Attack Overview

Step 1: Phishing Email Posing as HR Update

The attacker impersonates the internal HR department and sends an email about an updated employee benefits handbook.

[Image 1: the HR-themed phishing email]
  • Appears to come from an internal HR email address.
  • Language references benefits update.
  • Includes personalized greeting using recipient’s name.

Step 2: Malicious Attachment Contains QR Code

The email includes a Word document attachment labeled as the updated benefits handbook, containing a QR code.

[Image 2: the attached "handbook" document with the embedded QR code]
  • Attached document is macro-free to avoid detection.
  • QR code is embedded directly in the file.
  • Scanning the code leads to an external site.

Step 3: Fake Microsoft Login Page with Cloudflare Turnstile

The QR code directs the user to a credential phishing site. The page mimics a Microsoft login prompt and is fronted by a Cloudflare Turnstile challenge, which both adds perceived legitimacy and keeps automated URL scanners and sandboxes from rendering the credential form behind it.

[Image 3: the fake Microsoft login page behind a Cloudflare Turnstile]
  • Cloudflare Turnstile on the landing page blocks automated scanners from reaching the credential form, delaying detection while adding realism.
  • Site branding closely mimics Microsoft.
  • Site harvests login credentials if submitted.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • File is a benign Word document without macros.
  • QR code encodes the phishing URL as an image, so link scanners and URL-rewriting controls that parse text and HTML never see the destination.
  • Language and sender appear consistent with HR updates.
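The three steps above describe one artifact chain: a macro-free Word document whose only "link" is a picture, pointing at a Microsoft-branded login page on a non-Microsoft host. The following is an added example, not code from Abnormal Security or from this write-up, showing the static triage a gateway can run on such an attachment without rendering it. A .docx is an OOXML zip, so the script lists embedded media, checks for a VBA project, and reads external hyperlink targets from the relationship parts; a document with pictures, no hyperlinks and no macros is routed to a QR decoder, and any decoded URL is checked for Microsoft branding on a non-Microsoft host. Decoding is delegated to pyzbar and Pillow, which are assumed to be optionally installed; the sample documents, hostnames and URLs are constructed for the example.

```python
"""Static triage of a .docx lure that carries a QR code instead of a hyperlink.

Added example; not Abnormal Security's code. Sample documents, hosts and
URLs below are constructed. pyzbar + Pillow are assumed optional.
"""
import io
import re
import sys
import zipfile
from typing import List, Optional
from urllib.parse import urlparse

# Minimal constructed OOXML package (the lure's shape, not a real sample).
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="png" ContentType="image/png"/>'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="{main}"/></Types>'
)
_DOC_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Updated Employee Benefits Handbook</w:t></w:r></w:p></w:body></w:document>'
)
_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '{rels}</Relationships>')
_IMG_REL = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/image" Target="media/image1.png"/>')
_LINK_REL = ('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
             'relationships/hyperlink" Target="https://login.example-phish.test/" TargetMode="External"/>')
PNG_STUB = b"\x89PNG\r\n\x1a\n"  # PNG signature only; stands in for the QR image


def build_docx(with_hyperlink: bool = False, with_macro: bool = False) -> bytes:
    """Build the constructed package: image-only by default, optionally with a link or a VBA part."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES.format(main=main))
        z.writestr("word/document.xml", _DOC_XML)
        z.writestr("word/_rels/document.xml.rels",
                   _RELS.format(rels=_IMG_REL + (_LINK_REL if with_hyperlink else "")))
        z.writestr("word/media/image1.png", PNG_STUB)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header stub
    return buf.getvalue()


_EXT_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>')
_TARGET = re.compile(r'\bTarget="([^"]+)"')


def triage_docx(data: bytes) -> dict:
    """Structural facts a gateway can compute without opening the document in Word."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_macros = (any(n.lower().endswith("vbaproject.bin") for n in names)
                      or b"macroEnabled" in z.read("[Content_Types].xml"))
        images = sorted(n for n in names if n.startswith("word/media/"))
        links: List[str] = []
        for n in names:
            if n.endswith(".rels"):
                for rel in _EXT_REL.findall(z.read(n).decode("utf-8", "replace")):
                    m = _TARGET.search(rel)
                    if m:
                        links.append(m.group(1))
    # Pictures but no clickable link and no macro: the payload may be a QR code.
    needs_qr_scan = bool(images) and not links and not has_macros
    return {"has_macros": has_macros, "images": images,
            "external_links": links, "needs_qr_scan": needs_qr_scan}


def decode_qr(png_bytes: bytes) -> Optional[List[str]]:
    """Decode QR payloads from an image; None if pyzbar/Pillow are not installed."""
    try:
        from PIL import Image
        from pyzbar.pyzbar import decode
    except ImportError:
        return None
    try:
        img = Image.open(io.BytesIO(png_bytes))
    except OSError:  # truncated or non-image data, e.g. the stub above
        return []
    return [d.data.decode("utf-8", "replace") for d in decode(img)]


MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")
BRAND_TERMS = ("microsoft", "office365", "o365", "outlook", "sharepoint")


def looks_like_microsoft_spoof(url: str) -> bool:
    """Microsoft branding anywhere in the URL while the host is not a Microsoft property."""
    host = (urlparse(url).hostname or "").lower()
    if host in MICROSOFT_LOGIN_HOSTS or host.endswith((".microsoft.com", ".microsoftonline.com")):
        return False
    return any(term in url.lower() for term in BRAND_TERMS)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_docx()
    report = triage_docx(data)
    print(report)
    if report["needs_qr_scan"]:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in report["images"]:
                for payload in decode_qr(z.read(name)) or []:
                    print(name, payload, "SPOOF" if looks_like_microsoft_spoof(payload) else "")
```

Run it with a real attachment path to triage that file, or with no arguments to triage the constructed sample. The "no hyperlinks, no macros, has pictures" profile is exactly why the lure looks clean to attachment sandboxes and link rewriters, which is the reason to decode every embedded image rather than only the ones a user might click.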

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Abnormal sender behavior and a new sender-recipient relationship.
  • Thematic content and urgency around HR messaging.
  • Delivery patterns and an attachment type uncommon for this sender.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
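To make the three indicators above concrete, here is an added example of the shape such behavioral scoring takes. It is not Abnormal Security's detector, whose methods are proprietary; it builds a baseline from a constructed mail history and flags a new message for a sender-recipient pair never seen before, an attachment type the sender's domain has never used, and HR theming combined with urgency. All addresses, subjects and the history itself are constructed for the example.

```python
"""Illustrative behavioral scoring of an inbound message against a mail history.

Added example; not Abnormal Security's detection logic. History, addresses
and subjects are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    attachment_ext: Optional[str] = None  # e.g. "pdf", "docx", or None


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


# Constructed 30-day baseline: HR sends PDFs and has written to alice and bob, never carol.
HISTORY = [
    Message("hr@corp.example", "alice@corp.example", "Open enrollment dates", "pdf"),
    Message("hr@corp.example", "bob@corp.example", "Holiday calendar", "pdf"),
    Message("it-help@corp.example", "alice@corp.example", "Ticket 4411 resolved"),
    Message("hr@corp.example", "alice@corp.example", "Payroll calendar 2024", "pdf"),
]

HR_TERMS = ("benefit", "handbook", "payroll", "enrollment")
URGENCY_TERMS = ("action required", "immediately", "today", "by end of day", "urgent")

Baseline = Tuple[Set[Tuple[str, str]], Dict[str, Counter]]


def build_baseline(history: List[Message]) -> Baseline:
    """Known sender-recipient pairs and attachment extensions seen per sender domain."""
    pairs = {(m.sender.lower(), m.recipient.lower()) for m in history}
    ext_by_domain: Dict[str, Counter] = defaultdict(Counter)
    for m in history:
        if m.attachment_ext:
            ext_by_domain[domain(m.sender)][m.attachment_ext.lower()] += 1
    return pairs, ext_by_domain


def indicators(msg: Message, baseline: Baseline) -> List[str]:
    """Return the abnormal indicators a message trips, in a fixed order."""
    pairs, ext_by_domain = baseline
    found: List[str] = []
    if (msg.sender.lower(), msg.recipient.lower()) not in pairs:
        found.append("new sender-recipient relationship")
    d = domain(msg.sender)
    if msg.attachment_ext and ext_by_domain[d][msg.attachment_ext.lower()] == 0:
        found.append(f".{msg.attachment_ext} attachment never seen from {d}")
    subj = msg.subject.lower()
    if any(t in subj for t in HR_TERMS) and any(t in subj for t in URGENCY_TERMS):
        found.append("HR theme combined with urgency")
    return found


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    lure = Message("hr@corp.example", "carol@corp.example",
                   "Action required: updated employee benefits handbook", "docx")
    benign = Message("hr@corp.example", "alice@corp.example", "Payroll calendar 2025", "pdf")
    for m in (lure, benign):
        print(m.recipient, m.subject, "->", indicators(m, baseline) or "no indicators")
```

The lure spoofs the same internal HR address the baseline already trusts, which is why a sender allowlist alone would pass it: the signal comes from the relationship, the attachment type and the theme taken together, not from the address.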

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing
Vector: Link-based
Goal: Credential Theft
Theme: Fake Document; Employee Benefits; Human Resources Announcement
Impersonated Party: Employee - Other
