In this phishing attack, a threat actor impersonates Booking[.]com and emails the target about a recent reservation. The message is sent from a Gmail address, which passes basic sender checks, and claims that the travel site has received a complaint from a guest about a recent stay at the target's property. It asks the recipient to review the complaint details via a link. If the target clicks, they are taken to a page built to look like the Booking[.]com login page for property managers. The page is a phishing site: any credentials entered into it go straight to the attacker.

Legacy email security tools struggle to identify this email as an attack because it originates from a legitimate email provider, relies on social engineering rather than malware, and carries no malicious attachment. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect the suspicious link in the message, and weigh the poor reputation of the domain behind that link to correctly flag the email as an attack.


Malicious email sent from a legitimate-looking sender impersonating Booking[.]com


Phishing site disguised as vendor login page for Booking[.]com

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address: The email comes from a Gmail address. Because it is sent through Google's own infrastructure, it passes SPF, DKIM, and DMARC checks for gmail.com, so authentication-based filters and basic sender-reputation checks do not flag it.
  • Social Engineering Tactic: The email claims that a customer complaint needs immediate attention, creating urgency that pushes the recipient to act before scrutinizing the sender or the link.
  • Absence of Malicious Attachments: By omitting attachments, the email avoids detection by antivirus and anti-malware engines focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email comes from a sender who has never communicated with the recipient. Abnormal's platform maintains a communication history and flags deviations from established sender-recipient interaction patterns.
  • Suspicious Link Analysis: The message links to the unrelated domain "hotel48524[.]eu" rather than a Booking[.]com domain, which triggers deeper analysis for possible malicious intent.
  • Reputation Analysis: The poor reputation of the linked domain, combined with the context of the email (a Booking[.]com notice sent from a free webmail account), raises red flags during reputation checks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
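The three checks above (sender unknown to the recipient, a link pointing outside the impersonated brand's domains, and a brand name on a free-webmail sender) can be reduced to a small, deterministic triage pass. The following is an added illustration written for this page, not Abnormal Security's code: the two sample messages, the communication history, and the brand domain allow-list are all constructed, and the sender address, subject line, and URL path on the lure are assumptions. The link domain is the one named above in plain form so the parser can handle it; nothing is contacted.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed lure modelled on the message described in this write-up.
PHISH_EMAIL = """\
From: "Booking.com Partner Support" <partner.support.booking@gmail.com>
To: manager@example-hotel.com
Subject: Guest complaint about a recent stay - action required
Content-Type: text/plain; charset=utf-8

Dear Partner,

We received a complaint from a guest regarding their recent stay at your
property. Please review the complaint documents here:

https://hotel48524.eu/partner/login

Booking.com Partner Services
"""

# Constructed benign notification for comparison.
LEGIT_EMAIL = """\
From: "Booking.com" <noreply@partner.booking.com>
To: manager@example-hotel.com
Subject: New reservation received
Content-Type: text/plain; charset=utf-8

A new reservation was made. Manage it at
https://admin.booking.com/hotel/reservations
"""

# Domains a genuine message from the brand may be sent from or link to (assumed list).
BRAND_DOMAINS = {"booking.com": {"booking.com", "partner.booking.com", "admin.booking.com"}}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
URGENCY_PHRASES = ("action required", "immediately", "urgent", "within 24 hours")
# Constructed communication history: recipient -> senders they have mailed with before.
KNOWN_SENDERS = {
    "manager@example-hotel.com": {"reservations@example-hotel.com",
                                  "noreply@partner.booking.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two DNS labels; adequate for .com/.eu samples (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw: str, known_senders=KNOWN_SENDERS) -> dict:
    """Return the indicators found in one RFC 5322 message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    recipient = msg["To"].addresses[0].addr_spec
    sender_domain = sender.addr_spec.rsplit("@", 1)[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = " ".join([sender.display_name, msg["Subject"] or "", body]).lower()

    indicators = []
    if sender_domain in FREE_WEBMAIL:
        indicators.append("free_webmail_sender")
    if sender.addr_spec.lower() not in known_senders.get(recipient, set()):
        indicators.append("unknown_sender")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency_language")

    # Brand impersonation: a brand is named, but the sender is not one of its domains.
    claimed = [b for b in BRAND_DOMAINS if b.split(".")[0] in text]
    brand_hosts = {d for b in claimed for d in BRAND_DOMAINS[b]}
    if claimed and sender_domain not in brand_hosts:
        indicators.append("brand_impersonation")

    # Link analysis: every URL in the body should land on a brand domain.
    allowed = {registrable_domain(d) for d in brand_hosts}
    link_domains = [registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)]
    if claimed and any(d not in allowed for d in link_domains):
        indicators.append("link_domain_mismatch")

    if {"brand_impersonation", "link_domain_mismatch"} <= set(indicators) or len(indicators) >= 3:
        verdict = "block"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"sender": sender.addr_spec, "indicators": indicators,
            "link_domains": link_domains, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze(sample))
```

The lure trips all five indicators (free-webmail sender, unknown sender, urgency language, brand impersonation, link domain mismatch) and is blocked, while the benign notification from partner.booking.com linking to admin.booking.com trips none. A real deployment would replace the two-label domain heuristic with a public-suffix list and the static allow-list with the brand's published sending domains and DMARC alignment data.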

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Free Webmail Account; Masked Phishing Link; Branded Phishing Page
Theme: Fake Document
Impersonated Party: Brand
Impersonated Brands: Booking.com
