Phishing Attack Impersonates Organ Transplant Organization Employee to Deliver Fake Voicemail
In this phishing attack, cybercriminals use a compromised email address to impersonate an employee at an organ transplantation organization. The fraudulent email claims that the recipient has received a voicemail from the employee and provides a link, "https://ringcentral-asts.webflow[.]io," that supposedly allows access to the voicemail. However, clicking the link directs the recipient to a phishing site designed to steal sensitive information. To create a sense of urgency and legitimacy, the email contains professional formatting, legitimate contact details, and familiar language regarding missed communications. By exploiting the routine context of a voicemail notification, the attacker manipulates the recipient into clicking the link without scrutinizing the email’s authenticity.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a legitimate compromised account, includes multiple links to known domains, and lacks obviously malicious attachments. Modern, AI-powered email security solutions analyze suspicious links, flag unusual content within the message, and recognize the email has been sent to a large number of people to correctly identify the email as an attack.
Phishing email claims to have missed voicemail from organ transplant employees
Threat actors use social engineering to trick recipients into clicking a malicious link
Malicious link leads targets to this portal to steal any sensitive information entered
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Compromised Email Address: The attacker uses a legitimate email address from a compromised account, bypassing basic email verification checks and adding perceived authenticity.
- Legitimate-Looking Links: The email includes multiple links to known domains (such as Facebook, Twitter/X, and Linkedin), which can pass through link verification checks.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Analysis: The email’s urgent message about a voicemail is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
- Suspicious Link Analysis: The presence of a link leading to a suspicious domain is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
- Large Recipient Group: The email was sent to a large group of people, as indicated by the empty "To" field, raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.