Abnormal Intelligence

Credential Phishing

DHL Impersonator Uses Spoofed Email to Trick Recipients into Paying Fraudulent Fees

Attackers exploit the urgency of parcel delivery issues to steal payment details via a spoofed DHL email.

July 16, 2024

In this credential phishing attack, the threat actor impersonates shipping provider DHL and emails the recipient a failed delivery notification. After spoofing an email address hosted on the domain of a legitimate, Brazil-based telecommunications provider, the attacker sends the target an email claiming that their package could not be delivered because the sender failed to pay the necessary fees. To increase the appearance of legitimacy, the perpetrator convincingly incorporates DHL’s branding into both the initial email as well as the phishing pages. The recipient is prompted to use the included link to confirm their address and submit payment for the outstanding charges. However, should the target click on the embedded button, they will be redirected to a phishing page—also hosted on the Brazilian telecommunications provider’s website—designed to steal sensitive information, including credit card details.

Legacy email security tools struggle to identify this email as an attack because it appears to originate from a legitimate email address, employs sophisticated social engineering, and carries no malicious attachments. Modern, AI-powered email security solutions recognize the spoofed sender address, detect the suspicious links in the message, and analyze the content to correctly flag this email as an attack.


Malicious email impersonating DHL and attempting to manipulate recipient using social engineering


Phishing site convincingly mimicking DHL’s branding 


Penultimate page of the phishing site, designed to steal target’s personal information


Last page in the phishing site, designed to steal target’s credit card information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed email address "noreply@grupofonelight[.]com.br" that adds a layer of perceived authenticity and can allow the message to bypass basic email verification checks.
  • Social Engineering Tactic: The email attempts to prompt immediate action without scrutiny by manufacturing a sense of urgency related to the failed package delivery.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Spoofed Email Detection: Abnormal detects that the email is sent from a spoofed address, which contributes to the suspicious nature of the message and triggers further analysis.
  • Suspicious Link Analysis: The link directing the recipient to confirm the shipment and pay fees raises suspicion, prompting Abnormal’s systems to scrutinize and flag the email for potential malicious activities.
  • Content Analysis: Abnormal’s advanced content analysis algorithms flag the urgent message about unpaid fees and delayed delivery as a common phishing tactic.
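
The three bypass factors and the three detection signals listed above map directly onto header and body checks a mail gateway can run. The script below is an added example, not Abnormal's detection code and not part of the original write-up: it parses a constructed message modelled on the indicators described here (a DHL display name on a sender domain that is not DHL's, failing authentication results, a link pointing off-brand, and fee-and-delivery urgency language) and reports which signals fire. The sender and link domain `spoofed-sender.example`, the `BRAND_DOMAINS` allowlist, the urgency phrases and the verdict threshold are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the write-up. The sender
# and link domain are placeholders, not the real infrastructure.
SAMPLE_EMAIL = """\
From: "DHL Express" <noreply@spoofed-sender.example>
To: recipient@example.com
Subject: Your DHL parcel could not be delivered - action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=spoofed-sender.example; dkim=none; dmarc=fail header.from=spoofed-sender.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your DHL shipment is on hold because the shipping fees were not paid.</p>
<p>Please confirm your address and pay the outstanding charges immediately.</p>
<p><a href="https://spoofed-sender.example/dhl/confirm">Confirm shipment and pay fees</a></p>
</body></html>
"""

# Constructed control message that should not trip the checks.
CLEAN_EMAIL = """\
From: "DHL Express" <noreply@dhl.com>
To: recipient@example.com
Subject: Your DHL shipment has been delivered
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=dhl.com; dkim=pass header.d=dhl.com; dmarc=pass header.from=dhl.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your parcel was delivered today.</p>
<p><a href="https://www.dhl.com/tracking">View tracking</a></p></body></html>
"""

# Assumption: a small brand-to-domain allowlist. A real deployment would carry
# the brand's full set of sending and web domains.
BRAND_DOMAINS = {"dhl": {"dhl.com", "www.dhl.com", "dhl.de"}}

# Phrases typical of the "failed delivery, unpaid fee" lure (assumed list).
URGENCY_PATTERNS = [
    r"could not be delivered",
    r"fees? (?:were|was|has|have) not (?:been )?paid",
    r"outstanding (?:charges|fees)",
    r"immediately",
    r"action required",
]


def text_body(msg: Message) -> str:
    """Decode the first text/* part; the samples are single-part HTML."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def detect_brand(text: str) -> Optional[str]:
    """Return the first known brand named in the text, if any."""
    lowered = text.lower()
    return next((b for b in BRAND_DOMAINS if b in lowered), None)


def check_authentication(msg: Message) -> list:
    """Collect SPF/DKIM/DMARC results from the receiving MTA that are not 'pass'."""
    header = msg.get("Authentication-Results", "")
    return [f"{mech.lower()}={result.lower()}"
            for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
            if result.lower() != "pass"]


def check_sender_brand(msg: Message, brand: Optional[str]) -> list:
    """Flag a brand named in the display name or subject whose sender domain is not the brand's."""
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        return [f"brand '{brand}' claimed but sender domain is {sender_domain}"]
    return []


def check_links(msg: Message, brand: Optional[str]) -> list:
    """Flag hrefs whose host is outside the impersonated brand's domains."""
    findings = []
    for url in re.findall(r'href="([^"]+)"', text_body(msg), re.I):
        host = (urlparse(url).hostname or "").lower()
        if brand and host not in BRAND_DOMAINS[brand]:
            findings.append(f"link to {host} does not belong to '{brand}'")
    return findings


def check_urgency(msg: Message) -> list:
    """Return the urgency phrases present in subject plus tag-stripped body."""
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", text_body(msg))).lower()
    return [p for p in URGENCY_PATTERNS if re.search(p, text)]


def analyze(raw: str) -> dict:
    """Run every check once and combine them into a verdict (threshold is an assumption)."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    brand = detect_brand(display_name + " " + msg.get("Subject", ""))
    report = {
        "authentication": check_authentication(msg),
        "sender_brand_mismatch": check_sender_brand(msg, brand),
        "offbrand_links": check_links(msg, brand),
        "urgency": check_urgency(msg),
    }
    hits = sum(1 for v in report.values() if v)
    report["verdict"] = "suspicious" if hits >= 2 else "clean"
    return report


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_EMAIL), ("control", CLEAN_EMAIL)):
        print(label, analyze(sample))
```

The point of the control message is the behaviour the bullets above describe: a genuine DHL notification passes authentication, keeps its links on the brand's domains and uses no fee-pressure language, so no single signal is decisive and the verdict rests on several of them agreeing.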

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

  • Credential Phishing
  • Link-based
  • Brand
  • Credential Theft
