Threat Actor Uses Compromised Email to Target Internal Employees in Credential Phishing Attempt
In this credential phishing attack, the threat actor compromises the email account of an employee at a Connecticut-based education organization and sends the target a notification regarding a shared document. Because the account is hosted on a legitimate domain that was registered more than 20 years ago, any messages sent using this address will likely bypass security tools that only scan emails for suspicious-looking domains or domains with no known reputation. Furthermore, since the attacker is targeting employees at the same organization as the individual being impersonated, it increases the likelihood of the recipient believing the email is genuine. The email states that a document titled “[School District Name] - Q2 PROT/FUNDING DOC 2024” is ready for review and provides a button labeled “View Shared Document.” If the target clicks on the link to view the document, they are redirected to a fake Microsoft login page designed to steal any login information the recipient provides. This page is hosted on Webflow, a legitimate website builder tool that anyone can use for free when staging work-in-progress websites.
Older, legacy email security tools struggle to properly identify this email as an attack because it is sent from an internal email address, employs social engineering, and lacks malicious attachments. Modern, AI-powered email security solutions detect the compromised account, analyze the links, and examine the recipient field anomalies to mark this email as an attack correctly.
The attacker creates a spoofed Microsoft login page hoping the target will enter their credentials.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Internal Communication: The email is an internal-to-internal communication, which legacy systems might inherently trust more than external emails, reducing the scrutiny applied to it.
- Social Engineering: The email employs social engineering by pretending to share a document for review, which is a common and legitimate activity in organizational settings. Legacy tools lack the functionality to analyze the context deeply enough to recognize the malicious intent.
- Lack of Malicious Attachments: Since the email does not contain any attachments, but rather a malicious link, it bypasses traditional security measures that scan for known malware signatures in attachments.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Compromised Account Detection: Abnormal has mechanisms to detect signs of account compromise, such as sudden changes in email behavior, which would indicate that the account is being used for phishing.
- Link Analysis: Abnormal analyzes links contained in emails, including the reputation of the linked domain, the page content, and any redirections. The malicious link to a fake Microsoft login page would have been scrutinized and identified as a threat.
- Recipient Field Anomalies: The email contains no email addresses in the "To" field. This is unusual and can signal a mass phishing attack, which Abnormal's AI can detect.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.