Phishing Attack Uses Compromised Account to Send Text-Free Email with Link to PDF Hosted on SharePoint
Threat actor sends fraudulent notification of online fax containing purchase order for review to compel target to view PDF containing phishing link.
Attack Target Summary
- Type: Credential Phishing
- Industry: Facilities Management
- Recipient: Service Delivery Manager
- Attack Vector: Link-based
Attack Overview
Step 1: Email (Fake Purchase Order from Vendor Sent via Online Fax Service)
- Sent from a legitimate compromised account
- Body of email is embedded image, not text
- Image contains link to SharePoint site
Step 2: Initial Link Destination
- PDF hosted on legitimate SharePoint site
- File contains link purportedly to view shared document
- “Open Document” button linked to spoofed Microsoft portal
Step 3: Final Destination
- Phishing page designed to mimic Microsoft login screen
- Any information entered will be stolen by attacker
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Compromised Email: Attacker uses a legitimate, compromised account.
- No Malicious Attachments: Images contain links leading to seemingly harmless PDF.
- Legitimate Links: PDF was hosted on a legitimate SharePoint site.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unknown Sender: Recipient has had no previous correspondence with sender.
- Suspicious Link Analysis: Abnormal detects suspicious links in the email body.
- Unusual Sender Domain: Sender domain doesn’t match any domains found in body links.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.
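Two of the traits described above, the text-free image body with an embedded link and the sender domain that matches none of the body links, can be checked mechanically. The following Python is an added example, not Abnormal's detection logic or code from the original page. The sample message and its .example names are constructed, and the function and key names are assumptions.

```python
from contextlib import suppress
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the email described above (placeholder names).
SAMPLE = """\
From: Vendor Accounts <ap@vendor.example>
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://files.sharepoint.example/po.pdf"><img src="cid:fax"></a></body></html>
"""

class BodyScan(HTMLParser):
    """Collects visible text, link hosts, and images placed inside links."""
    def __init__(self):
        super().__init__()
        self.text, self.hosts, self.linked_images, self._in_link = [], set(), 0, False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._in_link = True
            with suppress(ValueError):  # malformed host in untrusted HTML
                self.hosts.update(filter(None, [urlparse(href).hostname]))
        elif tag == "img" and self._in_link:
            self.linked_images += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def indicators(raw):
    """Indicators for one raw message; host matching is a naive suffix test."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("html",))
    scan = BodyScan()
    scan.feed(part.get_content() if part else "")
    related = [h for h in scan.hosts if h == domain or h.endswith("." + domain)]
    return {"text_free_body": not scan.text,
            "image_wrapped_link": scan.linked_images > 0,
            "sender_domain_mismatch": bool(scan.hosts) and not related}
```

Text inside style or script elements counts as visible text here, and the suffix test does not compare registrable domains, so a production version would handle both. The unknown-sender indicator is left out because it depends on mail history rather than on a single message.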