Abnormal Intelligence


Salesforce Impersonator Utilizes Look-Alike Domain in Fake Billing Scam

An attacker creates a domain visually similar to salesforce[.]com, engages the target, and then forwards the thread to another colleague, heightening the chances of a successful scam.

October 13, 2023

This fake billing scam features an impersonation of Salesforce. The attacker, impersonating a CPA named Brian Anderson, utilizes a “saelsforrce[.]com” domain that, if not closely inspected, might be mistaken for official Salesforce communications.

The email references an outstanding invoice of $36,000 and is written with official-sounding language, similar to authentic communications between vendors and customers. The recipient engages with the attacker and recommends forwarding the invoice to another employee for further processing.

Since the attacker has gained credibility with the recipient, they contact the second employee using the same fake Salesforce domain.

Older, legacy email security tools have difficulty correctly flagging this email as an attack because of the use of a spoofed email address, an inability to detect the age of the domain, and the lack of malicious links and attachments. Modern, AI-powered security tools accurately identify this email as an attack because they analyze the age of the domain and detect spoofing and social engineering techniques.


The recipient engages with the attacker and recommends forwarding the request along to another employee.


Having gained the recipient’s trust, the attacker follows along and forwards the invoice payment request to a second employee using the same look-alike domain.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be from "brian@saelsforrce[.]com", which is a slight misspelling of the legitimate domain, “salesforce[.]com.” This could easily bypass legacy security tools that only check for exact matches with known malicious domains.
  • New Domain: The sender's domain is only six days old. Legacy security tools often rely on reputation-based systems, which may not have information on newly registered domains.
  • Lack of Malicious Links or Attachments: The email does not contain malicious links or attachments, common triggers for legacy security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age: Abnormal detects that the sender's domain is only six days old. This is a common characteristic of malicious domains, as attackers often register new domains for attacks.
  • Email Spoofing: The email appears to be from "brian@saelsforrce[.]com", which is a slight misspelling of a legitimate domain, “salesforce[.]com.” Abnormal's advanced detection algorithms identify and flag such slight variations as suspicious.
  • Social Engineering Detection: Abnormal's AI models detect social engineering techniques, such as urgency and authority, used in the email to persuade the recipient to take action.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
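
The look-alike and domain-age signals listed above can be approximated with a short check. This is an added example, not Abnormal's detection logic (which is not disclosed); the protected-domain list, thresholds, function names and registration dates are assumptions, with the dates constructed to match the six-day-old domain described.

```python
from datetime import date

# Assumptions for this sketch (not values from the article):
PROTECTED = {"salesforce.com"}  # vendor domains the organisation really deals with
MAX_DISTANCE = 2                # edits tolerated before a name stops looking alike
MIN_AGE_DAYS = 30               # younger than this counts as newly registered


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]


def assess_sender(address: str, registered: date, today: date) -> list[str]:
    """Return the reasons a sender looks suspicious; an empty list means none."""
    domain = address.rsplit("@", 1)[-1].strip().lower().replace("[.]", ".")
    reasons = []
    if domain not in PROTECTED:
        nearest = min(PROTECTED, key=lambda p: osa_distance(domain, p))
        dist = osa_distance(domain, nearest)
        if dist <= MAX_DISTANCE:
            reasons.append(f"look-alike of {nearest} (distance {dist})")
    age = (today - registered).days
    if age < MIN_AGE_DAYS:
        reasons.append(f"domain registered {age} days ago")
    return reasons


if __name__ == "__main__":
    today = date(2023, 10, 13)  # constructed: the article's publication date
    samples = [  # constructed registration dates; a real check reads them from WHOIS/RDAP
        ("brian@saelsforrce[.]com", date(2023, 10, 7)),  # six days old, as in the article
        ("billing@salesforce.com", date(2000, 1, 1)),
        ("hello@example.net", date(2023, 10, 10)),
    ]
    for sender, registered in samples:
        print(sender, "->", assess_sender(sender, registered, today) or "no findings")
```

Counting an adjacent swap as a single edit matters here: "saelsforrce" differs from "salesforce" by one swapped pair and one doubled letter, so it scores 2 rather than the 3 that plain Levenshtein distance would give.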

Classification

  • Fake Billing Scam
  • Text-based
  • External Party - Vendor/Supplier
  • Payment Fraud
