In this attack, the email contained a brief statement, asking the recipient to refer to a shared document that contained information about taxes, based on context in the email subject. Links to the “document” were masked to look like a PDF attachment that could be viewed as HTML or scanned. Each of the links in the message were destined for the same URL. The email was sent from a freely-available Juno account and all of the email recipients were BCC’d to hide all of the targets of the attack.

Status Bar Dots
Tax Documents Phishing Email

Had the recipient clicked on one of the links in the email, they would have been directed to a phishing site that posed as an initial authentication landing page with branding from multiple file sharing services, including Dropbox and Docusign. The phishing page listed various webmail services, including Office365, AOL, Outlook, and Yahoo, and indicated that in order to view the document, the recipient would need to select their email provider and login with their email address.

Status Bar Dots
Tax Documents Phishing Page

How Does This Attack Bypass Email Defenses?

The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. The email was sent from a Juno account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

How Can This Attack Be Detected?

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.

What are the Risks of This Attack?

The theme of this email–the sharing of tax documents at the beginning of tax season–may result in a higher success rate since it will likely be of greater interest to targeted employees. If an employee entered their email credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview

Vector

Link-based

Goal

Credential Theft

Tactic

Fake Attachment
Free Webmail Account
BCC Recipient List

Theme

Fake Document
Tax Matter

Impersonated Brands

Office365
DocuSign
Dropbox

See How Abnormal Stops Emerging Attacks

See a Demo