While most socially engineered attacks contain only text, there is a trend of attackers sending images instead, likely to bypass security filters. This malicious email contains an embedded image of a supposed Microsoft secure fax sent via Adobe Acrobat Sign. The email targets an insurance company, which likely sees many similar legitimate emails each day.


Upon clicking the image, the recipient is taken to a phishing webpage hosted on Dropbox. The phishing website requires the target to sign in to view the secure fax, encouraging the curious to enter their credentials into the phishing page.


Interestingly, the email appears to come from the same email address as the recipient—a tactic attackers use to add legitimacy to their emails. Additional addresses are included as BCC recipients, a common tactic in phishing campaigns when threat actors wish to target multiple people at once.

Why It Bypassed Traditional Security

Attackers often use images to bypass traditional security measures such as signature-based filtering. The link included here is hosted on legitimate Dropbox infrastructure to add legitimacy; because the service is used for normal business purposes, security tools cannot simply add the domain to a global blocklist. Further, the attacker appears to have sent the message from a compromised legitimate account at this vendor, so it passes SPF, DKIM, and DMARC authentication and is not caught by header-based checks.

Detecting the Attack

Since links to Dropbox are typically benign and occur in the normal course of business, a behavioral system is needed to stop these types of attacks. Organizations need tools that can identify text in images to understand tone and requests, as well as tools that can understand the context of sender and recipient patterns. In this case, the sending and receiving email addresses appear to be identical, which is an indicator that this message is potentially malicious.
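As an added illustration of the behavioral checks described in the two sections above (authentication passing is not proof of legitimacy; a self-addressed message, a recipient hidden via BCC, and an image-only body linking to a file-sharing service are the signals worth scoring), here is a small Python triage routine. It is example code written for this page, not a tool from the original post or from any vendor; the sample messages, the addresses and domains in them, the Dropbox path, and the `FILE_SHARING_HOSTS` set are all constructed placeholders.

```python
"""Heuristic triage of an email whose body is a single linked image.

Example code for this page; the messages below are constructed samples.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder addresses and Dropbox path): self-addressed,
# passes SPF/DKIM/DMARC, and the body is one image wrapped in a link.
SUSPICIOUS_EMAIL = """\
From: "Jane Doe" <jane.doe@insurer.example>
To: jane.doe@insurer.example
Subject: Secure fax via Adobe Acrobat Sign
Authentication-Results: mx.insurer.example; spf=pass smtp.mailfrom=insurer.example; dkim=pass header.d=insurer.example; dmarc=pass header.from=insurer.example
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://www.dropbox.com/s/PLACEHOLDER/secure-fax"><img src="cid:fax1" alt=""></a>
</body></html>
"""

# Constructed benign control: ordinary text from a different sender that also
# happens to carry a Dropbox link, which on its own should not be blocked.
BENIGN_EMAIL = """\
From: "Bob Roe" <bob.roe@partner.example>
To: jane.doe@insurer.example
Subject: Q3 renewal figures
Authentication-Results: mx.insurer.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Jane, the renewal figures are in the shared folder:
<a href="https://www.dropbox.com/s/PLACEHOLDER/q3">Q3 folder</a>. Thanks, Bob</p></body></html>
"""

# Signals that reflect sender/recipient behaviour rather than a reputation lookup.
BEHAVIORAL_SIGNALS = {"self_addressed", "recipient_not_in_to_cc", "image_only_linked_body"}
# Illustrative list of file-sharing hosts; a real deployment would extend this.
FILE_SHARING_HOSTS = {"dropbox.com", "www.dropbox.com"}


class _BodyScanner(HTMLParser):
    """Counts visible text, images and links in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def _html_body(msg):
    """Return the first text/html part decoded to str, or an empty string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def triage(raw_message, delivered_to=None):
    """Return authentication status, findings and a verdict for one message.

    delivered_to is the mailbox that actually received this copy; if it is not
    listed in To/Cc, the recipient was most likely addressed via BCC.
    """
    msg = message_from_string(raw_message)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if sender and sender in recipients:
        findings.append("self_addressed")
    if delivered_to and delivered_to.lower() not in recipients:
        findings.append("recipient_not_in_to_cc")

    # All three passing only shows the mail left an authorised server, which is
    # equally true of mail sent from a compromised account, so it never clears
    # the message on its own.
    auth = msg.get("Authentication-Results", "")
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    scanner = _BodyScanner()
    scanner.feed(_html_body(msg))
    if scanner.images and scanner.links and scanner.text_chars == 0:
        findings.append("image_only_linked_body")
    if any((urlparse(u).hostname or "").lower() in FILE_SHARING_HOSTS for u in scanner.links):
        findings.append("file_sharing_link")  # informational: benign on its own

    verdict = "review" if BEHAVIORAL_SIGNALS & set(findings) else "allow"
    return {"auth_pass": auth_pass, "findings": findings,
            "links": scanner.links, "verdict": verdict}


if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS_EMAIL, delivered_to="c.user@insurer.example"))
    print("benign:", triage(BENIGN_EMAIL, delivered_to="jane.doe@insurer.example"))
```

The design point is the verdict line: a file-sharing link alone stays informational, and the message is only escalated when a behavioral signal is present, which is why the benign control with its Dropbox link is allowed while the self-addressed, image-only message is sent for review despite passing SPF, DKIM and DMARC.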

Risk to Organization

Stolen organizational credentials, whether for Microsoft or Adobe, could expose documents and other sensitive data to the attackers. This offers many different opportunities for impersonation and fraudulent use of stolen contracts, certificates, or sensitive financial information. Should the target enter their Microsoft credentials instead, given that the email impersonated both brands, the attackers would have full access to the email account, from which they could launch additional attacks or move laterally across the organization.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Self-Addressed Spoofed Email
Impersonated Party: Brand