Phisher Impersonates RingCentral and Sends Fake Voicemail Notification to Steal Credentials
In this phishing attack, cybercriminals send a malicious email using a free Japanese hosting service, cleverly disguising it as a legitimate voicemail notification from RingCentral, a popular communication platform. The email is crafted to appear as an authentic voicemail alert, complete with RingCentral branding, a detailed sender ID, and timestamps, creating a sense of legitimacy. It instructs the recipient to listen to the voicemail by clicking on a provided link, which redirects them to a page designed to appear as a Gmail login portal. However, should the target enter their credentials, they will be stolen by the attacker. The threat actor relies on commonly used communication platforms and a sense of urgency to manipulate the recipient into providing sensitive credentials, potentially granting the attacker access to corporate systems.
Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a reputable email provider, employs the use of a legitimate link, and lacks malicious attachments. Modern, AI-powered email security solutions detect links to suspicious domains, recognize the sender domain does not match any domains in the message, and flag that the sender is unknown to the recipient to correctly identify the email as an attack.
Phishing attack impersonating a voicemail service to steal sensitive information
Malicious link leads to bogus Google login portal to steal credential information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Reputable Email Provider: The attacker uses a free Japanese hosting email service, which is less likely to be blacklisted and can bypass basic email filters.
- Legitimate Links: The email includes links associated with recognizable domains such as "ringcentral[.]com," which can pass link verification checks.
- Absence of Malicious Attachments: By not including suspicious attachments and instead using links, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising further suspicion.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.