In this phishing attack, the threat actor impersonates the password manager service Dashlane by using a lookalike domain "dashlaneinc[.]com" to deceive recipients. The email claims that some of the recipient’s contact information is out of date and needs to be verified to maintain full access to their Dashlane account. The message emphasizes the principles of security and confidentiality, urging the recipient to log in and confirm their information before a specified date to avoid having certain account features disabled. The email includes a link to "ct.automizy[.]com" under the prompt "Confirm my information," which leads to a phishing website designed to steal sensitive information. To increase the appearance of legitimacy, the attacker uses professional language and Dashlane branding. By leveraging the urgency of account verification and the trusted brand of Dashlane, the attacker manipulates the recipient into disclosing sensitive personal data under the guise of maintaining their account security. This sophisticated social engineering tactic aims to exploit the recipient's trust and prompt immediate action without verifying the email's authenticity.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a lookalike domain, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize the sender is unknown to the recipient, detect suspicious links in the message, and conduct advanced content analysis to correctly flag this email as an attack.

Phishing attempt impersonating Dashlane sent using lookalike domain

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lookalike Domain: The email is sent from a lookalike domain "dashlaneinc[.]com" that closely resembles the legitimate Dashlane domain, making it difficult for basic domain filters to detect the deception.
  • Social Engineering Tactic: The email claims that some account information is out of date and must be verified immediately in an attempt to prompt the recipient to act quickly without verifying the authenticity of the email.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

  • Unknown Sender: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Suspicious Link Analysis: The presence of a link "ct.automizy[.]com" directing the recipient to confirm their information raises suspicion, prompting Abnormal’s systems to scrutinize and flag the email for potential malicious activities.
  • Content Analysis: Abnormal’s content analysis algorithms flag the urgent message about verifying account information and the prompt to confirm details by a specific date as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
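
The lookalike-domain check and the three signals listed above (unknown sender, link analysis, content analysis), sketched in Python as an added example; this is not Abnormal's detection logic. The brand map, the last-two-labels domain heuristic, the 0.8 similarity threshold, the urgency phrases and the sample message are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: defender-maintained map of protected brand -> legitimate domain.
BRANDS = {"dashlane": "dashlane.com"}
URGENCY = re.compile(r"out of date|verify|confirm my information", re.I)

def registrable(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):  # imitated brand, or None if legitimate or unrelated
    label = domain.split(".")[0]
    for brand, legit in BRANDS.items():
        if domain == legit:
            return None
        if brand in label or SequenceMatcher(None, brand, label).ratio() >= 0.8:
            return brand
    return None

def analyze(raw, known_senders):
    msg = message_from_string(raw.replace("[.]", "."))  # refang the sample
    sender = parseaddr(msg["From"])[1].lower()
    sender_dom = registrable(sender.rsplit("@", 1)[-1])
    body = msg.get_payload()
    hosts = re.findall(r'href="https?://([^/"]+)', body, re.I)
    signals = []
    if sender not in known_senders:  # no prior sender-recipient history
        signals.append("unknown_sender")
    if brand := lookalike_of(sender_dom):  # brand name inside a foreign domain
        signals.append("lookalike_domain:" + brand)
    allowed = {sender_dom, *BRANDS.values()}
    if {registrable(h) for h in hosts} - allowed:  # link leaves sender/brand domains
        signals.append("link_domain_mismatch")
    if URGENCY.search(body):  # account-verification pressure
        signals.append("urgency_language")
    return signals

# Constructed sample modelled on the email above (local part, subject, path invented).
SAMPLE = '''From: Dashlane <support@dashlaneinc[.]com>
Subject: Please verify your contact information

<p>Some of your contact information is out of date.</p>
<a href="https://ct.automizy[.]com/placeholder">Confirm my information</a>
'''

print(analyze(SAMPLE, known_senders={"colleague@example.com"}))
```

Legitimate bulk mail often links through third-party tracking domains, so the link-mismatch signal is best weighted together with the others instead of being used alone.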

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Maliciously Registered Domain, Look-alike Domain, Masked Phishing Link
  • Theme: Account Verification
  • Impersonated Party: Brand
  • Impersonated Brands: Dashlane
