chat
expand_more

Email Threat Roundup: 5 Sophisticated Attacks Recently Stopped by Abnormal

In the second installment of our quarterly look-back at malicious emails, we examine 5 more recent noteworthy attacks detected and stopped by Abnormal.
June 27, 2024

As a security solutions provider at the forefront of the attack landscape, Abnormal has the rare opportunity to see firsthand the seemingly infinite ways that email threats are evolving. It seems as if new strategies spring up almost daily—making it increasingly difficult for security leaders to know what to tell their employees to look out for.

To help provide insight into the latest malicious tactics, we’ve begun posting quarterly roundups of some of the most unique and sophisticated email attacks recently detected and stopped by Abnormal. (You can read the first installment here.)

In this second post, we’re examining five more attacks that feature likely AI-generated content, convincing impersonations of some of the biggest global brands, and more.

Attacker Impersonates American Express to Trick Targets into Downloading Malware in Password Reset Scam

Attack Summary

The perpetrator of this malware attack impersonates American Express and emails the target a notification that their password has been changed. The message informs the recipient that if they did not initiate this reset, they should immediately download the attached “encrypted secure document” titled "AmericanExpress_SecureFile[.]html" to restore their account access.

However, this HTML attachment likely contains malware designed to install malicious software, which the attacker can then utilize to compromise the target’s device and/or steal personal information.

Q2 2024 Attacks Amex Impersonation Email F

Malware attack featuring impersonation of American Express

Attack Analysis

What makes this malware attack effective is the manufactured sense of urgency and the exploitation of trust in a known brand.

The attacker incorporated multiple elements of American Express’ official branding and set the sender display name to “American Express.” They also used the email address “americanexpresssecure@send[.]com,” which, at first glance, appears genuine. The perpetrator even included American Express’ boilerplate disclaimer that warns recipients about sending private information via digital channels.

Likely AI-Generated Phishing Attack Uses Compromised Email Account to Impersonate Australia and New Zealand Banking Group

Attack Summary

In this likely AI-generated phishing attack, the threat actor pretends to be the Australia and New Zealand Banking Group (ANZ) and attempts to deceive targets with a fraudulent security notice. Claiming that new security measures have been introduced to better protect the account holder's financial information, it directs the recipient to click on a button labeled "Secure Your Account", purportedly to apply these updates.

While the link is hosted on a seemingly innocuous domain, "https://fressveggies[.]com," it is, in fact, a phishing site designed to trick the target into providing sensitive data.

Q2 2024 Attacks ANZ Impersonation Email F

Attempted credential theft in which attacker posed as Australia and New Zealand Banking Group (ANZ)

Attack Analysis

Unlike the American Express impersonation attack which seeks to manipulate targets by claiming their account is actively at risk of unauthorized access, this malicious email takes a less urgent approach. The benefit of this strategy is that it may arouse less suspicion in targets, while still compelling them to act relatively quickly since the matter is related to their bank account.

From a technical standpoint, the attacker uses a real, compromised email address belonging to an employee at an unrelated third party to increase the likelihood of the email being successfully delivered.

Threat Actor Masquerades as Amazon Web Services Offering $300 Credit in Phishing Attack

Attack Summary

The threat actor in this phishing attack poses as Amazon Web Services (AWS) and emails the target regarding a possible credit for their AWS account. The message claims that the recipient may be eligible for a $300 AWS credit and invites them to apply using the embedded link.

However, if the target clicks the "Apply for $300 AWS Credit" button, they will be redirected to a page designed to steal sensitive information, such as login credentials or payment details.

Q2 2024 Attacks AWS Impersonation Email F

Credential phishing attack featuring impersonation of Amazon Web Services (AWS)

Attack Analysis

To increase the appearance of legitimacy, the perpetrator of this attack sets the sender display name as "Amazon Services" and convincingly incorporates AWS branding into the email content. Additionally, they include real links to Amazon pages, which allows the email to bypass simple link verification checks utilized by traditional security tools.

Similar to the American Express impersonation attack, the threat actor also opts to include AWS' boilerplate disclaimer that warns recipients against clicking links in suspicious emails, further enhancing the semblance of authenticity.

Coinbase Impersonator Creates Fake Landing Page in Multi-Step Likely AI-Generated Phishing Attack

Attack Summary

This multi-step, likely AI-generated phishing attack features an impersonation of Coinbase, one of the largest cryptocurrency exchanges in the world. The email explains that, due to suspicious activity, Coinbase is temporarily blocking access to the target's account. To avoid forfeiture of their funds, the recipient is invited to withdraw their tokens using the provided links.

If the target clicks either button labeled “Withdraw All Tokens Now”, they're taken to a landing page resembling Coinbase's wallet dashboard.

Q2 2024 Attacks Coinbase Impersonation Email F

Malicious email impersonating Coinbase that contains likely AI-generated content

In reality, the "dashboard" is a cleverly designed phishing page, crafted to trick the target into entering their cryptocurrency wallet address or Coinbase login credentials. With this information, the attacker can access their real Coinbase account or crypto wallets and fraudulently transfer funds.

Q2 2024 Attacks Coinbase Impersonation Phishing Page F

Phishing page designed to mimic legitimate Coinbase dashboard

Attack Analysis

The malicious email used in this attack is certainly noteworthy, as it believably imitates Coinbase’s official branding, is sent from an address that includes “coinbase-withdrawals”, and also lacks the telltale signs of a phishing email—e.g., misspellings, grammatical errors, and issues with syntax. Additionally, the use of an email address hosted on a well-established domain from a reputable company enables it to pass several simple security checks, such as those utilized by legacy solutions.

But what makes this attack stand out is the impressively designed phishing page that closely resembles Coinbase’s actual website. The level of detail the perpetrators achieved would make it particularly difficult for the average individual to recognize that the page is a counterfeit.

Likely AI-Generated Vishing Attack Leverages Impersonation of Peacock and Fake Subscription Confirmation

Attack Summary

In this multi-stage vishing attack, the threat actor impersonates the streaming service Peacock and uses likely AI-generated content to send the target a notification that their new monthly subscription will be activated within 24 hours. The message details the automatic renewal of the subscription and prompts the recipient to check an attached invoice for further information.

Q2 2024 Attacks Peacock Impersonation Email F

Fake subscription confirmation email purportedly sent from Peacock

The goal of the attack is to deceive the target into believing they have an unauthorized pending charge and compel them to call the "customer support service" number on the invoice to cancel the subscription. Should they call, the threat actor will initiate the second stage of the attack, in which the perpetrator will attempt to convince the target to reveal sensitive information or unknowingly download malware.

Q2 2024 Attacks Peacock Impersonation Invoice F

Fraudulent invoice personalized with target’s name and email address

Attack Analysis

What sets this attack apart is the level of personalization employed by the perpetrator, making it difficult for traditional security solutions and even vigilant individuals to identify it as malicious.

The threat actor incorporated Peacock’s branding into the email and invoice, while also personalizing the subject line and greeting of each email to the individual recipient. They even used the target’s name in the PDF filename and within the content of the bogus invoice, which is an unusual tactic due to the manual effort required to do this for each email.

Get Even More Insight into Emerging Attacks

Just about two years ago, we launched Abnormal Intelligence—a research and data hub focused on providing insight into new and emerging cyber threats. Abnormal Intelligence is the home to our Attack Library, which is a list of some of the most unique and interesting attacks uncovered by Abnormal.

The Attack Library is updated several times a week, so we invite you to visit Abnormal Intelligence regularly to discover new threats, see the latest tactics, and ensure you’re prepared with the information you need to better protect your organization.

To see even more examples of sophisticated email attacks you should be aware of, download 5 Emerging Email Attacks to Watch For in 2024.

Get the Report
Email Threat Roundup: 5 Sophisticated Attacks Recently Stopped by Abnormal

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More