This credential phishing attack features an impersonation of a managing director at an India-based manufacturing company. The threat actor first spoofs the legitimate domain for the company, “successmachinetool[.]com,” and then sends a message containing official-sounding language regarding pending wire transfers and a request to confirm the financial details included in the linked document. However, the referenced document is a cleverly designed fake Microsoft Excel spreadsheet that prompts the target to enter a password to view it. Should the recipient enter any sensitive information, it will be stolen by the attacker.

Older, legacy email security tools have difficulty properly identifying this email as an attack because it spoofs a legitimate sending domain, contains no attachments, and uses an embedded link to an external site. Modern, AI-powered email security solutions flag the unknown sender, analyze the links, and detect the mismatched “Return-Path” domain to correctly mark this email as an attack.

Screenshot 1
Screenshot 2

The embedded link in the email leads to an authentic-looking Microsoft Excel spreadsheet.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Spoofing: The email appears to be from a legitimate source, "selvam@successmachinetool[.]com," which could bypass legacy security tools that rely primarily on blocklists of known malicious senders.
  • Lack of Attachments: The email does not contain any attachments, which are often the focus of legacy security tools because they can carry malicious payloads. The absence of attachments might make the email seem less suspicious to these systems.
  • Embedded Links: The email contains links to external sites. While some legacy systems might check these links against a blocklist, they might not be able to detect malicious sites that are newly created or not yet known to be malicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: The email is from an unknown sender to whom the target has never sent emails in the past. Abnormal flags this as suspicious, as it's unusual for a company to receive emails from completely unknown senders.
  • Suspicious Links: The email contains links that lead to external sites. Abnormal analyzes these links and determines whether they lead to malicious sites, even if they are not on known blocklists.
  • Mismatched 'Return-Path' Domain: The 'Return-Path' domain of the email does not match the sender's domain. This discrepancy can signify email spoofing, a common tactic used in phishing attacks.
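As an added example (not Abnormal's code or detection logic), the following Python check evaluates the indicators listed above over a constructed message: it compares the From and Return-Path domains, looks for links to hosts the sender does not control, checks for attachments, and compares the sender against a set of known correspondents. The sender domain is the one the page names; the Return-Path host, recipient and link host are placeholder .invalid names.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the indicators described above: From spoofs the
# company domain named on the page, Return-Path points elsewhere, the body carries
# one external link and there is no attachment. The Return-Path host, recipient
# and link host are placeholders (.invalid), not real infrastructure.
SAMPLE_EMAIL = """Return-Path: <bounce@relay-host.invalid>
From: Selvam <selvam@successmachinetool.com>
To: accounts@target-company.invalid
Subject: Pending wire transfers - please confirm payment details
Content-Type: text/html; charset="utf-8"

<p>Kindly review the payment details in the linked sheet before the transfer clears.</p>
<p><a href="https://docs-viewer.example.invalid/open/Wire_Transfers.xlsx">Wire_Transfers.xlsx</a></p>
"""


def _domain(header: str) -> str:
    """Lower-cased domain of the first address in a From/Return-Path header."""
    return parseaddr(str(header))[1].rpartition("@")[2].lower()


def extract_links(html: str) -> list[str]:
    """Pull href targets out of a simple HTML body."""
    return re.findall(r'href="([^"]+)"', html)


def is_external(url: str, sender_domain: str) -> bool:
    """True when the link host is neither the sender domain nor a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host != sender_domain and not host.endswith("." + sender_domain)


def analyze(raw: str, known_senders: set[str]) -> dict:
    """Evaluate the indicators the page lists and return each as a boolean."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    from_dom, rp_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    links = extract_links(body.get_content()) if body else []
    result = {
        "unknown_sender": sender not in known_senders,
        "return_path_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "external_links": any(is_external(u, from_dom) for u in links),
        "no_attachments": not any(True for _ in msg.iter_attachments()),
    }
    # A spoofed envelope combined with a link to a host outside the sender's
    # domain is the pairing that should hold the message for review.
    result["suspicious"] = result["return_path_mismatch"] and result["external_links"]
    return result
```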

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Link-based

Goal

Payment Fraud
Credential Theft

Tactic

Spoofed Email Address
Masked Phishing Link

Theme

Fake Document
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier
