Bypassing SEGs Outside of Email: Real-World Examples

See how Abnormal protects your organization from advanced attacks occuring outside your email environment and bypassing your SEG.
March 1, 2023

Throughout this series, we’ve shared various attacks that bypass secure email gateways (SEGs). This week, we will explore a different type of threat in this same vein, but one that lacks any payload. No .exe files or Google Drive links to speak of, just convincing impersonation or social engineering tactics deployed beyond the inbox, targeting SMS, WhatsApp, and even direct phone calls. This increasingly common attack vector is typically a first step that leads to credential theft, account compromise, the installation of malware or integration of malicious applications, and even financial fraud through fraudulent invoices or payment requests—all initiated outside of email.

Let’s dive into a few real-world examples that illustrate how these attacks originate and some of the tactics threat actors employ to convince unsuspecting recipients to respond.

How Threats Initiated Outside of Email Bypass the SEG

The examples below use a mix–or in some cases all three–of the following tactics often seen in attacks that effectively bypass SEG filters: :

  • Abuse of legitimate email accounts (e.g. - Gmail)

  • Abuse of legitimate platforms (e.g. - PayPal)

  • Use of social engineering techniques to elicit user engagement

This first example is an updated version of a common tactic–renewal and service cancellation scams masquerading as legitimate messages from Norton, McAfee, or Geek Squad. In these messages, the recipient is prompted to call a number owned by the threat actor to cancel an automated contract renewal.

Where this differs from previous iterations of this attack strategy is that these messages are using the PayPal domain (or at least a facsimile that seems to be “close enough” to the real thing) to appear as ostensibly legitimate messages.

SEG Bypass1

The email bypasses traditional checks by the SEG because it is sent from PayPal servers and thus, passes SPF and DKIM for the sending domain.

SEG Bypass2

When the recipient calls the number provided to cancel this fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will prompt the victim to establish a remote desktop session under the guise of assisting or showing the victim how to cancel this purchase from their endpoint. If successful, the attacker will install malware without the user ever clicking a malicious link or opening a malicious attachment within an email.

This next example is similarly seeking engagement outside of email through WhatsApp. Instead of prompting the victim to call a number, however, the threat actor is requesting engagement over the WhatsApp platform:

SEG Bypass3

These threat messages typically lead to financial fraud in the form of gift card purchases or fraudulent vendor payments. We have also seen a subset of these engagements leading to the disclosure of personal and corporate information.

How Abnormal Stops Attacks Initiated Outside of Email

Abnormal uses advanced behavioral AI to detect these email-adjacent attacks. With our API architecture, Abnormal is uniquely positioned to ingest tens of thousands of unique signals—establishing a known baseline from which to detect anomalies.

In the cases illustrated above, Abnormal identified a number of anomalies, including unusual sender domains that don’t match with link domains shared in the body of the email, suspicious email body HTML, email signatures associated with known threat actor communications, and content that is often correlated with financial fraud or schemes aimed at stealing personal data.

An overview of the red flags detected in these attacks can be seen in the images below and in the accompanying video.

PayPal Threat Red Flags:

SEG Bypass4

VIP Impersonation + WhatsApp Threat Red Flags:

SEG Bypass5

Overview of both attacks:

Looking Ahead

Join us for the next installation in our series focused on bypassing SEGs, where we will illustrate the steps taken in a real-world invoice fraud attack. We’ll showcase exactly how this type of attack bypassed traditional security defenses and how Abnormal stepped in to detect and remediate.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop advanced threats?

Schedule a Demo
Bypassing SEGs Outside of Email: Real-World Examples

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B Health Care
Email attacks like BEC against the healthcare industry are on the rise in 2023. Protect yourself with sophisticated cloud-native email security.
Read More
B AI Series
Discover how Abnormal's advanced AI models are used to detect abnormalities in email behavior and protect organizations from the most sophisticated email attacks.
Read More
B Insights from Clemson University CISO
John Hoyt, CISO at Clemson University, shares his take on the unique cybersecurity challenges of higher education and how Abnormal Security can help.
Read More
B Nigerian Prince
Scams about the Nigerian Prince that promise millions have been around for decades. But they are transitioning, now using ChatGPT and similar tools to seem more convincing.
Read More
B 9 12 23 ATO
Learn why account takeovers are successful, how to detect and remediate them, and how to better protect yourself from cybercriminals in the future.
Read More
B 9 8 23 Incident Response
An effective incident response plan is crucial to minimizing the effects of an email attack and preventing future breaches.
Read More