Threat Actor Uses Spoofed Email Address and Malicious QR Code to Attempt Credential Theft
In this credential phishing attack, the threat actor uses a spoofed email address to impersonate an internal HR department and send the target a fraudulent shared document notification. The email claims to be in regard to 2024 employee benefit plans and requests that the recipient scan the QR code embedded in the attached PDF to review and sign the shared document. To increase the appearance of legitimacy, the attacker includes the name of the target’s employer in the sender display name as well as the name of the fraudulent file. Additionally, to improve the likelihood of bypassing legacy security filters, the email body contains only a stolen disclaimer from a private banking company. The content intended to compel the target to engage is contained within the PDF attachment. Should the target scan the QR code in the PDF, they will be redirected to a page designed to steal sensitive information.
Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a spoofed domain, utilizes a QR code to bypass traditional scanning mechanisms, and contains an attachment that appears legitimate. Modern, AI-powered email security solutions recognize the address is unknown to the recipient, detect suspicious attachments in the message, and identify the spoofed sender address to correctly flag this email as an attack.
Malicious email impersonating internal HR department
PDF attachment disguised as file-sharing notification with malicious QR code
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker uses a spoofed email address "seminars@wealthusa[.]com", adding a layer of perceived authenticity and bypassing basic email verification checks.
- QR Code Tactic: The inclusion of a QR code instead of a direct link can bypass traditional link-scanning mechanisms used by legacy security tools.
- Legitimate-Looking Attachment: Because the attachment is a PDF, a common and trusted file format in corporate environments, it helps it evade detection by email filters focused on malicious links or executable files.
How Did Abnormal Detect This Attack?
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Attachment and QR Code: The presence of a PDF attachment containing a QR code prompts Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this is not a common method used by legitimate internal communications.
- Spoof Detection: The email is identified as being from a spoofed address, which combined with the other factors, indicates high suspicion and triggers deeper scrutiny by Abnormal's systems.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.