Threat Actor Uses Prezi to Distribute Malware Disguised as Shared Tax Documents
In this malware attack, the attacker impersonates an employee at a Japanese construction company and emails a client services team member at an insurance agency from a spoofed address. The email, with the subject line "Re: Uploaded 2023 Tax Documents," claims that the sender has uploaded important tax documents to a secure link and asks the recipient to review them; a follow-up question about pricing is included to make the message read like part of an ongoing business conversation. The link points to a Prezi presentation that shows a preview of a tax document purportedly shared through SharePoint, along with instructions to click a button labeled "Access Documents" to view the files. Clicking the button leads to a malicious URL, "https://helenlink.web[.]app/Helen-Tax-Document.zip," that serves an archive designed to install malware on the recipient's device. By wrapping the lure in the familiar context of tax document review and well-known document-sharing platforms such as SharePoint and Prezi, the attacker creates a sense of legitimacy. The goal is to get the recipient to click through without scrutinizing the email's authenticity, ultimately compromising their device.
Legacy email security tools struggle to identify this email as an attack because it comes from a spoofed address, links only to a legitimate domain, and carries no attachment. Modern, AI-based email security solutions recognize that the sender has never communicated with the recipient, detect the suspicious link in the message, and flag the mismatch between the sender's domain and the Reply-To address, correctly identifying the email as an attack.
Malicious email disguised as notification regarding shared tax documents
Embedded email link leads to a Prezi presentation whose "Access Documents" button points to the malware download
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate email address, lending the message perceived authenticity. Basic header checks offer little protection when the impersonated domain does not publish an enforcing DMARC policy, since nothing then rejects a message whose visible From header does not align with the authenticated sending domain.
- Legitimate Links: The only URL in the email points to the well-known domain "prezi[.]com", which passes reputation-based link checks. The malicious download sits one hop further on, behind the button in the presentation, where a scanner that follows only the email's own link never sees it.
- Absence of Malicious Attachments: By using links rather than attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: The presence of links that lead to unusual domains is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
- Reply-to Address Mismatch: The email includes a reply-to address that differs from the sender's address, further raising suspicion and prompting Abnormal's systems to analyze the email more deeply.
By learning normal communication behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.