Abnormal can identify and block phishing attacks that use malicious links or attachments to steal credentials. Credential phishing attacks are extremely common, but at the same time, they can be hard to detect.
This is a perfect example of a credential phishing attack. An individual posing as a known entity emailed the recipient, claiming they missed a meeting. To make it easier, the recipient can click on the link provided to access a meeting recording. While this looks like an email from a legitimate account, if we take a closer look, we can see that the actual sender originates from a different domain.
This email contains what appears to be a Zoom link, but the display text was modified to hide the actual link. This link will send the user to this unknown domain, where they will be prompted to enter their credentials to access the meeting recording.
So how was Abnormal able to detect this type of attack?
The solution can identify the topic, tone, and more from email content. For this particular message, we understand that the email is trying to engage with the user, but we have rarely ever seen this sender before. Attackers are also using a common attack technique called ZeroFont. This method uses HTML to reduce the font size of certain words to 0, rendering them invisible to the user but not to traditional security solutions, which will read a seemingly random string of characters that bypass security filters.
Because Abnormal understands every communication within and between your organization, it identified an unusual geolocation for this particular domain, and the recipient has never received email messages from this location.
And last, as noted before, a combination of factors, like the modified display text and unusual domain, caused the solution to flag the link as suspicious. Using these and other signals, the solution concluded that this message was malicious and automatically remediated it, eliminating the possibility of engagement by the recipient.
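Two of the content signals described above, ZeroFont text and a link whose display text names a different host than its href, can be checked with a short HTML parser. This is an added example, not Abnormal's detection logic; the class and function names, the sample message and both domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}  # tags with no end tag

class EmailHtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_stack = []      # per open element: inside a zero-font subtree?
        self.hidden_text = []       # text a mail client would not render
        self.link_mismatches = []   # (host shown in link text, host in href)
        self.href, self.link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        attrs = dict(attrs)
        # Simplification: a zero-font ancestor hides every descendant.
        self.hidden_stack.append(any(self.hidden_stack[-1:]) or bool(ZERO_FONT.search(attrs.get("style") or "")))
        if tag == "a":
            self.href, self.link_text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self.hidden_stack and self.hidden_stack[-1]:
            self.hidden_text.append(data)
        elif self.href is not None:
            self.link_text.append(data)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()
        if tag == "a" and self.href is not None:
            shown = DOMAIN.search("".join(self.link_text).lower())
            host = (urlparse(self.href).hostname or "").lower()
            # Simplification: suffix match, not a public-suffix-list comparison.
            if shown and host and host != shown[0] and not host.endswith("." + shown[0]):
                self.link_mismatches.append((shown[0], host))
            self.href = None

def scan_email_html(html):
    scanner = EmailHtmlScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_text": "".join(scanner.hidden_text), "link_mismatches": scanner.link_mismatches}
# Constructed sample; both domains are placeholders.
SAMPLE = ('<p>You missed the meet<span style="font-size:0px">qzx</span>ing.</p>'
          '<a href="https://meetings-portal.example.net/rec">https://zoom.example/rec/share</a>')
```

Calling `scan_email_html(SAMPLE)` reports the hidden filler text and the display-text/href host pair; either finding is a signal to weigh alongside sender history, not a verdict on its own.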