Bypassing SEGs Outside of Email: Real-World Examples

See how Abnormal protects your organization from advanced attacks occuring outside your email environment and bypassing your SEG.
March 1, 2023

Throughout this series, we’ve shared various attacks that bypass secure email gateways (SEGs). This week, we will explore a different type of threat in this same vein, but one that lacks any payload. No .exe files or Google Drive links to speak of, just convincing impersonation or social engineering tactics deployed beyond the inbox, targeting SMS, WhatsApp, and even direct phone calls. This increasingly common attack vector is typically a first step that leads to credential theft, account compromise, the installation of malware or integration of malicious applications, and even financial fraud through fraudulent invoices or payment requests—all initiated outside of email.

Let’s dive into a few real-world examples that illustrate how these attacks originate and some of the tactics threat actors employ to convince unsuspecting recipients to respond.

How Threats Initiated Outside of Email Bypass the SEG

The examples below use a mix–or in some cases all three–of the following tactics often seen in attacks that effectively bypass SEG filters: :

  • Abuse of legitimate email accounts (e.g. - Gmail)

  • Abuse of legitimate platforms (e.g. - PayPal)

  • Use of social engineering techniques to elicit user engagement

This first example is an updated version of a common tactic–renewal and service cancellation scams masquerading as legitimate messages from Norton, McAfee, or Geek Squad. In these messages, the recipient is prompted to call a number owned by the threat actor to cancel an automated contract renewal.

Where this differs from previous iterations of this attack strategy is that these messages are using the PayPal domain (or at least a facsimile that seems to be “close enough” to the real thing) to appear as ostensibly legitimate messages.

SEG Bypass1

The email bypasses traditional checks by the SEG because it is sent from PayPal servers and thus, passes SPF and DKIM for the sending domain.

SEG Bypass2

When the recipient calls the number provided to cancel this fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will prompt the victim to establish a remote desktop session under the guise of assisting or showing the victim how to cancel this purchase from their endpoint. If successful, the attacker will install malware without the user ever clicking a malicious link or opening a malicious attachment within an email.

This next example is similarly seeking engagement outside of email through WhatsApp. Instead of prompting the victim to call a number, however, the threat actor is requesting engagement over the WhatsApp platform:

SEG Bypass3

These threat messages typically lead to financial fraud in the form of gift card purchases or fraudulent vendor payments. We have also seen a subset of these engagements leading to the disclosure of personal and corporate information.

How Abnormal Stops Attacks Initiated Outside of Email

Abnormal uses advanced behavioral AI to detect these email-adjacent attacks. With our API architecture, Abnormal is uniquely positioned to ingest tens of thousands of unique signals—establishing a known baseline from which to detect anomalies.

In the cases illustrated above, Abnormal identified a number of anomalies, including unusual sender domains that don’t match with link domains shared in the body of the email, suspicious email body HTML, email signatures associated with known threat actor communications, and content that is often correlated with financial fraud or schemes aimed at stealing personal data.

An overview of the red flags detected in these attacks can be seen in the images below and in the accompanying video.

PayPal Threat Red Flags:

SEG Bypass4

VIP Impersonation + WhatsApp Threat Red Flags:

SEG Bypass5

Overview of both attacks:

Looking Ahead

Join us for the next installation in our series focused on bypassing SEGs, where we will illustrate the steps taken in a real-world invoice fraud attack. We’ll showcase exactly how this type of attack bypassed traditional security defenses and how Abnormal stepped in to detect and remediate.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop advanced threats?

Schedule a Demo
Bypassing SEGs Outside of Email: Real-World Examples

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B 3 21 23 CFO
Bill Losch of Okta discusses the macroeconomic environment and how CISOs can prepare for budget discussions with their CFOs.
Read More
B Business Email Compromise Response
Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Learn how to respond to BEC attacks.
Read More
B 36 M
Vendor email compromise is expensive. See how Abnormal protected our customer from a $36 million invoice fraud attack.
Read More
B Keeping VIP Emails Safe
Learn why executives are popular targets for account takeovers, the consequences of a successful takeover, and how organizations can prevent these attacks.
Read More
B TAG Cyber Future of Cloud Email Security
In the final post of our series with Ed Amoroso, the TAG Cyber CEO discusses some of the defensive and offensive trends for cloud email.
Read More
B SVB Closure Cybersecurity Threats
The Silicon Valley Bank (SVB) closure has created opportunities for threat actors to launch more convincing email attacks. Here's how to lower your risk.
Read More