Threat Actor Poses as Newrez and Uses Spoofed Email to Send Fake Loan Payoff Request in Phishing Attack
In this phishing attack, cybercriminals impersonate Newrez, a mortgage lender and servicer, by sending an email from a spoofed email address. The email claims that a secure message regarding a loan payoff has been sent to the recipient and urges them to create an account via the provided link in order to access it. However, should the target click the button labeled “Access Message”, they are redirected to a page that appears to be a Microsoft login portal but is actually a malicious site designed to steal sensitive information. To further enhance the appearance of legitimacy, the attacker includes a Cloudflare Turnstile (a CAPTCHA alternative) as part of the attack. The email mimics legitimate Newrez communications, employing professional language and formatting to enhance its authenticity. This phishing attempt leverages the trust recipients place in secure document-sharing processes, which are commonly used in financial transactions. The realistic appearance of the email, coupled with the importance of mortgage-related communications, increases the likelihood that recipients will be manipulated into divulging private information.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email address, does not include any malicious attachments, and is sent from a sender unknown to the recipient. Modern, AI-powered email security solutions detect links to suspicious domains, flag that the sender domain does not match any domains in the message, and detect common language utilized in identity theft to correctly identify the email as an attack.
Phishing attack uses Newrez branding to trick recipient into revealing sensitive information
Cloudflare Turnstile verification test incorporated into attack to increase appearance of legitimacy
Malicious portal mimics a Microsoft login portal to steal sensitive information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
- Personal Information Theft: The email contains language attempting to steal personal information, a common tactic used by attackers to deceive recipients into providing sensitive data.
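The two detection signals above that can be reproduced outside a vendor product are the sender-domain versus link-domain mismatch and the presence of credential-harvesting language. The script below is an added illustration, not Abnormal's code or a description of its proprietary logic: it parses a constructed sample email (the sender address, link hosts and phrase list are placeholders invented for this example), extracts the From domain and every link host in the HTML body, flags hosts that do not belong to the sender's domain, and scans the body for the kind of wording the page describes.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; the sender address and the
# link hosts are placeholders, not real Newrez or attacker infrastructure.
SAMPLE_EML = """\
From: Newrez Secure Messaging <noreply@newrez-lender.example>
To: borrower@customer.example
Subject: Secure Message: Loan Payoff Request
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A secure message regarding your loan payoff is waiting for you.</p>
<p>Please create an account using the link below to view it.</p>
<p><a href="https://docs-share.phish-host.example/verify">Access Message</a></p>
<p><a href="https://newrez-lender.example/help">Help</a></p>
</body></html>
"""

# Constructed, illustrative list of phrases that pressure a recipient into
# handing over credentials or personal data (a real product would use a model).
THEFT_PHRASES = (
    "create an account",
    "secure message",
    "access message",
    "verify your identity",
    "confirm your password",
)


class LinkExtractor(HTMLParser):
    """Collects href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sender_domain(msg):
    """Domain portion of the From header address, lowercased."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def link_domains(html):
    """Set of lowercased hostnames referenced by links in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def same_org(host, domain):
    """True if host is the sender domain or a subdomain of it.

    Simplified check: a production system would consult the public suffix
    list so that 'example.co.uk' style domains are handled correctly.
    """
    return host == domain or host.endswith("." + domain)


def theft_phrases(text):
    """Phrases from THEFT_PHRASES that appear in the text (case-insensitive)."""
    lowered = text.lower()
    return [p for p in THEFT_PHRASES if p in lowered]


def assess(raw_eml):
    """Score one message on the two indicators and return the evidence."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    sdom = sender_domain(msg)
    hosts = link_domains(body)
    foreign = sorted(h for h in hosts if not same_org(h, sdom))
    visible_text = re.sub(r"<[^>]+>", " ", body)  # crude tag stripping
    phrases = theft_phrases(visible_text)
    score = (1 if foreign else 0) + (1 if phrases else 0)
    verdict = "suspicious" if score == 2 else ("review" if score == 1 else "clean")
    return {
        "sender_domain": sdom,
        "link_domains": sorted(hosts),
        "foreign_link_domains": foreign,
        "theft_phrases": phrases,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

On the sample, the sender domain is `newrez-lender.example` while the "Access Message" button points at `docs-share.phish-host.example`, so the mismatch fires; the body also contains "create an account", "secure message" and "access message", so both indicators combine into a "suspicious" verdict. A message whose links all stay on the sender's domain drops to "review" on wording alone, which is the sort of layered scoring that lets a filter avoid blocking every legitimate secure-message notification.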
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.