Adaptive Phishing: When Whimsical Fails, Lucid Strikes
Pivoting attack delivery to bypass users and SEGs, leading to ATO.

What is the attack?
Phishing Delivery: Attackers compromised a vendor account to distribute confidential documents via Whimsical, embedding a phishing link mimicking the Office 365 login page. When the recipient couldn’t access the document, they asked the attacker for an alternative method.
Adaptable Tactics: The attacker pivoted to Lucid, another design platform, to re-send the phishing link, making the attack seem more legitimate and increasing the likelihood of engagement.
ATO: Using stolen credentials, the attacker accessed the account from a VPN to evade geolocation-based detection and conducted typical BEC activities.
Why did it get through?
Verified Source: The email was sent from a trusted but compromised vendor domain and passed sender authentication checks.
Trusted Cloud Platform: By hosting the malicious link within Whimsical and Lucid, attackers exploited the platforms' reputation as legitimate tools used widely by design and business teams.
URL Crawling/Analysis Protection: The added CAPTCHA limits automated link crawling and URL analysis, making automated detection more difficult.
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, URLs, and user sign-ins as anomalies that enable the detection of novel attacks.
Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financially themed attack.
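
A simplified illustration of the never-before-seen-URL signal for this case, as an added example (not Abnormal's detection logic and not code from the original report): it baselines link hosts per sender and flags a first-seen design-platform link that arrives with passing sender authentication, plus a pivot to a second platform in the same thread. The platform domain list, the message fields and the sample log are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: platforms whose reputation a hosted link can borrow.
SHARING_PLATFORMS = {"whimsical.com", "lucid.app", "lucidchart.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Crude last-two-labels reduction; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_hosts(body):
    """Registrable hosts of every URL in a message body."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {registrable(h) for h in hosts if h}

def score_messages(messages):
    """Flag messages (in chronological order) whose links break the sender's baseline."""
    seen = defaultdict(set)        # sender -> link hosts observed so far
    thread_new = defaultdict(set)  # (sender, thread) -> first-seen platforms
    findings = []
    for m in messages:
        hosts = link_hosts(m["body"])
        fresh = (hosts - seen[m["sender"]]) & SHARING_PLATFORMS
        reasons = []
        if fresh:
            reasons.append("first-seen platform: " + ", ".join(sorted(fresh)))
            if m["auth_pass"]:  # SPF/DKIM/DMARC pass does not clear a compromised vendor
                reasons.append("sender authentication passed")
            key = (m["sender"], m["thread"])
            if thread_new[key] - fresh:  # an earlier, different platform in this thread
                reasons.append("platform pivot in same thread")
            thread_new[key] |= fresh
        seen[m["sender"]] |= hosts
        if reasons:
            findings.append((m["id"], reasons))
    return findings

# Constructed sample mail log; addresses, paths and thread ids are placeholders.
SAMPLE = [
    {"id": 1, "sender": "ap@vendor.example", "thread": "t0", "auth_pass": True,
     "body": "Invoice portal: https://billing.vendor.example/inv/1001"},
    {"id": 2, "sender": "ap@vendor.example", "thread": "t1", "auth_pass": True,
     "body": "Shared document: https://whimsical.com/constructed-board"},
    {"id": 3, "sender": "ap@vendor.example", "thread": "t1", "auth_pass": True,
     "body": "Try this instead: https://lucid.app/constructed-doc"},
]
```

A first-seen host is only a triage signal: legitimate vendors also start using new tools, so findings like these feed review or scoring rather than automatic blocking.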