Microsoft Impersonator Sends Fraudulent Device Registration Alert in Vishing Attack
In this vishing attack, cybercriminals send an email from a malicious Gmail address, impersonating Microsoft to deceive recipients with a fabricated security alert. The email falsely claims that a new device has been registered to the recipient's Microsoft account, detailing a sign-in attempt from Lagos, Nigeria. To instill urgency and prompt action, the email provides a fraudulent toll-free number for the recipient to contact "Microsoft Support" if they do not recognize the device. However, should the target call the provided phone number, they will be connected with the attacker, who will likely ask for sensitive information, such as account details or personal data, that can be used to compromise the target’s account.
Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a reputable email provider and contains neither a malicious link nor an attachment. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect suspicious patterns in the content of the email, and recognize that the sender name does not match the sender domain to correctly identify the email as an attack.
Attackers exploit familiar Microsoft branding in order to trick targets into providing sensitive information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Reputable Email Provider: The attacker uses a Gmail address, which is a known and reputable provider that will likely not be flagged by basic email filters, adding perceived authenticity.
- Lack of Malicious Links: The absence of direct malicious links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify phishing emails.
- Absence of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Content Analysis: The email’s urgent message about securing the recipient's device due to a sign-in from an unfamiliar location is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.