In this phishing attack, threat actors impersonate myGov, an Australian government services platform, and email the target an urgent notification. To increase the appearance of authenticity, the attacker incorporates myGov branding and spoofs the legitimate domain of a Spanish consulting firm to improve the likelihood of the message being successfully delivered. The message claims that the recipient has important details to complete and prompts immediate action to "Proceed Now" before a specified deadline. The embedded link purportedly directs the recipient to a myGov webpage to provide the requested information. However, should the target click on the link, they will actually be redirected to a phishing page designed to steal sensitive information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email address, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and conduct advanced content analysis to correctly flag this email as an attack.


Threat actor posing as myGov through a phishing email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
  • Social Engineering Tactic: The claim that the recipient has urgent details to complete creates a sense of urgency, prompting recipients to act without careful scrutiny.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interaction.
  • Suspicious Link Analysis: Abnormal's systems flag the link to a suspicious domain, which triggers deeper analysis for possible malicious intent.
  • Content Analysis: Abnormal flags the email’s urgent message about important details to complete as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
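The three signals above, applied to a constructed message modelled on this attack, as an added example that is not part of the original write-up and not Abnormal's own detection logic: the communication history, the my.gov.au allow-list and the urgency phrase list are all assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attack described above, not the real message.
RAW_EMAIL = """\
From: myGov <notifications@example-consulting.es>
Subject: Action required: complete your myGov details
Content-Type: text/html; charset=utf-8

<p>You have important details to complete before the deadline.</p>
<p><a href="https://login-update.example.net/mygov">Proceed Now</a></p>
"""
KNOWN_SENDERS = {"colleague@example.com", "billing@example-vendor.com"}  # constructed history
BRAND = "my.gov.au"  # assumed legitimate myGov domain for this example
URGENCY = re.compile(r"\b(proceed now|action required|immediately|before the deadline)\b", re.I)

class LinkCollector(HTMLParser):
    # Collect the href of every anchor in the HTML body.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def on_brand(host):
    return host == BRAND or host.endswith("." + BRAND)

def score_message(raw, known_senders=KNOWN_SENDERS):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    subject, body = str(msg["Subject"] or ""), msg.get_content()
    findings = [] if sender in known_senders else ["unknown sender"]  # no prior history
    claims_brand = "mygov" in (str(msg["From"]) + subject + body).lower()
    if claims_brand and not on_brand(sender.rsplit("@", 1)[-1]):
        findings.append("brand impersonation: myGov branding from a non-myGov sender domain")
    parser = LinkCollector()
    parser.feed(body)
    for href in parser.hrefs:  # masked link: myGov-branded message, link to a foreign host
        host = (urlparse(href).hostname or "").lower()
        if claims_brand and not on_brand(host):
            findings.append(f"masked link: myGov-branded message links to {host}")
    if URGENCY.search(subject) or URGENCY.search(body):  # pressure to act before a deadline
        findings.append("urgency language")
    return findings
```

A benign message from a known sender with no branding, links or urgency phrases yields an empty list, so the caller can treat any non-empty result as a reason to hold the message for review.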

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Maliciously Registered Domain, Spoofed Email Address, Masked Phishing Link
  • Theme: Account Update
  • Impersonated Party: Government Agency
  • Impersonated Brands: myGov
