This multi-layered malware delivery attack abuses the legitimate file-sharing tool Smash. The attacker first gains control of the “bop-products.com” domain and impersonates Monica Nguyen, an accountant at B.O.P. Products. Acting as Monica, they use Smash to send the recipient a likely malware-infected PDF labeled “B.O.P. Products, LLC Due Statement.pdf”. While the file appears to be a statement balance or invoice, in all likelihood the PDF contains malicious code that would infect the recipient’s computer when opened.

What initially makes this attack difficult for someone to detect is that the email is auto-generated from Smash, and the attacker is using a real domain. Additionally, the email contains two different links for the recipient to download the file, both leading to Smash’s website. By harnessing an authentic file-sharing tool, the attacker hopes the recipient falsely believes the downloadable file is safe. 

Legacy email security tools have difficulty detecting this email as an attack because of the legitimate email service used, the unknown sender, and the embedded links. Modern, AI-powered email security solutions analyze the links, sending domain, and sender behaviors to identify this email as an attack accurately.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Email Service: The email comes from Smash, a legitimate file-sharing service. Traditional security tools may not flag this as suspicious because the use of Smash is not inherently malicious.
  • Unknown Sender: The email is from an unknown sender the recipient has never received messages from in the past. This can bypass security measures that rely only on lists of known malicious senders.
  • Embedded Links: The email contains multiple embedded links. Legacy security tools may be unable to effectively analyze these links for potential threats, especially if they lead to legitimate file-sharing websites.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links included in the email body. If these links lead to malicious or suspicious sites, this can indicate a potential threat.
  • Sender Analysis: Abnormal analyzes the sender's email and domain. In this case, the sender's email is unknown to the company, indicating a potential threat.
  • Behavioral Analysis: Abnormal harnesses AI to conduct behavioral analysis to identify unusual patterns that may indicate a threat. This can include things like the nature of the requested action (e.g., clicking on a link to download files).

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
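The following is an added illustration, not Abnormal Security's code: a heuristic triage that combines the three indicators named above (unknown sender, links to a legitimate file-sharing host, billing-themed file name) against a baseline of previously seen sender behavior. The hosts, addresses and baseline entries are constructed placeholders; the write-up does not give Smash's link domain.

```python
# Added example (not Abnormal Security's code): heuristic triage of a
# file-sharing notification using the indicators the write-up names.
# All hosts, addresses and the baseline below are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: services whose notification mails are legitimate but can be
# abused to host a payload (the "Legitimate Hosting Infrastructure" tactic).
FILE_SHARING_HOSTS = {"smash.example", "share.example"}
# Constructed baseline of "normal behavior": sender -> link hosts seen before.
BASELINE = {
    "ap@trusted-vendor.example": {"portal.trusted-vendor.example"},
}
LURE_WORDS = ("statement", "invoice", "due", "payment", "remittance")

@dataclass
class Message:
    from_address: str
    links: list[str]
    file_name: str

def triage(msg: Message, baseline=BASELINE) -> tuple[str, list[str]]:
    """Return (verdict, findings) for one message."""
    findings = []
    sender = msg.from_address.lower()
    hosts = {urlparse(u).hostname or "" for u in msg.links}
    if sender not in baseline:
        findings.append("unknown-sender")       # no prior relationship
    elif not hosts <= baseline[sender]:
        findings.append("new-link-host")        # known sender, unusual destination
    if hosts & FILE_SHARING_HOSTS:
        findings.append("file-sharing-link")    # download hosted on a legit service
    if any(w in msg.file_name.lower() for w in LURE_WORDS):
        findings.append("billing-lure")         # fake statement/invoice theme
    # Escalate only when indicators combine: a first-contact sender pushing a
    # billing-themed download from a file-sharing host matches this pattern.
    if {"unknown-sender", "file-sharing-link", "billing-lure"} <= set(findings):
        return "quarantine", findings
    if len(findings) >= 2:
        return "review", findings
    return "deliver", findings

# Constructed message modelled on the write-up (address and hosts are placeholders;
# the two links mirror the two download links described in the email).
SUSPECT = Message(
    from_address="no-reply@smash.example",
    links=["https://smash.example/d/abc123", "https://smash.example/dl/abc123"],
    file_name="B.O.P. Products, LLC Due Statement.pdf",
)
```

No single indicator is decisive on its own: a known vendor sending an invoice from its usual portal yields only "billing-lure" and is delivered, which is why the verdict keys on the combination rather than on any one signal.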

Analysis Overview

Vector: Payload-based
Goal: Malware Delivery
Tactic: Legitimate Hosting Infrastructure
Theme: Fake Document
Impersonated Party: External Party - Vendor/Supplier
