Attack Target Summary
Attack Overview
Step 1: Email
The attacker sends a well-crafted email impersonating a high-ranking executive such as the CEO or CFO. The message appears urgent but contains no links or attachments, which helps it slip past traditional filters.
- Email passes SPF, DKIM, and DMARC checks.
- Sender display name mimics executive identity.
- Language is professional, urgent, and financially themed.
Step 2: Financial Information Request
The goal of the message is to obtain sensitive payment details—such as outstanding invoices, customer contact info, or internal records—under the guise of preparing for or following up on a financial transaction.
- Requests payment records or invoice status.
- Exploits authority to encourage quick response.
- Often seeks further engagement through follow-up replies.
Step 3: Dropbox + Credential Harvesting Page
Step 4: Final Destination (Spoofed Microsoft Login)
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Sent from a verified domain passing all sender checks.
- Uses executive impersonation with no links or attachments.
- Benign appearance avoids triggering typical detection rules.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Deviations from known executive communication patterns.
- NLP-detected financial urgency and request tone.
- Anomalous targeting of accounts payable roles.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
