In this attack, the attacker hijacked an old email thread to send an executive a link to a likely malicious file. In the hijacked conversation, the recipient and another employee discussed the status of invoices from 2019 and 2020. The intention is for the recipient to erroneously assume that the file referenced in the attack is just another invoice based on the context of the other files shared in the thread.

Because the attack used a hijacked thread, it’s likely that one of the employees’ email accounts had been previously compromised. A password is provided in the email, which is required to “access” the file, but in reality, using a password-protected file is meant to bypass malware detection.

The attacker uses the executive’s name for the email display name, but the email address used appears to be an unrelated external compromised account. The display name makes the email appear as if the recipient has sent it to themselves, despite the most recent email containing the file link being more logically understood as sent from the other employee.

Status Bar Dots
Hijacked Email Thread

Why It Bypassed Traditional Security

By using a legitimate compromised email account, the attacker eliminates the potential for a traditional SEG to identify a malicious email address or domain and block it. The URL found in the email is one that has not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators.

Detecting the Attack

Integration with the Microsoft API allows an email security solution to use ActiveDirectory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

Risk to Organization

If the target clicks on the link in the email, malware would be downloaded to their computer. Once the malware is installed, attackers can perform a variety of nefarious actions, including escalating it into a ransomware attack. Incorporating legitimate content such as the hijacked email thread into a malicious email makes it more likely that it will succeed if it reaches its intended recipient.

Analysis Overview

Vector

Link-based

Goal

Malware Delivery

Tactic

Hijacked Email Thread
External Compromised Account
Spoofed Display Name

Theme

Fake Invoice

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo