Attack Overview
Step 1: Phishing Email Impersonating a Colleague
The attack begins with an email that appears to come from a project manager or coworker. The message includes a Dropbox project reference and encourages the recipient to review shared documents by clicking a link.
- Email impersonates an internal contact or project manager.
- Mentions a Dropbox file related to an ongoing project.
- Link is labeled “Review Documents” and appears benign.
Step 2: AWS App Runner Phishing Page
Clicking the link leads to a fake webmail login page, hosted on AWS App Runner. The use of a legitimate cloud service lends credibility to the page while enabling credential harvesting.
- Hosted on AWS App Runner—a legitimate cloud service.
- Designed to mimic Microsoft or corporate webmail login pages.
- Collects email credentials if the target logs in.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Sent from a domain that passed SPF, DKIM, and DMARC checks.
- The phishing site is hosted on a legitimate AWS service.
- AWS App Runner supports anonymous public hosting, making takedown difficult.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Behavioral anomalies such as unusual sender activity.
- Language patterns inconsistent with standard workflows.
- NLP flagged urgency and project language as potential phishing indicators.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
