In this attack, the initial email posed as an internal announcement from the company’s human resources department highlighting a recent update to the corporate employee handbook and guidelines. The message stated that all employees needed to acknowledge they have reviewed the new guidelines by the end of the week. The email used peer comparison to drive the recipient into action, stating, “As of this morning, approximately 75% of our employees have acknowledged and we are looking to get all records updated.” 

A link to the “handbook” was included in the email. Because the link was masked behind text, the destination URL was only visible by hovering over the link. The email was sent from an external Gmail account and the sender’s name was displayed as “Human Resources” rather than an employee’s name, which made the message look like an official, automated HR email.

Status Bar Dots
Handbook Credential Phishing Email

Had the recipient opened the attached file, they would have been directed to a phishing page that indicated they needed to enter their name and email credentials in order to verify their identity and download the updated employee handbook. The phishing page was hosted on a domain likely registered by the attacker, which mimicked the domain of a healthcare company unrelated to the targeted organization.

Status Bar Dots
Handbook Credential Phishing Page

How Does This Attack Bypass Email Defenses?

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. This email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.  

How Can This Attack Be Detected?

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. The sender’s display name resembled a human resources account; however, the email address had never been used to communicate with employees at the company.

What are the Risks of This Attack?

The theme of this email–a human resources announcement–may result in a higher success rate since it will likely be of greater interest to targeted employees. The email also included a direct request for the recipient to review and sign the attached document. Direct requests, rather than passive comments, are generally more effective to get a target to perform a desired action. Because the phishing link was disguised to look like a legitimate internal site, an employee that received the email may click on the link without recognizing it is malicious. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Free Webmail Account
Masked Phishing Link

Theme

Fake Document
Human Resources Announcement

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo