In this credential phishing attack, the threat actor compromises the email account of a faculty member at a Polish university and uses it to email the Associate Vice President of a university in Ohio. The message announces an Employee Benefits Program “designed to provide financial assistance” to employees who meet the designated criteria and invites the recipient to follow the provided link to apply for the $500 payment. If the target clicks the link, they are redirected to a phishing page built to harvest credentials and other sensitive information, and anything entered there can then be used by the threat actor to launch additional attacks.

Legacy email security tools struggle to identify this email as an attack because it is sent from a legitimate account that has been compromised, relies on social engineering rather than malware, and contains no malicious attachments. Modern, AI-powered email security solutions analyze the content and the links, recognize that the sender has never contacted the recipient before, and correctly mark this email as an attack.

Image: AI Compromised Faculty Account University VIP Email
Image: AI Compromised Faculty Account University VIP Portal

The link in the email directs the target to a phishing page designed to look like an official login portal.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Legitimate Account: The attacker sent the message from a compromised account at a legitimate educational institution. The sending domain has a clean reputation, so legacy tools that rely primarily on blocklists or reputation-based filtering see nothing to flag.
  • Sophisticated Social Engineering: The email content is carefully crafted around a believable employee benefit program, so it is unlikely to trip the simple keyword-based spam filters that legacy tools rely on.
  • Lack of Malicious Attachments: With no attachment to scan, traditional antivirus and malware scanning tools, which focus on analyzing attachments for malicious payloads, have nothing to detect; the payload is the link.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal's advanced content analysis capabilities can understand the intent behind an email, detecting social engineering tactics and subtle cues that indicate a phishing attempt, beyond mere keyword matching.
  • Link Analysis: Abnormal performs deep contextual analysis of links in emails, assessing not just the domain's reputation but also the context in which it is used.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.

By modeling established normal behavior and detecting these anomalous indicators, a modern email security solution can stop this attack before it reaches inboxes.
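To make the difference between the two approaches concrete, the following added example (illustration written for this page, not Abnormal Security's detection logic, which is proprietary) runs a toy version of the three checks above over a constructed sample message: a first-contact check against a correspondence baseline, a masked-link check comparing each link's visible text with its real destination, and a content-cue check for the benefits lure. It also shows why a pure reputation lookup on the sender domain returns "clean". All addresses, domains and the correspondence history are invented for the example.

```python
"""Toy first-contact / masked-link / lure detector run over a constructed sample email.

Added illustration for this page; not Abnormal Security's detection logic.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: sent from a (hypothetically compromised) faculty account
# to a recipient who has never received mail from it. Domains are invented.
SAMPLE_EMAIL = b"""\
From: Faculty Member <faculty@example-university.pl>
To: Associate Vice President <avp@example-university.edu>
Subject: Employee Benefits Program - financial assistance
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The Employee Benefits Program is designed to provide financial assistance
to employees that meet the designated criteria. Apply here to receive the $500:</p>
<p><a href="https://login-portal.example-phish.net/apply">https://hr.example-university.edu/benefits</a></p>
</body></html>
"""

# Constructed correspondence baseline: for each recipient, the senders that have
# previously emailed them ("established normal behavior").
KNOWN_SENDERS = {
    "avp@example-university.edu": {"dean@example-university.edu", "hr@example-university.edu"},
}

# Simple lure vocabulary; a real system would use a model rather than a keyword list.
CONTENT_CUES = ("benefit", "financial assistance", "apply", "$")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude last-two-labels approximation; a real check would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_masked_link(href, text):
    """True when the visible anchor text looks like a URL but the href goes somewhere else."""
    target = urlparse(href).hostname
    shown = urlparse(text if "://" in text else "https://" + text).hostname
    if not target or not shown or "." not in shown:
        return False  # plain words like "Apply here" are not a masked URL
    return registrable_domain(target) != registrable_domain(shown)


def legacy_reputation_verdict(sender_domain, blocklist):
    """What a blocklist-only filter sees: a compromised legitimate domain is 'clean'."""
    return "blocked" if registrable_domain(sender_domain) in blocklist else "clean"


def analyze(raw_message, known_senders):
    """Return the behavioural indicators found in the message and an overall verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender = msg["from"].addresses[0].addr_spec.lower()
    recipient = msg["to"].addresses[0].addr_spec.lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    indicators = []
    if sender not in known_senders.get(recipient, set()):
        indicators.append("first_contact_sender")
    masked = [href for href, text in extract_links(body) if is_masked_link(href, text)]
    if masked:
        indicators.append("masked_link")
    text = ((msg["subject"] or "") + " " + body).lower()
    if sum(cue in text for cue in CONTENT_CUES) >= 3:
        indicators.append("benefit_lure")

    verdict = "attack" if len(indicators) >= 2 else ("suspicious" if indicators else "clean")
    return {"sender": sender, "recipient": recipient, "indicators": indicators,
            "masked_links": masked, "verdict": verdict}


if __name__ == "__main__":
    print(legacy_reputation_verdict("example-university.pl", {"example-phish.net"}))
    print(analyze(SAMPLE_EMAIL, KNOWN_SENDERS))
```

The reputation check returns "clean" because only the phishing host is on the blocklist and the mail never came from it; the behavioural checks flag the message on three independent signals, and removing any one of them (for example, if the faculty account had previously mailed the recipient) still leaves enough to classify it as an attack.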

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account; Masked Phishing Link
Theme: Employee Benefits
Impersonated Party: External Party - Other
AI Generated: Likely
