chat
expand_more

4 Examples of Advanced Email Threats Evading Detection in User Inboxes

Explore how advanced email threats can slip past common security measures and why a proactive, pre-delivery defense is essential in combating them.
September 24, 2024

When Abnormal detects advanced email threats, we frequently hear from prospective clients about the effectiveness of post-delivery controls like URL rewriting—a tool used to protect users from malicious links embedded in emails. Many organizations rely on these mechanisms, along with browser agents and web gateways, as compensating security measures. The belief is that even if a malicious email makes it to the inbox, these controls will minimize the risk.

However, the reality is more complex. Post-delivery controls can often be bypassed, particularly in the case of sophisticated threats that are designed to evade detection. URL rewrites, for example, are not always effective against threats that disguise themselves as legitimate or change dynamically after delivery.

Here, I’ll examine a few types of advanced email threats that persist in user inboxes despite these controls. We'll explore how these threats can slip past common security measures and why a proactive, pre-delivery defense is essential in combating them.

1. Multi-stage Phishing From a Compromised Account Abusing an ArcGIS Site

In this first example, the email message originates from a compromised external account and the threat actor is abusing ArcGIS to host a path to a credential phishing page.

Adv Attacks1

Looking at the component parts, we can see three URLs—the initial shortened URL, the URL expanded at the time of the click, and the actual payload URL that requires a click from the abused ArcGIS survey page.

Adv Attacks2

When I run the first URL in a publicly-available URL scanner, I get an error:

Adv Attacks3

When I try the second URL, I don’t get an error, but rather a benign verdict:

Adv Attacks4

As you can see, the ArcGIS URL is not currently condemned. If the victim clicks on “View PDF Online” or “Submit”, they will be sent to a credential phishing page.

What’s interesting here is that the significant majority of traditional URL rewriting services that come from SEGs will not make it past that first click and redirect. The original URL would have been rewritten, and at the time of click, that initial URL and its expanded counterpart from the redirect would have been assessed. The URL rewrite vendor is not going to perform that second click, meaning they will miss the eventual payload.

Fortunately, browser-based controls are less limited in terms of what can be analyzed—they aren’t beholden to a rewritten URL, long redirect chains, etc. Browser-based controls can inspect all web traffic for a given user, assuming the browser agent is installed. This is extremely helpful when combatting multi-stage payload delivery, as we see here.

With that said, let’s look at the third and final URL destination:

Adv Attacks5

In this case, if a victim user was leveraging this browser protection component, they would have been prevented from accessing the actual credential phishing page, even though the message was allowed to persist in the inbox.

2. DHL Impersonation Leading to QR Code Credential Phishing

Abnormal detected the following email attack in real time as an obvious DHL impersonation, but in this case, it’s sitting in the user's inbox more than a day later.

Adv Attacks6

Scanning the QR code will take the victim to: hxxps://restaurantesmiescondite[.]com/commad/popular[.]html?[redacted].

This is definitely not a DHL URL, nor did the message originate from DHL.

Adv Attacks7

Checking the extracted URL in the same URL scan tool results in a “benign” verdict, but a single vendor in VirusTotal (Fortinet) gives me a phishing verdict:

Adv Attacks8

I decided to send this extracted link to a SafeLinks-protected mailbox to see what Microsoft thought. I was surprised to discover that the link is being blocked at the time of click, even though the malicious URL was initially delivered:

Adv Attacks9

Even though the URL itself is condemned, the URL within the QR code will not be rewritten. This means that the block page I'm seeing from SafeLinks is irrelevant. The user would not be protected by this control, as the payload was delivered within a QR code.

3. Microsoft Billing Impersonation From Xero Abuse

In this next attack example, detected by Abnormal, the threat actor impersonates Microsoft and abuses Xero.

Adv Attacks10

If a user were to click on the link, they would see the following page, prompting them to call the same number from the initial threat message. There is not a payload in the traditional sense.

Adv Attacks11

For any who are unfamiliar with this particular threat technique, the threat actor’s goal is to get the end-user to call the phone number. Calling the number will result in interaction with a human, pretending to be tech support for the impersonated organization (Microsoft in this case). The fake agent on the other end of the phone will prompt the victim to initiate a remote desktop session, normally under the guise of “Show me your screen, and I will help you cancel this payment from your device.” This remote desktop session is normally facilitated via legitimate services such as AnyDesk.

If the user doesn’t go through with the remote desktop session but is still on the phone, the threat actor will typically pivot to personal information theft.

When I run this URL through the checker, I get a benign verdict:

Adv Attacks12

4. Dutch VIP Impersonation With End-User Engagement (No Payload)

In the last example attack, Abnormal detected an impersonation of a VIP during a client's POV. Since the POV is read-only, we can track user engagement with threats—opens, forwards, replies, etc.—a few of which are detailed in the following images.

Because this message does not carry a payload, post-delivery time-of-click controls don’t really exist or provide protection. Rather, the hope is that end-users can identify and report this message. Sadly, we often see that end-users fall victim to such messages, as is the case here.

This message is written in Dutch, and I will use a translation service (DeepL) to render it in English where necessary.

Original Message:

Adv Attacks13

English Translation:

“Hello [Victim Name] Do you have a moment? I need you for an assignment. Please reply with your mobile number so I can tell you how to proceed. Kind regards”

This same message was sent to three different recipients, one of whom began engaging with the threat actor just seven minutes post-delivery:

Adv Attacks14

The threat actor then replies:

Adv Attacks15

English Translation:

“Okay, I'm in a meeting session and I want us to work together on something important. I have selected a few employees who should receive a gift for their hard work and dedication to the growth of the company, especially at this stage, to motivate and encourage the team to be more proactive and enthusiastic in future projects. I need your help with this, but I'm not sure what the rest of my schedule looks like today. Please let me know if you can help me in a few minutes or in the next hour. I don't want you to ruin the surprise, so it's very important to me that you remain confidential.”

The victim continues engaging with the threat actor from there, eventually resulting in a request to get a number of gift cards, each pre-loaded with 100 euros.

Invest in AI-Powered Email Protection That Stops Threats Before User Interaction

As you can see, threat actors are constantly applying new attack techniques to exploit your users. Relying solely on security controls that act after an email reaches the inbox is no longer adequate to fully protect organizations from sophisticated attacks. Modern threats frequently use obfuscated payloads or hide behind legitimate services, and many contain no payloads at all—just text or phone numbers. This makes traditional security measures ineffective against risky user behavior.

Abnormal Security takes a different approach, offering advanced, AI-driven protection that detects and neutralizes these threats before users engage with them. By analyzing the nuances of each email and leveraging behavioral data from thousands of signals, Abnormal Security provides the comprehensive protection organizations need to defend against even the most advanced attacks.

Interested in learning more about how Abnormal protects your inbox? Schedule a demo today!

Schedule a Demo
4 Examples of Advanced Email Threats Evading Detection in User Inboxes

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B E Rate
Discover how AI-powered email protection ensures a secure digital learning environment.
Read More
B Healthcare Industry Attack Trends Blog
Targeted attacks on the healthcare industry are on the rise. Explore the latest threat trends and learn how to protect your organization.
Read More
B URL
Explore how attackers exploit rewritten URLs to gain unauthorized access, highlighting traditional security vulnerabilities and the need for modern tools.
Read More
B SOC Experts
Explore insights from SOC leaders on the evolving landscape of social engineering threats, highlighting human vulnerabilities and strategies to enhance cybersecurity.
Read More
B Cybersecurity Awareness Month Engage Educate Empower
Happy Cybersecurity Awareness Month! Make sure your workforce is prepared to combat emerging threats with these 5 tips.
Read More
B Top Mortgage Lender Replaces Proofpoint with Abnormal
Discover how a leading mortgage lender saved money and stopped more attacks by replacing its Proofpoint SEG with Abnormal’s API-based behavioral AI solution.
Read More