Vendor Impersonator Uses Fake Invoice Notification In Credential Theft Attempt
This dual credential phishing attack and fake billing scam features an impersonation of Hazmat International—a real, Texas-based hazardous spill response and environmental services company. The attacker compromises a legitimate domain, “hazmatinternational[.]com,” and impersonates one of its employees, even using the employee’s email signature. The message contains minimal content beyond an invitation to view “Invoice #231108381-2” using the provided link. This leads to a fake landing page that looks like a portal where the target can download the shared document. However, if the target clicks the “Open Your Files Here Now” button, they will likely be taken to a credential phishing website where sensitive information, including payment details, is at risk of being stolen. Since the attacker has compromised an actual Hazmat International domain, if the target expects an invoice, there is no discernible way for the target to know this is an attack.
Older, legacy email security tools struggle to accurately identify this email as an attack because it comes from an established domain and contains no known malicious links or attachments. Modern, AI-powered email security solutions detect the unknown domain, lack of recipient information, and suspicious link to flag this email as an attack correctly.
This fake landing page includes a malicious link to a phishing website.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Sender Reputation: The email was sent from a domain, “hazmatinternational[.]com,” that has been registered for nine years. Legacy security tools often trust older domains, which can allow malicious emails from these domains to bypass security checks.
- Lack of Known Malicious Links: The email contains links, but none of them are known to be malicious. Legacy security tools often rely on databases of known malicious links, so they may not flag an email as suspicious if it doesn't contain any links from these databases.
- No Known Malicious Attachments: The email contains an attachment, but it's a PNG image, which is a common and typically harmless file type. Legacy security tools often look for specific types of malicious attachments, such as executable files or documents with macros, so they may not flag an email as suspicious if it only contains an image.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Domain: The domain used to send this email is an unknown domain that the company has never received messages from in the past. Abnormal detects this as a potential sign of a malicious attack.
- Lack of Recipient Information: The email does not contain any email addresses in the “To” field. This is unusual and can be a sign of a mass phishing attack.
- Suspicious Links in the Email Body: Abnormal analyzes every link in an email and determines if they are potentially malicious, even if they are not known to be malicious.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.