In this phishing attack, an email claiming to be a notification of an amendment to a real estate document was sent to an attorney at a multinational law firm via the real estate transaction management software dotloop. The email prompted the recipient to click on a link to view this document.

Status Bar Dots
UA Real Estate Software Document Notification Email

However, the reply-to email address was not the expected reply-to email address for messages sent through the dotloop portal, and the email content was missing information that would normally be included in an email sent via the portal.

Additionally, had the recipient clicked on the View Document button, they would’ve been redirected to a URL that began with links.engage.ticketmaster[.]com and included a tinyurl[.]com alias—two indicators that the actual destination was a malicious website.

How Does This Attack Bypass Email Defenses?

The email was sent from an address that was masked to look like a legitimate sender. In the email, the sender requested the recipient to open a link to view a document, but clicking on the link would have brought the recipient to a phishing page designed to steal her login credentials.

How Can This Attack Be Detected?

Using text understanding techniques, email security solutions can analyze the content of the email for suspicious phrases or links. Additionally, anomaly detection can identify if the sender is using a fake address, and if the recipient has no prior history of receiving messages from this sender.

What are the Risks of This Attack?

If the recipient had clicked on the link in the email and entered her login credentials, she would have put herself at risk of having her sensitive information stolen. She could have inadvertently allowed unauthorized access to her email account, risking the loss of confidential information, including client contact lists, financial information, or attorney-client information.

Analysis Overview

Vector

Text-based

Goal

Credential Theft

Tactic

Hidden Sender Address

Theme

Real Estate Transaction

See How Abnormal Stops Emerging Attacks

See a Demo