Beyond Traditional Defenses: Abnormal Security Detects Advanced Phishing Attack Missed by Proofpoint + DarkTrace

Discover how Abnormal Security detected a sophisticated phishing attack that evaded both Proofpoint and DarkTrace, and learn how it outperforms traditional solutions in combating modern email threats.
July 26, 2024

Threat actors become more sophisticated every day, sending phishing attacks that leverage legitimate services and bypass conventional defenses with alarming ease. This growing sophistication was recently highlighted by an attack that evaded both Proofpoint and DarkTrace, but was detected by Abnormal Security.

Here, we explore the details of that attack and showcase how Abnormal is equipped to protect organizations in the face of modern email threats that are outpacing traditional solutions.

Background

The targeted organization was a long-time Proofpoint customer that is currently in the midst of transitioning to a more robust security framework that includes Microsoft and Abnormal Security. Abnormal's system—which was integrated in read-only mode during the proof-of-value (POV) process and sits downstream of Proofpoint in the mail flow—identified a sophisticated phishing email that had eluded the existing secure email gateway (SEG). Unlike a SEG, Abnormal harnesses the power of behavioral AI to detect advanced attacks.


In this attack, the phishing email was disguised as a legitimate Microsoft informational alert, informing the recipient that an email containing a malicious URL was removed. The sender details and email payload, however, revealed a more complex story.

Analyzing the Attack

The initial email was designed to look like a Microsoft informational alert, suggesting that a separate email with a malicious URL was removed post-delivery:

[Screenshot: the phishing email, styled as a Microsoft informational alert]

Sender Authentication: The email passed SPF, DKIM, and DMARC checks, suggesting it originated from a legitimate domain, but this domain was not Microsoft. The original sender of the email was a seemingly compromised DarkTrace customer, evidenced by the use of DarkTrace URL rewriting as part of the initial phishing path (more on this later).

[Screenshot: sender authentication results for the phishing email]

Email Payload: The email contained a DarkTrace-rewritten URL that eventually resolved to a legitimate-looking DocuSign page. The victim was then redirected to an OAuth app install page hidden behind a Cloudflare-protected CAPTCHA, aimed at installing an OAuth application to achieve persistence, rather than traditional credential theft.

[Screenshots: the DocuSign-themed landing page and the OAuth application install page behind the Cloudflare CAPTCHA]

OAuth abuse (consent phishing) gives threat actors persistence in an M365 account that survives password resets, because the attacker retains full OAuth access to the account through the consented application.

How Abnormal Detected the Attack

Abnormal's advanced AI platform captures thousands of unique signals about employee behavior and vendor communication patterns that attackers cannot obtain from public information. By training AI models tailored to each organization, it effectively detects anomalous activities among internal users and external partners.

In this attack, the key anomalies flagged by Abnormal's human behavior AI include:

  • The sender had no historical communication with the recipient.

  • The sending domain did not match the Microsoft branding used in the email.

  • The payload URL and sending domain did not match Microsoft's domains.

  • The email body contained invisible characters, atypical for such notifications.

Identifying these anomalies, along with others, against a backdrop of 40,000+ behavioral signals across multiple platforms, allowed Abnormal to detect this message. Due to our unique architecture, we only analyze messages that have been allowed by upstream email security providers.
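The four anomalies listed above are simple enough to check individually. The following Python is an added example (not Abnormal's code or any part of its platform) that runs those checks over a constructed message: a sender with no prior communication history, Microsoft branding from a non-Microsoft domain, a payload URL on a non-Microsoft host, and zero-width characters hidden in the body. The brand-to-domain map, the history set and the sample message are all assumptions for illustration; a real deployment keeps a much larger curated list per brand and derives history from actual mail flow. Note that the brand check strips the invisible characters before matching, since a zero-width space inside "Microsoft" is exactly the kind of trick meant to defeat keyword matching.

```python
import re
from urllib.parse import urlparse

# Zero-width and formatting code points that render as nothing in most mail
# clients but break naive keyword filters. U+00AD is the soft hyphen.
INVISIBLE_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Assumption: a deliberately small brand-to-domain map for the example.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}
BRAND_KEYWORDS = {
    "microsoft": re.compile(r"\b(microsoft|office ?365|m365)\b", re.IGNORECASE),
}


def strip_invisible(text):
    return "".join(ch for ch in text if ch not in INVISIBLE_CHARS)


def count_invisible(text):
    return sum(1 for ch in text if ch in INVISIBLE_CHARS)


def domain_of_address(addr):
    return addr.rsplit("@", 1)[-1].lower()


def domain_matches(domain, allowed):
    # Exact match or a subdomain of an allowed apex (security.microsoft.com).
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def claimed_brands(text):
    # Remove hidden characters first so "Micro\u200bsoft" still reads as Microsoft.
    cleaned = strip_invisible(text)
    return {b for b, rx in BRAND_KEYWORDS.items() if rx.search(cleaned)}


def analyze(msg, history):
    """Return a list of (anomaly, detail) tuples for a message dict.

    msg keys: from, to, subject, body, urls.
    history: set of (sender_domain, recipient) pairs seen in prior legitimate mail.
    """
    anomalies = []
    sender_domain = domain_of_address(msg["from"])
    recipient = msg["to"].lower()

    if (sender_domain, recipient) not in history:
        anomalies.append(("no_prior_communication", sender_domain))

    for brand in sorted(claimed_brands(msg["subject"] + " " + msg["body"])):
        allowed = BRAND_DOMAINS[brand]
        if not domain_matches(sender_domain, allowed):
            anomalies.append(("sender_brand_mismatch", f"{brand} branding from {sender_domain}"))
        for url in msg["urls"]:
            host = (urlparse(url).hostname or "").lower()
            if not domain_matches(host, allowed):
                anomalies.append(("url_brand_mismatch", f"{brand} branding links to {host}"))

    hidden = count_invisible(msg["body"])
    if hidden:
        anomalies.append(("invisible_characters", f"{hidden} hidden code points"))
    return anomalies


# Constructed sample modelled on the alert described in the post; every domain
# here is a placeholder, not one from the actual incident.
SAMPLE_MESSAGE = {
    "from": "alerts@compromised-partner.example",
    "to": "employee@victim.example",
    "subject": "Microsoft 365 Security: a message was removed",
    "body": ("A message containing a malicious URL was removed from your mailbox. "
             "Review it in the Micro\u200bsoft\u200b Defender portal."),
    "urls": ["https://url-rewriter.example/redirect?u=abc123"],
}
SAMPLE_HISTORY = {("trusted-vendor.example", "employee@victim.example")}

if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_MESSAGE, SAMPLE_HISTORY):
        print(f"{name}: {detail}")
```

Each check on its own is weak evidence; a first-time sender is ordinary for legitimate mail, and brand keywords appear in plenty of benign messages. Their value comes from combination with the sender history, which is why a per-organization behavioral baseline matters more than any single rule.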

Here you can see the Proofpoint and Microsoft detection headers:

x-proofpoint-spam-details:

Rule: inbound_notspam
Suspectscore: 0
Lowpriorittyscore: 0
Adultscore: 0
Bulkscore: 0
Phishscore: 0
Impostorscore: 0
Clxscore: 65
Spamscore: 0
Unknownsenderscore: 20

SCL: 1 (Skiplisting/Enhanced Filtering Enabled)
CAT: NONE
SFV:NSPM
PTR: ErrorRetry
BCL: 0
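These headers are what a downstream layer has to work with when deciding how much to trust the upstream verdict. The following Python is an added example, not from the post or from any vendor, that parses both headers from the layout in which they appear in a raw message and summarizes the verdicts. The header values are constructed to mirror the numbers quoted above; the wire layouts (space-separated key=value pairs for x-proofpoint-spam-details, semicolon-separated KEY:VALUE pairs for Microsoft's X-Forefront-Antispam-Report) and the placeholder IP and country are assumptions for the example.

```python
# Constructed samples: the scores mirror those quoted in the post, the other
# fields are placeholders. The layouts are assumed, not copied from a real message.
PROOFPOINT_SPAM_DETAILS = (
    "rule=inbound_notspam policy=inbound score=0 suspectscore=0 lowpriorityscore=0 "
    "adultscore=0 bulkscore=0 phishscore=0 impostorscore=0 clxscore=65 spamscore=0 "
    "unknownsenderscore=20"
)
FOREFRONT_ANTISPAM_REPORT = (
    "CIP:192.0.2.10;CTRY:XX;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;"
    "PTR:ErrorRetry;CAT:NONE;BCL:0;"
)


def _coerce(value):
    # Numeric scores become ints; everything else stays a string.
    return int(value) if value.lstrip("-").isdigit() else value


def parse_proofpoint(value):
    """Parse 'key=value key=value ...' into a dict with lowercase keys."""
    out = {}
    for token in value.split():
        key, _, val = token.partition("=")
        out[key.lower()] = _coerce(val)
    return out


def parse_forefront(value):
    """Parse 'KEY:VALUE;KEY:VALUE;...' into a dict with uppercase keys."""
    out = {}
    for token in value.split(";"):
        if not token.strip():
            continue
        key, _, val = token.partition(":")
        out[key.strip().upper()] = _coerce(val.strip())
    return out


def proofpoint_verdict(pp):
    """Clean if the matched rule is a notspam rule and phish/spam scores are zero.

    Also return every non-zero score so an analyst can see what the gateway
    did notice (here: clxscore and unknownsenderscore) without acting on it.
    """
    clean = (pp.get("rule", "").endswith("notspam")
             and pp.get("phishscore", 0) == 0
             and pp.get("spamscore", 0) == 0)
    elevated = {k: v for k, v in pp.items()
                if k.endswith("score") and isinstance(v, int) and v > 0}
    return clean, elevated


def microsoft_verdict(ff):
    """Clean if SCL is at most 1 and no threat category was assigned.

    SCL -1 means filtering was skipped, 0-1 not spam, 5-6 spam, 9 high-confidence spam.
    """
    return ff.get("SCL", -1) <= 1 and ff.get("CAT") == "NONE"


def triage(pp_header, ff_header):
    pp = parse_proofpoint(pp_header)
    ff = parse_forefront(ff_header)
    pp_clean, elevated = proofpoint_verdict(pp)
    ms_clean = microsoft_verdict(ff)
    return {
        "proofpoint_clean": pp_clean,
        "microsoft_clean": ms_clean,
        "elevated_scores": elevated,
        "skiplisted": ff.get("SCL") == -1,
        # Both layers passed it, so only downstream behavioral analysis remains.
        "reached_inbox_unflagged": pp_clean and ms_clean,
    }


if __name__ == "__main__":
    for key, val in triage(PROOFPOINT_SPAM_DETAILS, FOREFRONT_ANTISPAM_REPORT).items():
        print(f"{key}: {val}")
```

The two non-zero Proofpoint scores are worth a second look: unknownsenderscore is the gateway's own signal that this sender is unfamiliar, which is the same observation as the "no historical communication" anomaly above, but on its own it did not move the verdict. A downstream layer that reads these headers can treat an unflagged message with elevated unknown-sender and clx scores as a reason to weigh its own behavioral signals more heavily.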

Broader Implications

This attack is noteworthy because:

  • DarkTrace's URL rewriting infrastructure was exploited to obscure the phishing payload.

  • This technique is part of a broader trend where legitimate services are abused to facilitate phishing attacks.

  • Similar abuses have been observed with URL rewriting services from Inky, VIPRE, and Hornet Security.

Like many other providers, Proofpoint has a post-remediation solution called TRAP, which is responsible for pulling messages that Proofpoint’s threat intelligence later finds to be malicious. The problem with this solution is that it still relies on threat intelligence updates which are inherently reactive and delayed. This attack was still in the end-user's inbox three hours after it was received, giving the end-user plenty of time to engage with the malicious message and malicious payload.

The Importance of Human Behavior AI Detection

Traditional email security solutions, including SEGs like Proofpoint, fail to detect sophisticated attacks due to their reliance on known threat signatures and patterns. In fact, our recent data shows a 237% increase in advanced attacks bypassing SEGs in the last two years.

Unlike traditional solutions, the Abnormal platform, through its unique API architecture, has access to more than 10x the behavioral data signals across multiple platforms and applies autonomous AI models to understand human behavior and stop the most advanced attacks that other solutions cannot.

Interested in learning more about Abnormal’s Behavior AI solution? Schedule a demo today!
