This credential phishing attack features an impersonation of Trust Wallet, a cryptocurrency wallet. The attacker begins by spoofing a legitimate domain, “unosolucoes[.]com[.]br”, and changing the sender name to “Trust Wallet.” These tactics increase the appearance of legitimacy and allow the threat actor to bypass simple security checks only triggered by known malicious domains. 

Then, using social engineering techniques, the attacker creates a sense of urgency by stating that the target’s wallet has not been verified and will, therefore, be suspended soon. The recipient must complete the verification process using the provided link to keep the wallet active. However, the link likely leads to a phishing page where sensitive information is at risk. 

Older, legacy security tools cannot correctly flag this email as an attack because of the spoofed email address, the lack of attachments, and the social engineering techniques used. Modern, AI-powered email security solutions detect the unknown sender, analyze the links and content, and accurately identify this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be sent from a legitimate email address, “renan.silva@unosolucoes[.]com[.]br,” which could bypass security checks that don’t flag an email if it originates from a legitimate source.
  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for malicious content. This could allow the email to bypass security checks that focus on attachments.
  • Urgent Action Required: The email uses social engineering techniques, such as creating a sense of urgency, to trick the recipient into clicking the link. This common tactic is used in phishing attacks, and legacy security tools may not detect it.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Email: The email address used to send this message is an unknown email, which this company has never corresponded with in the past. This is a strong signal for Abnormal to mark the email as suspicious.
  • Link Analysis: Abnormal analyzes the links in the email body and flags the email as a potential threat if these links lead to malicious or unrecognized sites.
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other malicious intent. In this case, the urgent request for action and the threat of account suspension are common tactics used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
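The three indicators above, as an added example that is not Abnormal's own code: a small Python heuristic that parses a constructed message and reports which signals fire (unknown sender domain, brand display name on an unrelated domain, urgency wording, a link whose visible text does not match its href). The allow-list of prior correspondents, the brand-to-domain map, the urgency phrases and the placeholder sender domain in the sample are all assumptions.

```python
"""Score an email against the indicators listed in the write-up. Added example;
the allow-list, brand map, phrases and sample are constructed, not Abnormal's logic."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_SENDER_DOMAINS = {"example.com"}                 # constructed: prior correspondents
BRAND_DOMAINS = {"trust wallet": {"trustwallet.com"}}  # constructed: brand -> legitimate domains
URGENCY_PHRASES = ("not been verified", "will be suspended", "verify your wallet")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Hostname of a URL or bare domain found in text, lowercased, or None."""
    m = re.search(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', text, re.I)
    return m.group(1).lower() if m else None

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; a higher score is more suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        reasons.append("unknown-sender")               # never corresponded with this domain
    brand = display.strip().lower()
    if brand in BRAND_DOMAINS and sender_domain not in BRAND_DOMAINS[brand]:
        reasons.append("display-name-brand-mismatch")  # "Trust Wallet" sent from unrelated domain
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if any(p in body.lower() for p in URGENCY_PHRASES):
        reasons.append("urgency-language")
    for href, shown in ANCHOR.findall(body):
        href_host = urlparse(href).hostname
        shown_host = host_of(re.sub(r"<[^>]+>", "", shown))
        if shown_host and href_host and shown_host != href_host:
            reasons.append("masked-link")              # visible text points elsewhere than href
        elif href_host and href_host not in BRAND_DOMAINS.get(brand, set()):
            reasons.append("unrecognised-link-host")
    return len(reasons), reasons

# Constructed sample modelled on the email described above; sender domain and link are placeholders.
SAMPLE = """From: Trust Wallet <renan.silva@spoofed-sender.example>
To: user@example.com
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your wallet has not been verified and will be suspended.</p>
<a href="https://verify-placeholder.invalid/login">https://trustwallet.com/verify</a>
"""
```

Calling `score_message(SAMPLE)` returns a score of 4 with all four reasons; a plain message from a known correspondent scores 0.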

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address; Spoofed Display Name; Masked Phishing Link
Theme: Account Verification; Cryptocurrency
Impersonated Party: Brand
Impersonated Brands: Trust Wallet
