Seized Funds Phishing Attempt via JP Morgan Chase & Co Impersonation
Using a spoofed email address, this attack features an impersonation of JP Morgan & Chase Co, informing the recipient of seized funds related to the International Monetary Fund. The goal of the attack is to steal account credentials by having the recipient reply with their account number and other verifying information. The attacker references multiple major banking and global financial institutions in an attempt to convey authority and uses conversational language, without the use of links or attachments, to bypass legacy SEGs.
Older security tools lack the ability to flag this attack because of limited analysis capabilities of email content, outdated signatures and heuristics, and inefficient handling of unknown senders and domains. Advanced, AI-powered email solutions identify anomalies in the email and correctly label it as an attack due to its unknown Fully Qualified Domain Name, an unknown sender, and discrepancies between the sender’s display name/domain name with the signature of the email.
Why Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Limited analysis of email content: Legacy defenses may not efficiently analyze email content for potential red flags, such as deceptive language or obfuscation techniques, allowing phishing emails to pass through.
- Outdated signatures and heuristics: As phishing techniques evolve over time, legacy defenses might not receive regular updates or might rely on old heuristics, leading to a failure in detecting new threats. Attackers constantly evolve their techniques to bypass security measures, and employ tactics that exploit vulnerabilities that are not accounted for in older security systems.
- Inefficient handling of unknown senders and domains: Legacy email defenses may not properly evaluate unknown sender domains, allowing phishing emails from unfamiliar sources to go undetected.
How Can This Attack Be Detected?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown FQDN: The attacker’s FQDN was unknown, and the company had never sent messages to that domain before, suggesting possible impersonation.
- Unknown Sender: The email sender was unknown, which is an additional indication that the message might have malicious intent.
- Sender Discrepancies: There are inconsistencies in the sender's email address and domain compared to the claimed company.
By understanding established normal behavior and detecting these abnormal indicators, a modern email security solution prevents this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.