In this phishing attack, cybercriminals use a spoofed email address to impersonate Adobe Acrobat Sign and deceive recipients into believing they need to review and sign a confidentiality agreement. The email uses the subject line "Required: A document has been sent to you" and claims that the recipient has been sent a document that requires their attention, which they can view using an embedded link. However, should the target click on the button labeled “Open agreement”, they will be redirected to a phishing site crafted to impersonate a Microsoft login portal that is designed to steal sensitive information such as login credentials or personal data. By including professional language, Adobe branding, and familiar terminology associated with document sharing, the attacker creates a sense of urgency and authenticity, which can manipulate the recipient into clicking the link without questioning its legitimacy, potentially compromising their security.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address, lacks obviously malicious attachments, and uses a legitimate link. Modern, AI-powered email security solutions recognize that the sender domain does not match any domains in the message, detect links to suspicious domains, and flag that the sender is unknown to the recipient, which lets them correctly identify the email as an attack.

[Image: Adobe Acrobat Sign impersonator confidentiality agreement email. Caption: Malicious email posing as an Adobe Acrobat Sign request]

[Image: Adobe Acrobat Sign impersonator confidentiality agreement login portal]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Legitimate Link: The link included in the email redirects through a legitimate service that scans for email-based threats, allowing it to pass basic verification checks because of its seemingly legitimate structure.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising further suspicion.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of a link leading to a suspicious domain, triggering deeper analysis for possible malicious intent.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
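
As an added illustration (not Abnormal's detection logic and not code from the original page), the three indicators listed above can be approximated with simple header and link checks. The message, addresses, domains, sender history and trusted-domain list are constructed placeholders, and `base_domain` is a simplification that assumes two-label registrable domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every address and domain is a placeholder.
SAMPLE = """\
From: "Adobe Acrobat Sign" <esign@sender.example>
To: user@corp.example
Subject: Required: A document has been sent to you
Content-Type: text/html

<p>Please review and sign the confidentiality agreement.</p>
<a href="https://scan.linkcheck.example/r?u=https://login.portal.test/">Open agreement</a>
"""

# Assumed per-recipient history of senders seen before (constructed).
HISTORY = {"user@corp.example": {"hr@corp.example", "billing@vendor.example"}}
# Assumed allowlist of link domains the organisation already trusts.
TRUSTED_LINK_DOMAINS = {"corp.example"}

def base_domain(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_domains(html):
    # Only the outer host of each href is collected; a redirect target hidden
    # in the query string is not followed, which is why such links look clean.
    hosts = (urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html, re.I))
    return {base_domain(h) for h in hosts if h}

def score(raw, history, trusted):
    """Return the list of indicators raised for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    sender_dom = base_domain(sender.rpartition("@")[2])
    links = link_domains(msg.get_payload())
    findings = []
    if links and sender_dom not in links:
        findings.append("sender_link_domain_mismatch")  # unusual sending behavior
    if links - trusted:
        findings.append("untrusted_link_domain")        # link needs deeper analysis
    if sender not in history.get(recipient, set()):
        findings.append("unknown_sender")               # no prior communication
    return findings
```

Each indicator on its own is weak and common in legitimate mail; the value comes from seeing them together on a message that claims to be from a known brand.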

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Spoofed Display Name, Masked Phishing Link, Branded Phishing Page
  • Theme: Legal Matter, Fake Document
  • Impersonated Party: Brand
  • Impersonated Brands: Adobe
