Skip to main content
Abnormal Intelligence

Business Email Compromise

Internal Account Takeover Leads to Lateral Phishing via Wix-Hosted Data Collection Form

An attacker uses a compromised internal account to send a link to a Wix-hosted form that harvests sensitive information from coworkers.

December 23, 2024

Attack Target Summary

Attack Overview

Step 1: Email

This attack begins with a successful account takeover. Using that compromised account, the attacker sends a phishing email to coworkers within the same organization, making the message appear internal and trustworthy.

Attack Library Repo 5 29 Nov Image 1
  • Sent from a verified internal account.
  • Message appears routine and business-relevant.
  • Includes a link to a web form hosted externally.

Step 2: Phishing Form Hosted on Wix

Targets who click the PandaDoc link find a blank or non-functional document. The attacker uses this as a social engineering trick to direct them to manually open the Dropbox link.

Attack Library Repo 5 29 Nov Image 2 Attack Library Repo 5 29 Nov Image 3
  • Hosted on a legitimate cloud web design platform (Wix).
  • Form asks for names, phone numbers, passphrases, and birthdates.
  • No overt signs of malicious intent, adding to its deception.

Step 3: Dropbox + Credential Harvesting Page

Attack Library Repo 17 25 Mar Image 3

Step 4: Final Destination (Spoofed Microsoft Login)

Attack Library Threat Actors Exploit Docusign 6 Nov Portal

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Originated from a domain that passed authentication checks.
  • Was sent internally, bypassing external threat filters.
  • Used a legitimate hosting platform to avoid raising suspicion.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Unusual internal communication patterns.
  • NLP analysis of the form’s solicitation language.
  • Sender behavior inconsistent with typical usage patterns.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

Business Email CompromiseLink-basedEmployee - OtherCredential Theft

Stop these attacks at your organization

See how Abnormal's behavioral AI detects the threats this digest covers — before they reach inboxes.