Over the last three days, we have seen over 800 phishing emails sent to 11 different clients that try to leverage language normally used by physical or online document scanners.
This type of phishing email is in no way new; we have been seeing scanner-impersonation attempts for years. Avanan first started catching these emails using ML and AI; now that this exact format has been seen so many times (with only slight variations), even an unsophisticated solution should be able to catch these attacks.
In the example below, the attackers target an email group rather than specific users: a single message to a group address lands in multiple users' mailboxes. Here's what the email, missed by ATP, looks like:
At the time of writing, the webpage this email loads via its attachment is unavailable. The page's history shows high traffic but little activity, which tells us the attackers have not yet made the attack payload live. This is a deliberate strategy: first make sure the email has reached a significant number of mailboxes, and only then arm the payload. It lets the email bypass any security vendor that scans a URL only at the time of delivery, because at that moment the URL is genuinely clean.

Avanan's ClickTime protection instead scans the URL at the moment a user clicks the link. If the scan finds malicious code being executed, the user is presented with a block page; if it finds nothing suspicious, the user is taken to the webpage as normal. So no matter when the attackers choose to arm the link, Avanan's customers are protected, and without the false positives that static, rule-based URL filtering produces.
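As an added illustration (not Avanan's code, and not a description of how ClickTime is implemented), here is a minimal model of the two steps any click-time protection needs: rewrite links at delivery so every click passes through a redirector, then verify the link and re-scan the destination at the moment of the click. It walks the timeline from this post: clean at delivery, armed afterwards, clicked later. The redirector host, the HMAC key, the printer-lookalike domain and the in-memory scanner are all assumptions constructed for the example.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this illustration (not Avanan's implementation):
SIGNING_KEY = b"per-tenant-secret-rotate-me"          # hypothetical HMAC key
REDIRECTOR = "https://click-protect.example/go"       # hypothetical redirector host

# Matches http(s) hrefs in a simple HTML body (a real rewriter would use an HTML parser).
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """HMAC over the destination so the redirector only follows links it issued itself."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_body(html_body: str) -> str:
    """Delivery-time step: wrap every link so the click passes through the redirector."""
    def _wrap(m: re.Match) -> str:
        original = html.unescape(m.group(1))
        wrapped = f"{REDIRECTOR}?{urlencode({'u': original, 's': sign(original)})}"
        return f'href="{html.escape(wrapped, quote=True)}"'
    return HREF_RE.sub(_wrap, html_body)


def extract_links(html_body: str) -> list[str]:
    """Pull hrefs back out of a body (used here to simulate the user clicking)."""
    return [html.unescape(m.group(1)) for m in HREF_RE.finditer(html_body)]


def resolve_click(wrapped_url: str, scan_now) -> tuple[str, str]:
    """Click-time step: verify the token, then scan the destination as it is *now*.

    scan_now(url) -> bool is the (assumed) scan/detonation service: True = malicious.
    Returns (action, destination) with action in {"allow", "block", "reject"}.
    """
    qs = parse_qs(urlparse(wrapped_url).query)
    dest = qs.get("u", [None])[0]
    sig = qs.get("s", [None])[0]
    if dest is None or sig is None or not hmac.compare_digest(sig, sign(dest)):
        return "reject", ""          # tampered or not issued by us: never follow it
    if scan_now(dest):
        return "block", dest         # payload is live at click time: show block page
    return "allow", dest             # still benign at click time: pass the user through


class ConstructedScanner:
    """Stand-in for a real URL scanner; arm() models the attacker going live later."""
    def __init__(self) -> None:
        self.live: set[str] = set()

    def arm(self, url: str) -> None:
        self.live.add(url)

    def __call__(self, url: str) -> bool:
        return url in self.live


def demo() -> list[str]:
    """Walk the timeline from the post: delivered clean, armed later, clicked after."""
    # Constructed sample email; the printer-lookalike domain is made up.
    email_html = '<p>Scan_0042.pdf</p><a href="https://scans.printer-lookalike.example/doc">Open</a>'
    scanner = ConstructedScanner()
    rewritten = rewrite_body(email_html)
    link = extract_links(rewritten)[0]

    results = []
    # 1. A scan at delivery time sees a clean URL, so the mail is let through.
    results.append(resolve_click(link, scanner)[0])          # "allow"
    # 2. The attacker arms the page once the mail is already sitting in mailboxes.
    scanner.arm("https://scans.printer-lookalike.example/doc")
    # 3. The user clicks now; re-scanning at click time catches what delivery-time missed.
    results.append(resolve_click(link, scanner)[0])          # "block"
    # 4. A forged redirector link (bad signature) is rejected outright.
    forged = link.replace("s=", "s=00")
    results.append(resolve_click(forged, scanner)[0])        # "reject"
    return results


if __name__ == "__main__":
    print(demo())
```

The signature is what keeps the redirector from becoming an open redirect: an attacker who learns the hostname still cannot mint links to arbitrary destinations. Note that the model deliberately keeps no delivery-time verdict cache; the whole point of the technique is that the verdict from delivery time is stale by the time the user clicks.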