chat
expand_more

Bypassing SEGs Outside of Email: Real-World Examples

See how Abnormal protects your organization from advanced attacks occuring outside your email environment and bypassing your SEG.
March 1, 2023

Throughout this series, we’ve shared various attacks that bypass secure email gateways (SEGs). This week, we will explore a different type of threat in this same vein, but one that lacks any payload. No .exe files or Google Drive links to speak of, just convincing impersonation or social engineering tactics deployed beyond the inbox, targeting SMS, WhatsApp, and even direct phone calls. This increasingly common attack vector is typically a first step that leads to credential theft, account compromise, the installation of malware or integration of malicious applications, and even financial fraud through fraudulent invoices or payment requests—all initiated outside of email.

Let’s dive into a few real-world examples that illustrate how these attacks originate and some of the tactics threat actors employ to convince unsuspecting recipients to respond.

How Threats Initiated Outside of Email Bypass the SEG

The examples below use a mix–or in some cases all three–of the following tactics often seen in attacks that effectively bypass SEG filters: :

  • Abuse of legitimate email accounts (e.g. - Gmail)

  • Abuse of legitimate platforms (e.g. - PayPal)

  • Use of social engineering techniques to elicit user engagement

This first example is an updated version of a common tactic–renewal and service cancellation scams masquerading as legitimate messages from Norton, McAfee, or Geek Squad. In these messages, the recipient is prompted to call a number owned by the threat actor to cancel an automated contract renewal.

Where this differs from previous iterations of this attack strategy is that these messages are using the PayPal domain (or at least a facsimile that seems to be “close enough” to the real thing) to appear as ostensibly legitimate messages.

SEG Bypass1

The email bypasses traditional checks by the SEG because it is sent from PayPal servers and thus, passes SPF and DKIM for the sending domain.

SEG Bypass2

When the recipient calls the number provided to cancel this fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will prompt the victim to establish a remote desktop session under the guise of assisting or showing the victim how to cancel this purchase from their endpoint. If successful, the attacker will install malware without the user ever clicking a malicious link or opening a malicious attachment within an email.

This next example is similarly seeking engagement outside of email through WhatsApp. Instead of prompting the victim to call a number, however, the threat actor is requesting engagement over the WhatsApp platform:

SEG Bypass3

These threat messages typically lead to financial fraud in the form of gift card purchases or fraudulent vendor payments. We have also seen a subset of these engagements leading to the disclosure of personal and corporate information.

How Abnormal Stops Attacks Initiated Outside of Email

Abnormal uses advanced behavioral AI to detect these email-adjacent attacks. With our API architecture, Abnormal is uniquely positioned to ingest tens of thousands of unique signals—establishing a known baseline from which to detect anomalies indicative of zero-day threats.

In the cases illustrated above, Abnormal identified a number of anomalies, including unusual sender domains that don’t match with link domains shared in the body of the email, suspicious email body HTML, email signatures associated with known threat actor communications, and content that is often correlated with financial fraud or schemes aimed at stealing personal data.

An overview of the red flags detected in these attacks can be seen in the images below and in the accompanying video.

PayPal Threat Red Flags:

SEG Bypass4

VIP Impersonation + WhatsApp Threat Red Flags:

SEG Bypass5

Overview of both attacks:

Looking Ahead

Join us for the next installation in our series focused on bypassing SEGs, where we will illustrate the steps taken in a real-world invoice fraud attack. We’ll showcase exactly how this type of attack bypassed traditional security defenses and how Abnormal stepped in to detect and remediate.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop advanced threats?

Schedule a Demo
Bypassing SEGs Outside of Email: Real-World Examples

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B F500 Packaging Solutions Provider Proofpoint Replacement Blog
A Fortune 500 packaging leader boosted threat detection 20x and saved 6,500+ hours annually by replacing its Proofpoint SEG with Abnormal’s AI-powered solution.
Read More
B E Rate
Discover how AI-powered email protection ensures a secure digital learning environment.
Read More
B Healthcare Industry Attack Trends Blog
Targeted attacks on the healthcare industry are on the rise. Explore the latest threat trends and learn how to protect your organization.
Read More
B URL
Explore how attackers exploit rewritten URLs to gain unauthorized access, highlighting traditional security vulnerabilities and the need for modern tools.
Read More
B SOC Experts
Explore insights from SOC leaders on the evolving landscape of social engineering threats, highlighting human vulnerabilities and strategies to enhance cybersecurity.
Read More
B Cybersecurity Awareness Month Engage Educate Empower
Happy Cybersecurity Awareness Month! Make sure your workforce is prepared to combat emerging threats with these 5 tips.
Read More