Beyond Traditional Defenses: Abnormal Security Detects Advanced Phishing Attack Missed by Proofpoint + DarkTrace
Threat actors become more sophisticated every day, sending phishing attacks that leverage legitimate services and bypass conventional defenses with alarming ease. This growing sophistication was recently highlighted by an attack that evaded both Proofpoint and DarkTrace, but was detected by Abnormal Security.
Here, we explore the details of that attack and showcase how Abnormal is equipped to protect organizations in the face of modern email threats that are outpacing traditional solutions.
Background
The targeted organization was a long-time Proofpoint customer who is currently in the midst of transitioning to a more robust security framework that includes Microsoft and Abnormal Security. Abnormal's system—which was integrated in read-only mode during the POV process and sits downstream of Proofpoint in the mail flow—identified a sophisticated phishing email that had eluded the existing secure email gateway (SEG). Unlike a SEG, Abnormal harnesses the power of behavioral AI to detect advanced attacks.
In this attack, the phishing email was disguised as a legitimate Microsoft informational alert, informing the recipient that an email containing a malicious URL was removed. The sender details and email payload, however, revealed a more complex story.
Analyzing the Attack
The initial email was designed to look like a Microsoft informational alert, suggesting that a separate email with a malicious URL was removed post-delivery:
Sender Authentication: The email passed SPF, DKIM, and DMARC checks, suggesting it originated from a legitimate domain, but this domain was not Microsoft's. The original sender of the email was a seemingly compromised DarkTrace customer, evidenced by the use of DarkTrace URL rewriting as part of the initial phishing path (more on this later).
Email Payload: The email contained a DarkTrace-rewritten URL that eventually resolved to a legitimate-looking DocuSign page. The victim was then redirected to an OAuth app install page hidden behind a Cloudflare-protected CAPTCHA, aimed at installing an OAuth application to achieve persistence, rather than traditional credential theft.
OAuth abuse/consent phishing helps threat actors achieve persistence in an M365 account in a manner that persists beyond password resets, because the attacker has full OAuth access to the account.
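One defensive check the consent-phishing point above calls for, as an added example that is not Abnormal's code: triage a tenant's OAuth consent grants for apps that individual users consented to with broad delegated scopes. The record shape follows Microsoft Graph's oauth2PermissionGrant object (clientId, consentType, principalId, resourceId, scope); the grant values and the risky-scope list are constructed assumptions for the example.

```python
# Added example (not from the post): triage of OAuth consent grants.
# Record shape follows Microsoft Graph oauth2PermissionGrant objects
# (clientId, consentType, principalId, resourceId, scope); values below
# are constructed for illustration.
from dataclasses import dataclass

# Delegated scopes that give an app durable or mailbox-wide access. This
# list is an assumption for the example; tune it to your tenant.
RISKY_SCOPES = {
    "offline_access",             # refresh tokens: access outlives the session
    "Mail.ReadWrite",
    "Mail.Send",
    "MailboxSettings.ReadWrite",  # inbox rules / forwarding
    "Files.ReadWrite.All",
    "Directory.AccessAsUser.All",
}

# Constructed sample grants: one admin-wide consent, one user consent with a
# scope set typical of consent-phishing payloads, one harmless user consent.
SAMPLE_GRANTS = [
    {"clientId": "sp-benign-0001", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-rsc", "scope": "User.Read"},
    {"clientId": "sp-suspect-0002", "consentType": "Principal",
     "principalId": "user-1234", "resourceId": "graph-rsc",
     "scope": "openid profile offline_access Mail.ReadWrite MailboxSettings.ReadWrite"},
    {"clientId": "sp-ok-0003", "consentType": "Principal",
     "principalId": "user-5678", "resourceId": "graph-rsc", "scope": "User.Read"},
]

@dataclass(frozen=True)
class Finding:
    client_id: str
    principal_id: str
    risky_scopes: tuple  # sorted tuple of the matched scopes

def risky_user_consents(grants, risky=RISKY_SCOPES):
    """Findings for grants an individual user consented to (consentType
    'Principal') that include at least one risky delegated scope."""
    findings = []
    for g in grants:
        if g.get("consentType") != "Principal":
            continue  # admin-wide consent is reviewed through a separate process
        matched = sorted(set(g.get("scope", "").split()) & risky)
        if matched:
            findings.append(Finding(g["clientId"], g["principalId"], tuple(matched)))
    return findings

if __name__ == "__main__":
    for f in risky_user_consents(SAMPLE_GRANTS):
        print(f"review app {f.client_id}: user {f.principal_id} granted {', '.join(f.risky_scopes)}")
```

In a real tenant the grant list would come from the oauth2PermissionGrants endpoint; the same function applies unchanged.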
How Abnormal Detected the Attack
Abnormal's advanced AI platform captures thousands of unique signals about employee behavior and vendor communication patterns that attackers cannot obtain from public information. By training AI models tailored to each organization, it effectively detects anomalous activities among internal users and external partners.
In this attack, the key anomalies flagged by Abnormal's human behavior AI included:
The sender had no historical communication with the recipient.
The sending domain did not match with the Microsoft branding used in the email.
The payload URL and sending domain did not match Microsoft's domains.
The email body contained invisible characters, atypical for such notifications.
Identifying these anomalies, along with others, against a backdrop of 40,000+ behavioral signals across multiple platforms, allowed Abnormal to detect this message. Due to our unique architecture, we only analyze messages that have been allowed by upstream email security providers.
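The four anomalies listed above, computed over a constructed message with Python's standard library, as an added example that is not Abnormal's code: it also unwraps the destination a URL-rewriting service hides in its query string, so the domain check sees both the rewriter and the real landing page. The sender domain, link domains, Microsoft domain allowlist and known-sender set are all assumptions.

```python
# Added example (not Abnormal's code): the anomaly signals listed above, over a
# constructed message, using only Python's standard library.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample: Microsoft-branded alert from an unrelated domain, with a
# rewritten link wrapping the real destination and a zero-width space in the body.
RAW = """From: Security Alerts <alerts@example-partner.test>
Subject: Microsoft 365: a message containing a malicious URL was removed
Content-Type: text/plain; charset=utf-8

Microsoft 365 Defender removed a message sent to you.
Rev\u200biew the report: https://links.rewrite-vendor.test/v1/?u=https%3A%2F%2Fdocs-sign.test%2Fview
"""

MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com"}  # assumed allowlist
BRAND_RE = re.compile(r"\bmicrosoft\b", re.I)
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}  # zero-width code points
URL_RE = re.compile(r"https?://[^\s<>\"]+")

def base_domain(host):
    return ".".join(host.lower().split(".")[-2:])

def link_domains(body):
    """Domains of every link, plus destinations wrapped in a rewriter's query string."""
    found = set()
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        found.add(base_domain(parts.hostname or ""))
        for values in parse_qs(parts.query).values():
            for v in values:
                if v.startswith(("http://", "https://")):
                    found.add(base_domain(urlparse(v).hostname or ""))
    return found

def anomaly_signals(raw, known_senders):
    msg = message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sdom = base_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    claims_brand = bool(BRAND_RE.search(str(msg["Subject"]) + body))
    links = link_domains(body)
    return {
        "first_time_sender": sdom not in known_senders,
        "brand_domain_mismatch": claims_brand and sdom not in MICROSOFT_DOMAINS,
        "url_domain_mismatch": claims_brand and not links <= MICROSOFT_DOMAINS,
        "invisible_chars": any(ch in INVISIBLE for ch in body),
        "link_domains": sorted(links),
    }
if __name__ == "__main__":
    print(anomaly_signals(RAW, known_senders={"trusted-vendor.test"}))
```

Each signal is weak on its own (a genuine vendor may legitimately rewrite links); the point is that several of them coinciding on one message is what makes it stand out.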
Here you can see the Proofpoint and Microsoft detection headers:
x-proofpoint-spam-details:
Rule: inbound_notspam
Suspectscore: 0
Lowpriorittyscore: 0
Adultscore: 0
Bulkscore: 0
Phishscore: 0
Impostorscore: 0
Clxscore: 65
Spamscore: 0
Unknownsenderscore: 20
SCL: 1 (Skiplisting/Enhanced Filtering Enabled)
CAT: NONE
SFV:NSPM
PTR: ErrorRetry
BCL: 0
Broader Implications
This attack is noteworthy because:
DarkTrace's URL rewriting infrastructure was exploited to obscure the phishing payload.
This technique is part of a broader trend where legitimate services are abused to facilitate phishing attacks.
Similar abuses have been observed with URL rewriting services from Inky, VIPRE, and Hornet Security.
Like many other providers, Proofpoint has a post-remediation solution called TRAP, which is responsible for pulling messages that Proofpoint’s threat intelligence later finds to be malicious. The problem with this solution is that it still relies on threat intelligence updates, which are inherently reactive and delayed. This attack was still in the end-user's inbox three hours after it was received, giving the end-user plenty of time to engage with the malicious message and its payload.
The Importance of Human Behavior AI Detection
Traditional email security solutions, including SEGs like Proofpoint, fail to detect sophisticated attacks because they rely on known threat signatures and patterns. In fact, our recent data shows a 237% increase in advanced attacks bypassing SEGs over the last two years.
Unlike traditional solutions, the Abnormal platform, through its unique API architecture, has access to >10x more behavioral data signals across multiple platforms and applies autonomous AI models to understand human behavior and stop the most advanced attacks that other solutions cannot.
Interested in learning more about Abnormal’s Behavior AI solution? Schedule a demo today!