Bypassing SEGs Outside of Email: Real-World Examples

See how Abnormal protects your organization from advanced attacks occuring outside your email environment and bypassing your SEG.
March 1, 2023

Throughout this series, we’ve shared various attacks that bypass secure email gateways (SEGs). This week, we will explore a different type of threat in this same vein, but one that lacks any payload. No .exe files or Google Drive links to speak of, just convincing impersonation or social engineering tactics deployed beyond the inbox, targeting SMS, WhatsApp, and even direct phone calls. This increasingly common attack vector is typically a first step that leads to credential theft, account compromise, the installation of malware or integration of malicious applications, and even financial fraud through fraudulent invoices or payment requests—all initiated outside of email.

Let’s dive into a few real-world examples that illustrate how these attacks originate and some of the tactics threat actors employ to convince unsuspecting recipients to respond.

How Threats Initiated Outside of Email Bypass the SEG

The examples below use a mix–or in some cases all three–of the following tactics often seen in attacks that effectively bypass SEG filters: :

  • Abuse of legitimate email accounts (e.g. - Gmail)

  • Abuse of legitimate platforms (e.g. - PayPal)

  • Use of social engineering techniques to elicit user engagement

This first example is an updated version of a common tactic–renewal and service cancellation scams masquerading as legitimate messages from Norton, McAfee, or Geek Squad. In these messages, the recipient is prompted to call a number owned by the threat actor to cancel an automated contract renewal.

Where this differs from previous iterations of this attack strategy is that these messages are using the PayPal domain (or at least a facsimile that seems to be “close enough” to the real thing) to appear as ostensibly legitimate messages.

SEG Bypass1

The email bypasses traditional checks by the SEG because it is sent from PayPal servers and thus, passes SPF and DKIM for the sending domain.

SEG Bypass2

When the recipient calls the number provided to cancel this fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will prompt the victim to establish a remote desktop session under the guise of assisting or showing the victim how to cancel this purchase from their endpoint. If successful, the attacker will install malware without the user ever clicking a malicious link or opening a malicious attachment within an email.

This next example is similarly seeking engagement outside of email through WhatsApp. Instead of prompting the victim to call a number, however, the threat actor is requesting engagement over the WhatsApp platform:

SEG Bypass3

These threat messages typically lead to financial fraud in the form of gift card purchases or fraudulent vendor payments. We have also seen a subset of these engagements leading to the disclosure of personal and corporate information.

How Abnormal Stops Attacks Initiated Outside of Email

Abnormal uses advanced behavioral AI to detect these email-adjacent attacks. With our API architecture, Abnormal is uniquely positioned to ingest tens of thousands of unique signals—establishing a known baseline from which to detect anomalies indicative of zero-day threats.

In the cases illustrated above, Abnormal identified a number of anomalies, including unusual sender domains that don’t match with link domains shared in the body of the email, suspicious email body HTML, email signatures associated with known threat actor communications, and content that is often correlated with financial fraud or schemes aimed at stealing personal data.

An overview of the red flags detected in these attacks can be seen in the images below and in the accompanying video.

PayPal Threat Red Flags:

SEG Bypass4

VIP Impersonation + WhatsApp Threat Red Flags:

SEG Bypass5

Overview of both attacks:

Looking Ahead

Join us for the next installation in our series focused on bypassing SEGs, where we will illustrate the steps taken in a real-world invoice fraud attack. We’ll showcase exactly how this type of attack bypassed traditional security defenses and how Abnormal stepped in to detect and remediate.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop advanced threats?

Schedule a Demo
Bypassing SEGs Outside of Email: Real-World Examples

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Complex Case of Account Compromise Blog
Discover how Abnormal helped one organization detect the sophisticated tactics an attacker used to compromise an employee's email account.
Read More
B Cross Platform Account Takeover
Discover the dangers of cross-platform account takeover, the challenges of detecting this attack, and how to implement proactive protection against ATO.
Read More
B 5 17 24 Legal
Learn how cybercriminals use superficial disclaimers to deceive others while facilitating illegal activity on cybercrime forums.
Read More
B Cybersecurity Influencers Blog 2024
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 15 innovative and influential thought leaders on social media.
Read More
B 5 13 24 Docusign
Cybercriminals are abusing Docusign by selling customizable phishing templates on cybercrime forums, allowing attackers to steal credentials for phishing and business email compromise (BEC) scams.
Read More
Abnormal employees honored as CRN 2024 Women of the Channel for their influential leadership in the tech industry.
Read More