The PandaDoc Bait-and-Switch Scam

Empty Docs, Real Threats: Using PandaDoc & Dropbox to Bypass SEGs

What is the attack?

  • Phishing Email: Victims receive an email stating that a document has been shared via PandaDoc.

  • Decoy Document: When opened, the PandaDoc link leads to a blank or non-functional document, acting as a decoy.

  • Social Engineering Trick: The email instructs victims that if the document does not render properly, they should copy and paste a provided Dropbox link instead.

Why did it get through?

  • Verified Source: Email sent from a domain passing sender authentication checks.

  • Legitimate Hosting: The document was hosted on the legitimate PandaDoc and Dropbox sites, lending it an air of legitimacy.

  • URL Crawling/Analysis Protection: A Captcha placed in front of the content limits automated link crawling and URL analysis, making automated detection harder.

What is required to solve for this attack?

  • Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies, enabling the detection of novel attacks.

  • Defense-in-depth: Behavioral analysis pairs well with the cloud email platform’s (Microsoft 365’s) threat intelligence layer for defense in depth.
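The following is an added example, not Abnormal’s code or a description of its product, that turns the attack pattern above (a document-share lure with a decoy link plus a "copy and paste this link instead" fallback) and the detection ideas (never-before-seen sender, unusual content, mismatched URLs) into simple content heuristics. It deliberately does not rely on SPF/DKIM/DMARC results, since the page notes the message passed sender authentication. The email text, sender addresses and `.example`/`.test` domains are constructed for the demonstration; the sender allow-list is a stand-in for whatever sender history a real system keeps.

```python
"""Heuristic triage for 'decoy document + paste-this-link-instead' phishing.

Example code written for this page; not Abnormal's product logic.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Anything that looks like an http(s) URL in the body text.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Fallback instruction: "if it does not render/open ... copy and paste ..."
FALLBACK_RE = re.compile(
    r"(does not|doesn't|cannot|can't)\s+(render|open|load|display)|copy\s+and\s+paste",
    re.IGNORECASE,
)


def extract_urls(text):
    """Return all URLs found in free text."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Naive 'registrable domain' (last two labels). Assumption: no public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message, known_senders):
    """Score one RFC 822 message; returns sender, hosting domains, flags and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    urls = extract_urls(body)
    hosts = {registrable_domain(urlparse(u).hostname or "") for u in urls}

    flags = []
    # Behavioral signal: the organisation has never received mail from this sender.
    if sender not in known_senders:
        flags.append("never_seen_sender")
    # Content signal: a 'document shared with you' lure.
    if re.search(r"\bshared\b", body, re.I) and re.search(r"\bdocument\b", body, re.I):
        flags.append("document_share_lure")
    # Content signal: the 'if it does not render, copy and paste this link' trick.
    if FALLBACK_RE.search(body):
        flags.append("copy_paste_fallback")
    # URL signal: the fallback points at a different hosting provider than the decoy.
    if "copy_paste_fallback" in flags and len(hosts) >= 2:
        flags.append("mismatched_hosting")

    verdict = "suspicious" if len(flags) >= 3 else "clean"
    return {"sender": sender, "hosts": sorted(hosts), "flags": flags, "verdict": verdict}


# Constructed sample mirroring the lure described on the page (all domains are placeholders).
SAMPLE_PHISH = """\
From: Docs Team <notifications@example-sender.test>
To: finance@example-victim.test
Subject: A document has been shared with you
Content-Type: text/plain; charset=utf-8

Hello,
A document has been shared with you via PandaDoc:
https://app.pandadoc.example/document/abc123
If the document does not render properly, copy and paste this link into your browser:
https://www.dropbox.example/s/xyz789/agreement.pdf
"""

# Constructed benign message from a sender the organisation already knows.
SAMPLE_BENIGN = """\
From: Reports <reports@example-corp.test>
To: finance@example-victim.test
Subject: Quarterly numbers
Content-Type: text/plain; charset=utf-8

The quarterly report is ready on the dashboard: https://intranet.example-corp.test/dash
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH, known_senders=set()))
    print(triage(SAMPLE_BENIGN, known_senders={"reports@example-corp.test"}))
```

Because the decoy link really does point at PandaDoc and the fallback at Dropbox, neither URL is malicious on its own; the signal is the combination of an unknown sender, a share lure, an explicit copy-and-paste fallback, and two different hosting providers in one message. That is also why a Captcha on the landing page does not blunt this check: nothing here follows the links.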