Email Threat Roundup: 5 Sophisticated Attacks Recently Stopped by Abnormal
As a security solutions provider at the forefront of the attack landscape, Abnormal has the rare opportunity to see firsthand the seemingly infinite ways that email threats are evolving. It seems as if new strategies spring up almost daily—making it increasingly difficult for security leaders to know what to tell their employees to look out for.
To help provide insight into the latest malicious tactics, we’ve begun posting quarterly roundups of some of the most unique and sophisticated email attacks recently detected and stopped by Abnormal. (You can read the first installment here.)
In this second post, we’re examining five more attacks that feature likely AI-generated content, convincing impersonations of some of the biggest global brands, and more.
Attacker Impersonates American Express to Trick Targets into Downloading Malware in Password Reset Scam
Attack Summary
The perpetrator of this malware attack impersonates American Express and emails the target a notification that their password has been changed. The message informs the recipient that if they did not initiate this reset, they should immediately download the attached “encrypted secure document” titled "AmericanExpress_SecureFile[.]html" to restore their account access.
However, the HTML attachment itself is the likely malware carrier: once opened, it can install malicious software that the attacker then uses to compromise the target’s device and/or steal personal information.
Attack Analysis
What makes this malware attack effective is the manufactured sense of urgency and the exploitation of trust in a known brand.
The attacker incorporated multiple elements of American Express’ official branding and set the sender display name to “American Express,” the name most mail clients show in place of the address. They also used the email address “americanexpresssecure@send[.]com,” which at first glance appears genuine because the brand name sits in the local part, even though the actual sending domain, send[.]com, has no connection to American Express. The perpetrator even included American Express’ boilerplate disclaimer that warns recipients about sending private information via digital channels.
Likely AI-Generated Phishing Attack Uses Compromised Email Account to Impersonate Australia and New Zealand Banking Group
Attack Summary
In this likely AI-generated phishing attack, the threat actor pretends to be the Australia and New Zealand Banking Group (ANZ) and attempts to deceive targets with a fraudulent security notice. Claiming that new security measures have been introduced to better protect the account holder's financial information, it directs the recipient to click on a button labeled "Secure Your Account", purportedly to apply these updates.
While the link points to a seemingly innocuous domain, "https://fressveggies[.]com," the page behind it is in fact a phishing site designed to trick the target into providing sensitive data.
Attack Analysis
Unlike the American Express impersonation attack, which seeks to manipulate targets by claiming their account is actively at risk of unauthorized access, this malicious email takes a less urgent approach. The benefit of this strategy is that it may arouse less suspicion in targets, while still compelling them to act relatively quickly since the matter is related to their bank account.
From a technical standpoint, the attacker sends from a real, compromised email account belonging to an employee at an unrelated third party. Because the message leaves that organization’s own mail infrastructure, it typically passes SPF, DKIM and DMARC checks and inherits the sending domain’s reputation, which increases the likelihood of the email being successfully delivered.
Threat Actor Masquerades as Amazon Web Services Offering $300 Credit in Phishing Attack
Attack Summary
The threat actor in this phishing attack poses as Amazon Web Services (AWS) and emails the target regarding a possible credit for their AWS account. The message claims that the recipient may be eligible for a $300 AWS credit and invites them to apply using the embedded link.
However, if the target clicks the "Apply for $300 AWS Credit" button, they will be redirected to a page designed to steal sensitive information, such as login credentials or payment details.
Attack Analysis
To increase the appearance of legitimacy, the perpetrator of this attack sets the sender display name as "Amazon Services" and convincingly incorporates AWS branding into the email content. Additionally, they include real links to Amazon pages alongside the malicious one, which allows the email to bypass the simple link verification checks in traditional security tools that judge a message by the reputation of the domains it links to.
Similar to the American Express impersonation attack, the threat actor also opts to include AWS' boilerplate disclaimer that warns recipients against clicking links in suspicious emails, further enhancing the semblance of authenticity.
Coinbase Impersonator Creates Fake Landing Page in Multi-Step Likely AI-Generated Phishing Attack
Attack Summary
This multi-step, likely AI-generated phishing attack features an impersonation of Coinbase, one of the largest cryptocurrency exchanges in the world. The email explains that, due to suspicious activity, Coinbase is temporarily blocking access to the target's account. To avoid forfeiture of their funds, the recipient is invited to withdraw their tokens using the provided links.
If the target clicks either button labeled “Withdraw All Tokens Now”, they're taken to a landing page resembling Coinbase's wallet dashboard.
In reality, the "dashboard" is a cleverly designed phishing page, crafted to trick the target into entering their cryptocurrency wallet address or Coinbase login credentials. With this information, the attacker can access their real Coinbase account or crypto wallets and fraudulently transfer funds.
Attack Analysis
The malicious email used in this attack is certainly noteworthy, as it believably imitates Coinbase’s official branding, is sent from an address that includes “coinbase-withdrawals”, and also lacks the telltale signs of a phishing email, e.g., misspellings, grammatical errors, and issues with syntax. Additionally, the use of an email address hosted on a well-established domain from a reputable company lets it pass reputation-based checks such as those utilized by legacy solutions, which score the sending domain rather than the mismatch between that domain and the brand the message claims to come from.
But what makes this attack stand out is the impressively designed phishing page that closely resembles Coinbase’s actual website. The level of detail the perpetrators achieved would make it particularly difficult for the average individual to recognize that the page is a counterfeit.
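The three impersonation tactics described in the American Express, AWS and Coinbase analyses above (a brand name in the display name or local part with an unrelated sending domain, genuine brand links mixed in with one phishing link, and an HTML attachment as the delivery vehicle) can be checked mechanically. The script below is an added example written for this page, not Abnormal’s detection logic or any vendor’s code. The brand domain allowlist is an assumption, and every address other than the American Express one quoted above, every link target and every message body is a constructed placeholder rather than an observed value.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist for this example (not authoritative brand data): the
# domains each brand is taken to send from and link to.
BRAND_DOMAINS = {
    "american express": {"americanexpress.com"},
    "amazon": {"amazon.com", "amazonaws.com"},
    "coinbase": {"coinbase.com"},
}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable(host):
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(*texts):
    """Return the first allowlisted brand named anywhere in the given strings."""
    blob = " ".join(texts).lower()
    return next((b for b in BRAND_DOMAINS if b in blob), None)


def brand_indicators(raw):
    """Return (kind, detail) pairs for the brand-impersonation signals in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, host = addr.rpartition("@")
    brand = claimed_brand(display, local, str(msg.get("Subject", "")))
    if brand is None:  # no brand is claimed, so there is nothing to compare against
        return []
    allowed = BRAND_DOMAINS[brand]
    found = []
    # 1. Display name or local part names the brand, but the sending domain is not the brand's.
    if registrable(host) not in allowed:
        found.append(("sender-domain", host))
    # 2. Each link is judged on its own: genuine brand links do not excuse the one that is not.
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in HREF_RE.findall(body.get_content() if body is not None else ""):
        link_host = urlparse(url).hostname or ""
        if registrable(link_host) not in allowed:
            found.append(("link", link_host))
    # 3. An HTML attachment is a delivery vehicle for malware or a locally rendered phishing page.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            found.append(("html-attachment", name))
    return found


# Constructed samples modelled on the attacks described above. Apart from the American
# Express sender address, all addresses, links and bodies are placeholders.
SAMPLE_AMEX = """\
From: "American Express" <americanexpresssecure@send.com>
Subject: Your password has been changed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>If you did not reset your password, open the attached secure document.</body></html>
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="AmericanExpress_SecureFile.html"

<html><body>placeholder attachment body (constructed, no payload)</body></html>
--b1--
"""
SAMPLE_AWS = """\
From: "Amazon Services" <noreply@aws-credit-offers.example>
Subject: You may be eligible for a $300 AWS credit
Content-Type: text/html

<a href="https://aws.amazon.com/free/">AWS Free Tier</a>
<a href="https://aws-credit-offers.example/apply">Apply for $300 AWS Credit</a>
<a href="https://www.amazon.com/help">Help</a>
"""
SAMPLE_COINBASE = """\
From: "Coinbase" <coinbase-withdrawals@reputable-mailhost.example>
Subject: Temporary restriction on your account
Content-Type: text/html

<a href="https://wallet-dashboard.example/withdraw">Withdraw All Tokens Now</a>
"""
SAMPLE_LEGIT = """\
From: "American Express" <alerts@americanexpress.com>
Subject: Your statement is ready
Content-Type: text/html

<a href="https://www.americanexpress.com/">View statement</a>
"""
```

Running `brand_indicators` over the samples flags the AmEx message for its sending domain and HTML attachment, the AWS message for its sending domain and the single non-Amazon link despite the two genuine Amazon links, the Coinbase message for both the domain behind "coinbase-withdrawals" and the dashboard link, and nothing for the legitimate statement. Two caveats follow from the attacks above: in the ANZ case the sender is a genuinely compromised account, so check 1 passes and only the link domain remains as a signal; and real mail routes links through redirectors and shorteners, so a production version must unwrap those and use a proper public-suffix list before comparing domains.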
Likely AI-Generated Vishing Attack Leverages Impersonation of Peacock and Fake Subscription Confirmation
Attack Summary
In this multi-stage vishing attack, the threat actor impersonates the streaming service Peacock and uses likely AI-generated content to send the target a notification that their new monthly subscription will be activated within 24 hours. The message details the automatic renewal of the subscription and prompts the recipient to check an attached invoice for further information.
The goal of the attack is to deceive the target into believing they have an unauthorized pending charge and compel them to call the "customer support service" number on the invoice to cancel the subscription. Should they call, the threat actor will initiate the second stage of the attack, in which the perpetrator will attempt to convince the target to reveal sensitive information or unknowingly download malware.
Attack Analysis
What sets this attack apart is the level of personalization employed by the perpetrator, making it difficult for traditional security solutions and even vigilant individuals to identify it as malicious.
The threat actor incorporated Peacock’s branding into the email and invoice, while also personalizing the subject line and greeting of each email to the individual recipient. They even used the target’s name in the PDF filename and within the content of the bogus invoice, which is an unusual tactic due to the manual effort required to do this for each email.
Get Even More Insight into Emerging Attacks
Just about two years ago, we launched Abnormal Intelligence—a research and data hub focused on providing insight into new and emerging cyber threats. Abnormal Intelligence is the home to our Attack Library, which is a list of some of the most unique and interesting attacks uncovered by Abnormal.
The Attack Library is updated several times a week, so we invite you to visit Abnormal Intelligence regularly to discover new threats, see the latest tactics, and ensure you’re prepared with the information you need to better protect your organization.
To see even more examples of sophisticated email attacks you should be aware of, download 5 Emerging Email Attacks to Watch For in 2024.