Bypassing SEGs Outside of Email: Real-World Examples

Throughout this series, we’ve shared various attacks that bypass secure email gateways (SEGs). This week, we will explore a different type of threat in this same vein, but one that lacks any payload. No .exe files or Google Drive links to speak of, just convincing impersonation or social engineering tactics deployed beyond the inbox, targeting SMS, WhatsApp, and even direct phone calls. This increasingly common attack vector is typically a first step that leads to credential theft, account compromise, the installation of malware or integration of malicious applications, and even financial fraud through fraudulent invoices or payment requests—all initiated outside of email.

Let’s dive into a few real-world examples that illustrate how these attacks originate and some of the tactics threat actors employ to convince unsuspecting recipients to respond.

The examples below use a mix–or in some cases all three–of the following tactics often seen in attacks that effectively bypass SEG filters: :

• Abuse of legitimate email accounts (e.g. - Gmail)

• Abuse of legitimate platforms (e.g. - PayPal)

• Use of social engineering techniques to elicit user engagement

This first example is an updated version of a common tactic–renewal and service cancellation scams masquerading as legitimate messages from Norton, McAfee, or Geek Squad. In these messages, the recipient is prompted to call a number owned by the threat actor to cancel an automated contract renewal.

Where this differs from previous iterations of this attack strategy is that these messages are using the PayPal domain (or at least a facsimile that seems to be “close enough” to the real thing) to appear as ostensibly legitimate messages.

The email bypasses traditional checks by the SEG because it is sent from PayPal servers and thus, passes SPF and DKIM for the sending domain.

When the recipient calls the number provided to cancel this fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will prompt the victim to establish a remote desktop session under the guise of assisting or showing the victim how to cancel this purchase from their endpoint. If successful, the attacker will install malware without the user ever clicking a malicious link or opening a malicious attachment within an email.

This next example is similarly seeking engagement outside of email through WhatsApp. Instead of prompting the victim to call a number, however, the threat actor is requesting engagement over the WhatsApp platform:

These threat messages typically lead to financial fraud in the form of gift card purchases or fraudulent vendor payments. We have also seen a subset of these engagements leading to the disclosure of personal and corporate information.

Abnormal uses advanced behavioral AI to detect these email-adjacent attacks. With our API architecture, Abnormal is uniquely positioned to ingest tens of thousands of unique signals—establishing a known baseline from which to detect anomalies indicative of zero-day threats.

In the cases illustrated above, Abnormal identified a number of anomalies, including unusual sender domains that don’t match with link domains shared in the body of the email, suspicious email body HTML, email signatures associated with known threat actor communications, and content that is often correlated with financial fraud or schemes aimed at stealing personal data.

An overview of the red flags detected in these attacks can be seen in the images below and in the accompanying video.

PayPal Threat Red Flags:

VIP Impersonation + WhatsApp Threat Red Flags:

Overview of both attacks:

Join us for the next installation in our series focused on bypassing SEGs, where we will illustrate the steps taken in a real-world invoice fraud attack. We’ll showcase exactly how this type of attack bypassed traditional security defenses and how Abnormal stepped in to detect and remediate.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop advanced threats?