Use Case: Credential Phishing

Discover how Abnormal protects your users from phishing links that aim to steal account credentials.

Watch the video to see a real credential phishing attack detected by Abnormal.

Video Transcript

Let's take a look at an example that we, and likely you, are seeing quite frequently: credential phishing attacks. As a reminder, all the attacks that you see within our environment are real attacks with the customer data anonymized.

In this attack example, we see an email that looks to be coming from Zoom, stating to our recipient that they've missed a scheduled Zoom meeting. For their convenience, there is a quick link for them to click on to join that meeting that's in progress.

If we take a closer look at the sender, we see that the sender name is Zoom Meeting, but the actual sender email is coming from this pkf[.]com, a likely compromised domain and sender here. Since this appears to be a legitimate domain, it is likely going to pass all of the traditional sender authentication methods like SPF, DKIM, and DMARC.

We see that there are no attachments in this email, but there is one link. In this case, the threat actor created the link with a different display text and destination URL. So the display text appears to be this legitimate zoom[.]app URL, but where the recipient would actually have been taken is to this app[.]link URL. Now, app[.]link is a legitimate service that's going to pass your threat intelligence lookups, but it can be used to redirect or even host malicious content.

All of these indicators combined make this a very difficult or near impossible attack for traditional email security providers to detect. So how is Abnormal able to uniquely detect this attack?

First of all, we see that this is an unusual sender. The sender is using language that's attempting to engage, but we've never seen this email address zoommeeting@pkf[.]com sending to our organization. Next, we see some abnormal content in this email in the actual HTML. We're seeing some text and spaces with zero size, meaning that there are some zero-font text or zero-width spaces within this email. This is a very common way for threat actors to obfuscate and change what the scanning technologies are using to detect these attacks.

Next, we see this unusual IP geolocation. In this case, we've seen emails from pkf[.]com but never sent from Bulgaria. And lastly, we see this suspicious link. I showed you that the display text of this URL did not match the destination URL, which is a huge indicator for us.

Based on all of these indicators, we are able to accurately identify this email to be credential phishing. We would automatically remediate this so it's never accessible to the end user.
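Three of the indicators called out in the transcript can be checked directly against the raw message: a sender display name that names a brand the sending domain does not belong to, anchor tags whose visible text is itself a URL with a different host than the href, and zero-width characters or zero-size styled elements used to pad the HTML. The following is an added example, written for this page and not Abnormal's own detection code. The sample message, the sender address compromised.example, the destination host redirect.example.com (standing in for the redirect service mentioned above) and the BRAND_DOMAINS allowlist are all constructed assumptions for the demonstration.

```python
"""Standalone checks for the link-mismatch, HTML-obfuscation and
brand-vs-domain indicators described in the transcript above.
Constructed example; not vendor code."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Invisible code points commonly inserted to break keyword matching.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Inline style that renders text at zero size (font-size:0, 0px, 0pt, ...).
ZERO_SIZE_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
# Link text that a reader would take to be a URL.
URL_LIKE_RE = re.compile(
    r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)

# Assumed allowlist: brand name -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"Zoom": ["zoom.us", "zoom.com"]}


def host(url: str) -> str:
    """Lower-cased host of a URL, with a leading 'www.' removed."""
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    h = (urlparse(u).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def strip_zero_width(s: str) -> str:
    return "".join(ch for ch in s if ch not in ZERO_WIDTH)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and counts zero-size elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.zero_size_elements = 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if ZERO_SIZE_RE.search(a.get("style", "")):
            self.zero_size_elements += 1
        if tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyze(html: str) -> dict:
    """Report obfuscation markers and display/destination mismatches in an HTML body."""
    p = LinkCollector()
    p.feed(html)
    mismatched = []
    for href, text in p.links:
        shown = strip_zero_width(text).strip()
        # Only flag when the visible text itself reads as a URL whose host
        # differs from where the click actually goes.
        if URL_LIKE_RE.match(shown) and host(shown) != host(href):
            mismatched.append((shown, host(href)))
    return {
        "zero_width_chars": sum(html.count(ch) for ch in ZERO_WIDTH),
        "zero_size_elements": p.zero_size_elements,
        "mismatched_links": mismatched,
    }


def sender_brand_mismatch(from_header: str, brand_domains: dict) -> bool:
    """True when the display name invokes a brand but the address domain is not one of its domains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in brand_domains.items():
        if brand.lower() in name.lower():
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return True
    return False


def is_suspicious(report: dict) -> bool:
    return bool(report["mismatched_links"]) or report["zero_width_chars"] > 0 \
        or report["zero_size_elements"] > 0


# Constructed sample modelled on the attack in the transcript.
SAMPLE_FROM = '"Zoom Meeting" <zoommeeting@compromised.example>'
SAMPLE_HTML = (
    "<p>You missed a scheduled Zoom\u200b meeting.</p>"
    '<span style="font-size:0px;color:#fff">filler text the reader never sees</span>'
    '<a href="https://redirect.example.com/join/abc123">https://zoom.app/j/91234</a>'
    '<a href="https://zoom.app/privacy">Privacy</a>'
)

if __name__ == "__main__":
    report = analyze(SAMPLE_HTML)
    print(report, "suspicious:", is_suspicious(report))
    print("sender brand mismatch:", sender_brand_mismatch(SAMPLE_FROM, BRAND_DOMAINS))
```

Note the second anchor ("Privacy") is not flagged even though its text and href differ: only link text that itself looks like a URL is compared, which keeps ordinary "click here" links out of the result. The brand check is deliberately narrow; a name like "Zoom Meeting" on a domain outside the allowlist is a signal to correlate with the other indicators, not a verdict on its own.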

Want to know more? Request your personalized demo today.
