which is not assumed to be malicious), uses targeted phishing techniques, and doesn't include language typically associated with malicious emails. Modern AI-powered email security solutions analyze the attachment, detect the unknown sender, and scrutinize emails targeting high-profile recipients to correctly flag this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Use of HTML Attachment: The attacker includes an HTML attachment, which can bypass traditional security tools that primarily focus on detecting malicious executables or document macros. HTML attachments can contain hidden scripts or redirect users to phishing sites, which may not be detected by legacy systems.
- Targeted Phishing: The email is addressed to a specific high-profile individual within an organization. This kind of targeted phishing, or spear-phishing, can often bypass legacy security tools that are more geared toward detecting mass phishing attempts.
- Absence of Typical Phishing Language: The email does not contain typical phishing language or urgent calls to action that legacy tools often look for. Instead, it uses professional legal language, which can make it harder for traditional tools to identify it as a phishing attempt.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Attachment Analysis: Abnormal analyzes the content of email attachments, including HTML files. This allows it to detect potential threats that legacy systems might miss, such as hidden scripts or phishing redirects in HTML attachments.
- Unknown Sender: Abnormal uses behavioral analysis to detect anomalies in email communication. The sender's address is one the organization has never corresponded with before, which is a strong signal of a potential threat.
- Targeted Attack Detection: Abnormal detects targeted phishing attacks, also known as spear-phishing. The email was sent to a specific high-profile individual within an organization, a common characteristic of spear-phishing attempts.
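To make the first two signals concrete, the following added example (not Abnormal Security's code and not a description of its detection engine) applies them to a raw RFC 822 message: it parses every text/html attachment and looks for inline script blocks, meta-refresh redirects and javascript: links, and it compares the sender's domain against a set of domains the organization has exchanged mail with before. The function names (scan_message, build_sample_message), the known-domain set and the sample message are all constructed for this example; the HTML attachment contains only an empty placeholder script and a redirect to a reserved .invalid domain.

```python
"""Minimal HTML-attachment and unknown-sender scanner (added example, constructed data)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical set of domains this organization has corresponded with before.
KNOWN_CORRESPONDENT_DOMAINS = {"example-law-firm.invalid", "partner.invalid"}

# Indicators that an HTML attachment does more than render static text.
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.IGNORECASE)
JS_HREF_RE = re.compile(r'href\s*=\s*["\']?\s*javascript:', re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain from the address part of the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def scan_message(raw: bytes, known_domains=KNOWN_CORRESPONDENT_DOMAINS) -> dict:
    """Scan one raw message; return the sender domain, a list of findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Signal 1: unknown sender (no prior correspondence with this domain).
    dom = sender_domain(msg)
    if dom and dom not in known_domains:
        findings.append(f"unknown sender domain: {dom}")

    # Signal 2: HTML attachments that carry scripts or redirects.
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        name = part.get_filename() or "(unnamed)"
        html = part.get_content()  # decoded str for text/* parts
        if SCRIPT_RE.search(html):
            findings.append(f"html attachment {name}: inline <script> block")
        if META_REFRESH_RE.search(html):
            findings.append(f"html attachment {name}: meta refresh redirect")
        if JS_HREF_RE.search(html):
            findings.append(f"html attachment {name}: javascript: link")

    return {"sender_domain": dom, "findings": findings, "suspicious": bool(findings)}


def build_sample_message(sender="Blake Jones <blake.jones@attacker-spoof.invalid>",
                         attach_html=True) -> bytes:
    """Construct a sample message resembling the attack described above (constructed data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "executive@victim-corp.invalid"
    msg["Subject"] = "Subpoena for documents"
    msg.set_content("Please see the attached subpoena.")
    if attach_html:
        html = ('<html><body><p>Loading document...</p>'
                '<meta http-equiv="refresh" content="0;url=https://lure.invalid/">'
                '<script>/* constructed placeholder, intentionally empty */</script>'
                '</body></html>')
        msg.add_attachment(html, subtype="html", filename="subpoena.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message())["findings"]:
        print("FINDING:", finding)
```

Run against the constructed message, the scanner reports three findings: the unknown sender domain, the inline script block and the meta-refresh redirect. A message from a domain in the known set with no HTML attachment produces none. Scanning the attachment body rather than only its file type is the point: a text/html part that merely renders a document contains no script or redirect, so these checks separate the "unremarkable attachment" case from the one the article describes.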
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.