chat
expand_more

The Most Interesting Email Attacks We've Caught in 2024 (So Far)

Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
March 27, 2024

Every day the Abnormal platform detects and stops innumerable email attacks across our more than 2,000 customers. These malicious messages run the gamut from run-of-the-mill to staggeringly sophisticated, and it feels like the ones that fall into that latter category grow increasingly more impressive all the time.

To illustrate just how complex email threats have become in recent years, we’ve curated a list of five of the most interesting email attacks we’ve caught during the last few months.

Capital One Impersonator Creates Authentic-Looking Landing Page in Credential Phishing Attack

In this credential phishing attack, the threat actor attempted to take advantage of the fear related to the cyberattack that targeted Capital One customers in 2023. After spoofing an email account on the domain “idbuffet[.]com”, the attacker sent the target a notification that a hold had been placed on their bank account. To remove the hold, the recipient must review their account using the link embedded in the email. However, if the target clicked on the email, they were redirected to a phishing page.

Capital One Impersonator Email

The perpetrator of this attack incorporated Capital One branding into every aspect of the credential phishing attempt. At a basic level, they changed the sender display name to “Capital One” and included “Capital One” in the subject line. But what made the attack impressive was the mimicry of the Capital One branding in the email itself and, in particular, the phishing page, which was nearly indistinguishable from the real Capital One login page.

Capital One Impersonator Phishing Page

Malware Attack Features Impersonation of Attorney and Malicious Attachment Disguised as Subpoena

In this malware attack, the threat actor impersonated an attorney and sent the target a message regarding an ongoing court case. The only body content in the email was a short message requesting that the recipient view the attached document—purportedly a subpoena for documents. Unfortunately, the attachment was actually a malicious script that, if opened, would automatically download on the target’s computer and infect it with malware.

Malware Attack Impersonation Attorney Email

To increase the appearance of legitimacy, the attacker impersonated a real, practicing attorney at a Chicago-based firm that works with State Farm Insurance Companies. They also included the real email signature of the impersonated lawyer and used a sender display name of “Blake Jones” in an attempt to appear more authentic. Additionally, the threat actor spoofed the domain “gimnasiokaipore[.]com”, a legitimate domain that is nearly four years old, increasing the likelihood of the message bypassing legacy email security solutions.

Attacker Impersonates PayPal and Uses Spoofed Email on Legitimate Domain to Attempt Credential Theft

The threat actor in this credential phishing attack posed as PayPal and informed the target that due to a lack of response to a prior email regarding suspicious activity, their account had been limited. Included in the message were two links that the recipient could purportedly use to access the PayPal Resolution Center to fix the issue. But if the target clicked on either link and entered their login credentials, they were stolen by the attacker.

Pay Pal Impersonator Email

To bolster credibility, the threat actor included the PayPal logo and attempted to mirror official communications from PayPal. The attacker also created an Outlook account with the username “service.epaiypal” and set the sender display name as “Service@intl[.]paypal[.]com”. Many mobile email clients do not show full email headers, which means if the target viewed the email on their mobile device, they only saw the misleading sender display name. Additionally, using an email address hosted on a legitimate domain reduced the likelihood of the message being flagged as suspicious.

Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud

The threat actor in this business email compromise attack hijacked an email thread between a vendor and a customer regarding an invoice payment. After inserting themselves into the conversation, the attacker first inquired about the date of the pending payment and then claimed the vendor’s usual bank account could not currently accept deposits. Once the target replied, the threat actor sent a nearly $900,000 fraudulent invoice along with the banking details for an alternate account to which the attacker requested the payment be sent. However, if the target transferred any funds to this new account, they would be stolen by the threat actor.

Compromised Vendor Payment Fraud Email

To deceive the target, the attacker utilized a look-alike domain that was remarkably similar to the vendor’s legitimate domain and even changed the addresses of the other parties from the impersonated company who were cc’d on the email to the look-alike domain. The threat actor also used a doctored version of a real invoice from the impersonated company to increase credibility and took the time to attach a Microsoft Excel spreadsheet with comprehensive wire transfer instructions.

Vendor Impersonation Attack Utilizes Salesforce Link in Attempt to Obtain Sensitive Information

In this credential phishing attack, the threat actor used a compromised email account to send a malicious file intended to steal sensitive information. After compromising the account of the Director of Operations at a contracting and construction service, the attacker sent the target an email with a Salesforce link embedded in the message, claiming it was a link to shared documents. But if the recipient clicked on the embedded link, an HTML file that is designed to steal sensitive information, including login credentials, would be automatically downloaded.

Vendor Impersonation Attack Salesforce Link Email

The attacker most likely registered for a free trial of Salesforce, which allowed them to access the platform and create the link. And because the attacker used a legitimate email account that had been compromised, the target would have no reason to believe the sender was anyone other than who they claimed to be. The combination of genuine Salesforce links and the real email account increases the likelihood the target will believe the email and its contents are safe and click on the malicious link.

Get Even More Insight into Emerging Attacks

A little over 18 months ago, we launched Abnormal Intelligence—a research and data hub focused on providing insight into new and emerging cyber threats. Abnormal Intelligence is the home to our Attack Library, which is a list of some of the most unique and interesting attacks uncovered by Abnormal.

The Attack Library is updated several times a week, so we invite you to visit Abnormal Intelligence regularly to discover new threats, see the latest tactics, and ensure you’re prepared with the information you need to better protect your organization.

The Most Interesting Email Attacks We've Caught in 2024 (So Far)

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

Social Images for next Cyber Savvy Blog
Explore how Alex Green, the CISO of Delta Dental, safeguards over 80 million customers against modern cyber threats, and gain valuable insights into the cybersecurity landscape.
Read More
B Images for EDB Blog from Sanjay
Abnormal is excited to announce the establishment of a strategic partnership with the Singapore Economic Development Board (EDB).
Read More
B Automotive Data Blog
Research reveals the automotive industry has become a popular target for business email compromise and vendor email compromise attacks. Learn why.
Read More
B QR Code Phishing Blog
QR code phishing is the newest iteration of phishing. Learn about the latest malicious initiative designed to evade organizational security measures and manipulate targets.
Read More
B Integrations
Discover how Abnormal's innovative platform integrations are providing customers with enhanced threat detection, efficient incident response, and more.
Read More
B Threat Hijacking Multi Persona Attacks Blog
Discover how threat actors are creating more sophisticated attacks utilizing lookalike domains and new personas, and learn how Abnormal can detect these attacks.
Read More