
Beyond Traditional Defenses: Abnormal Security Detects Advanced Phishing Attack Missed by Proofpoint + DarkTrace

Discover how Abnormal Security detected a sophisticated phishing attack that evaded both Proofpoint and DarkTrace, and learn how it outperforms traditional solutions in combating modern email threats.
July 26, 2024

Threat actors become more sophisticated every day, sending phishing attacks that leverage legitimate services and bypass conventional defenses with alarming ease. This growing sophistication was recently highlighted by an attack that evaded both Proofpoint and DarkTrace, but was detected by Abnormal Security.

Here, we explore the details of that attack and showcase how Abnormal is equipped to protect organizations in the face of modern email threats that are outpacing traditional solutions.

Background

The targeted organization is a long-time Proofpoint customer that is transitioning to a more robust security framework built on Microsoft and Abnormal Security. Abnormal's system, integrated in read-only mode during the proof-of-value (POV) and sitting downstream of Proofpoint in the mail flow, identified a sophisticated phishing email that had eluded the existing secure email gateway (SEG). Unlike a SEG, Abnormal relies on behavioral AI rather than signatures to detect advanced attacks.

In this attack, the phishing email was disguised as a legitimate Microsoft informational alert, informing the recipient that an email containing a malicious URL was removed. The sender details and email payload, however, revealed a more complex story.

Analyzing the Attack

The initial email was designed to look like a Microsoft informational alert, suggesting that a separate email with a malicious URL was removed post-delivery:

Sender Authentication: The email passed SPF, DKIM, and DMARC checks. That only proves the message was authorized by the domain it was sent from; it says nothing about whether that domain is Microsoft's, and here it was not. The original sender was an apparently compromised DarkTrace customer, evidenced by the DarkTrace URL rewriting used as the first hop of the phishing path (more on this later).

Email Payload: The email contained a DarkTrace-rewritten URL that eventually resolved to a DocuSign-themed page. From there the victim was redirected, behind a Cloudflare-protected CAPTCHA, to a consent page for an OAuth application. The objective was to have the victim grant that application access to their account, achieving persistence, rather than traditional credential theft.

OAuth abuse, also called consent phishing, gives the threat actor persistence in an M365 account that survives password resets: access comes from the permissions the victim granted to the attacker's application, not from the victim's credentials, and it lasts until that consent is revoked or the application is removed from the tenant.
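Because a consent grant outlives a password reset, the practitioner's follow-up to an incident like this is to find and revoke the grants rather than only rotate the password. The script below is an added example, not Abnormal's or Microsoft's code: it triages records shaped like Entra ID "Consent to application" audit entries, scoring each granted scope set so that mail-reading scopes combined with offline_access surface first. The records are constructed, and the field layout and the scope-string format are assumptions that only approximate the real audit schema.

```python
"""Triage 'Consent to application' audit records for persistence planted by
consent phishing. Added example, not Abnormal's or Microsoft's code. The
records are constructed and only approximate Entra ID audit entries."""
import re
from dataclasses import dataclass

# Delegated scopes that let an app read or send mail or rewrite the tenant;
# these are what consent-phishing apps typically ask for.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All",
}
# offline_access is what gets the app a refresh token; with it the grant keeps
# working after a password reset until the grant itself is revoked.
PERSISTENCE_SCOPE = "offline_access"


@dataclass(frozen=True)
class ConsentFinding:
    app_name: str
    user: str
    scopes: frozenset
    risk: str


def parse_scope_string(value: str) -> frozenset:
    """Extract the space-separated scope list from a ConsentAction.Permissions
    new-value string (assumed shape: '... Scope: a b c, ...')."""
    m = re.search(r"Scope:\s*([^\],]+)", value)
    return frozenset(m.group(1).split()) if m else frozenset()


def score_scopes(scopes) -> str:
    dangerous = bool(HIGH_RISK_SCOPES & set(scopes))
    persistent = PERSISTENCE_SCOPE in scopes
    if dangerous and persistent:
        return "critical"
    if dangerous:
        return "high"
    if persistent:
        return "medium"
    return "low"


def triage_record(record: dict):
    """Return one finding per consented app in a record, or None if the record
    is not a consent event. Field names are assumptions, not the real schema."""
    if record.get("activityDisplayName") != "Consent to application":
        return None
    user = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
    findings = []
    for target in record.get("targetResources", []):
        scopes = frozenset()
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                scopes |= parse_scope_string(prop.get("newValue", ""))
        app = target.get("displayName", "<unknown app>")
        findings.append(ConsentFinding(app, user, scopes, score_scopes(scopes)))
    return findings


def triage_all(records) -> list:
    out = []
    for rec in records:
        out.extend(triage_record(rec) or [])
    return out


def to_revoke(findings) -> list:
    """Grants worth revoking immediately: mail access, with or without persistence."""
    return [f for f in findings if f.risk in ("critical", "high")]


# Constructed sample records (not real audit data).
SAMPLE_AUDIT_RECORDS = [
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "victim@example.org"}},
        "targetResources": [{
            "displayName": "Document Viewer",
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "False"},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "[] => [[Scope: Mail.ReadWrite offline_access User.Read, ConsentType: Principal]]"},
            ],
        }],
    },
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.org"}},
        "targetResources": [{
            "displayName": "Team Calendar Widget",
            "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "[] => [[Scope: User.Read Calendars.Read, ConsentType: Principal]]"},
            ],
        }],
    },
    {
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.org"}},
        "targetResources": [{"displayName": "bob@example.org", "modifiedProperties": []}],
    },
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_AUDIT_RECORDS):
        print(f"{f.risk:8} {f.user:22} {f.app_name:22} {' '.join(sorted(f.scopes))}")
```

Once a grant is identified, revoking it is a delete of the corresponding oauth2PermissionGrant object in Microsoft Graph (`DELETE /oauth2PermissionGrants/{id}`); resetting the password alone leaves the refresh token usable.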

How Abnormal Detected the Attack

Abnormal's advanced AI platform captures thousands of unique signals about employee behavior and vendor communication patterns that attackers cannot obtain from public information. By training AI models tailored to each organization, it effectively detects anomalous activities among internal users and external partners.

In this attack, the key anomalies flagged by Abnormal's human behavior AI include:

  • The sender had no historical communication with the recipient.

  • The sending domain did not match with the Microsoft branding used in the email.

  • The payload URL and sending domain did not match Microsoft's domains.

  • The email body contained invisible characters, atypical for such notifications.

Identifying these anomalies, along with others, against a backdrop of 40,000+ behavioral signals across multiple platforms, allowed Abnormal to detect this message. Due to our unique architecture, we only analyze messages that have been allowed by upstream email security providers.

Here you can see the Proofpoint and Microsoft detection headers. Proofpoint classified the message as not-spam, with phishscore and impostorscore both 0 (only clxscore and unknownsenderscore are elevated), and Microsoft's headers show SCL 1, CAT:NONE and SFV:NSPM, i.e. delivered as non-spam with no threat category assigned:

x-proofpoint-spam-details:

Rule: inbound_notspam
Suspectscore: 0
Lowpriorityscore: 0
Adultscore: 0
Bulkscore: 0
Phishscore: 0
Impostorscore: 0
Clxscore: 65
Spamscore: 0
Unknownsenderscore: 20

Microsoft:

SCL: 1 (Skiplisting/Enhanced Filtering Enabled)
CAT: NONE
SFV: NSPM
PTR: ErrorRetry
BCL: 0
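The four anomalies listed above, and the header dump just shown, can be turned into explicit checks. The following Python script is an added example, not Abnormal's detection logic or Proofpoint's: it parses a constructed message modelled on the post's description, reads the Authentication-Results and x-proofpoint-spam-details headers into dictionaries, and applies the four heuristics (no prior contact, Microsoft branding from a non-Microsoft domain, payload URL landing off-brand after unwrapping a rewriter, invisible characters in the body). The domains, the recipient's contact history, and the query-parameter shape of the rewritten URL are assumptions, not any vendor's real format.

```python
"""Heuristic re-check of a 'Microsoft alert' phishing email like the one in
this post. Added example, not Abnormal's or Proofpoint's code. The message,
domains and contact history below are constructed."""
import html
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed message modelled on the post's description; not the real sample.
# The zero-width space is carried as the HTML entity &#8203;.
RAW_EMAIL = b"""From: Microsoft 365 Security <alerts@contoso-notify.example>
To: victim@example.org
Subject: Microsoft 365: A message containing a malicious URL was removed
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=contoso-notify.example; dkim=pass header.d=contoso-notify.example; dmarc=pass header.from=contoso-notify.example
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 suspectscore=0 phishscore=0 impostorscore=0 clxscore=65 spamscore=0 unknownsenderscore=20
Content-Type: text/html; charset=utf-8

<html><body><p>Microsoft 365 Security Center</p>
<p>An email containing a mali&#8203;cious URL was removed from your mailbox.</p>
<p><a href="https://us-east.urlrewrite.example/v1?u=https%3A%2F%2Fdocs-sign.example%2Fview">Review the quarantined message</a></p>
</body></html>
"""

# Illustrative allowlist of domains Microsoft itself sends alerts from.
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "office365.com"}
BRAND_KEYWORDS = ("microsoft", "office 365")
# Constructed: domains this recipient has actually corresponded with before.
KNOWN_SENDER_DOMAINS = {"example.org", "partner.example"}
# Zero-width and soft-hyphen code points used to break keyword matching.
INVISIBLE_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_brand_domain(domain: str) -> bool:
    return any(domain == b or domain.endswith("." + b) for b in BRAND_DOMAINS)


def unwrap_rewritten_url(url: str, depth: int = 5) -> str:
    """Follow a URL-rewriting wrapper to its target. Assumes the target travels
    as a query parameter (hypothetical '?u=' here); real rewriters encode the
    target differently, so this is the shape of the check, not a vendor format."""
    for _ in range(depth):
        inner = next((v[0] for v in parse_qs(urlparse(url).query).values()
                      if v and v[0].lower().startswith("http")), None)
        if inner is None:
            return url
        url = inner
    return url


def parse_kv_header(value: str) -> dict:
    """Parse 'k=v k=v; k=v' style headers such as x-proofpoint-spam-details."""
    return dict(re.findall(r"(\w+)=([^\s;]+)", value or ""))


def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    display_name, sender = parseaddr(str(msg["From"]))
    sender_domain = domain_of(sender)
    body_html = msg.get_payload(decode=True).decode("utf-8", "replace")
    body_text = html.unescape(re.sub(r"<[^>]+>", " ", body_html))
    visible = " ".join([display_name, str(msg["Subject"]), body_text]).lower()

    findings = []
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"no prior communication with sender domain {sender_domain}")
    claims_brand = any(k in visible for k in BRAND_KEYWORDS)
    if claims_brand and not is_brand_domain(sender_domain):
        findings.append(f"Microsoft branding but sender domain is {sender_domain}")
    for href in re.findall(r'href="([^"]+)"', body_html):
        final_domain = urlparse(unwrap_rewritten_url(html.unescape(href))).hostname or ""
        if claims_brand and not is_brand_domain(final_domain):
            findings.append(f"payload URL resolves to {final_domain}, not a Microsoft domain")
    hidden = sorted({f"U+{ord(c):04X}" for c in body_text if c in INVISIBLE_CHARS})
    if hidden:
        findings.append("invisible characters in body: " + ", ".join(hidden))

    return {
        "sender_domain": sender_domain,
        "auth": parse_kv_header(str(msg["Authentication-Results"])),
        "proofpoint": parse_kv_header(str(msg["X-Proofpoint-Spam-Details"])),
        "findings": findings,
        "verdict": "suspicious" if len(findings) >= 2 else "clean",
    }


if __name__ == "__main__":
    result = analyze(RAW_EMAIL)
    print("auth:", result["auth"], "| proofpoint phishscore:", result["proofpoint"].get("phishscore"))
    for f in result["findings"]:
        print(" -", f)
    print("verdict:", result["verdict"])
```

The point the output makes is the one the post makes: spf, dkim and dmarc all read `pass` and Proofpoint's phishscore is 0, yet every one of the behavioral checks fires, because authentication and reputation scores describe the sending domain, not whether that domain has any business sending a Microsoft alert to this recipient.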

Broader Implications

This attack is noteworthy because:

  • DarkTrace's URL rewriting infrastructure was exploited to obscure the phishing payload.

  • This technique is part of a broader trend where legitimate services are abused to facilitate phishing attacks.

  • Similar abuses have been observed with URL rewriting services from Inky, VIPRE, and Hornetsecurity.

Like many other providers, Proofpoint has a post-delivery remediation product, Threat Response Auto-Pull (TRAP), which pulls messages from mailboxes once Proofpoint's threat intelligence later classifies them as malicious. The limitation is that it still depends on threat intelligence updates, which are inherently reactive and delayed. In this case the message was still in the end user's inbox three hours after delivery, giving the user plenty of time to engage with the message and its payload.

The Importance of Human Behavior AI Detection

Traditional email security solutions, including SEGs like Proofpoint, miss sophisticated attacks like this one because they rely on known threat signatures and patterns. Our recent data shows a 237% increase in advanced attacks bypassing SEGs over the last two years.

Unlike traditional solutions, the Abnormal platform, through its API architecture, has access to more than 10x the behavioral data signals across multiple platforms and applies autonomous AI models that learn human behavior to stop the most advanced attacks, which other solutions cannot.

Interested in learning more about Abnormal’s Behavior AI solution? Schedule a demo today!
