In this phishing attack, cybercriminals use a spoofed email address to impersonate the recipient’s internal HR department and send a fraudulent timesheet update notification. The email claims that new information has been added to the recipient's timesheet and prompts them to click on a link to view the details. However, the link directs the recipient to a malicious website designed to harvest sensitive information. To increase the appearance of credibility, the attacker mimics the language and structure typical of internal HR communications and creates a sense of urgency around an "important" timesheet update. This tactic makes the email appear legitimate with the goal of encouraging recipients to act quickly without verifying its authenticity.


Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address,  includes embedded links to legitimate domains, and relies on a malicious link instead of a malicious attachment. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect links to suspicious domains, and recognize that the sender domain does not match any domains in the message to correctly identify the email as an attack.

Status Bar Dots
SCR 20241105 lfii

Phishing attempt disguised as a request to review timesheet update

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to its legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Personalized Email Subject
Spoofed Email Address
Masked Phishing Link

Theme

Human Resources Announcement

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo