
Threat Research | 8 min read

Ado-be-gone: Armorblox Stops Adobe Impersonation Attack


Team Armorblox


In 2022, brand impersonation attacks increased by 74%, according to a recent study by the Armorblox Research Team. These attacks deceive users by posing as reputable companies in order to gain unauthorized access to sensitive information, most often login credentials.

Today, we shed light on an email attack that specifically impersonated Adobe, with a focus on Adobe Acrobat. This brand impersonation attack bypassed native Microsoft 365 email security, and would have landed in the inboxes of more than 2,300 end users if not successfully detected and stopped by Armorblox – thanks to our language-based, GPT-powered email security software.


Summary

Mailboxes: More than 2,300 mailboxes

Target: An established firm of legal practitioners within the legal service industry

Email security bypassed: Native Microsoft 365 Email Security

Techniques used: Social engineering, brand impersonation, trusted website hosting platform / extension


The Email

The bad actor targeted victims with a socially engineered email that mimicked a business workflow common across law firms: sending legal documents for review. The subject line, [EXT] Closing Disclosure Documents, read as a follow-up to a previous conversation or request, which gave the recipient little reason to doubt the contents.


Fig 1: Screenshot of socially engineered email attack

This attack was sent from a compromised third-party account, likely chosen because the target organization regularly communicates with this trusted contact. Neither the compromised account owner nor the recipient was likely to know the account had been taken over, so the email had a high chance of being opened. The bad actor reinforced the impression of a legitimate communication by mimicking a workflow commonly seen between vendor contacts and the target organization. The body contained a brief message and a link to a document supposedly awaiting the recipient's review. The bad actor also copied the signature block and privacy statement the compromised account owner normally uses, so the message matched the contact's usual correspondence (sensitive information has been obscured for privacy reasons).

The Phishing Page

When a victim clicked the hyperlinked text in the body of the email, Closing_Disclosure, they were taken to a landing page styled as an Adobe File Sharing welcome page. Under a branded Adobe header, the page carried concise messaging that echoed the language of the email (your contact has just shared a file with you; use the link below to access it) together with file-sharing-policy language assuring the visitor that only the intended recipients of the document would have access.

Fig 2: Screenshot of first fake landing page victim is navigated to

Trust is reinforced when the link on that page (View Document Here) works as expected and leads to yet another branded landing page. The bad actor built this spoofed Adobe File Sharing page on InMotion Hosting, a legitimate hosting provider, so the page itself was served from an ordinary, reputable-looking host. The legitimate Adobe File Sharing logo suggests the page exists for exactly the purpose the victim was sent there for, while its real purpose is to harvest credentials for the major email providers: Microsoft 365, Microsoft Outlook, and others.

Fig 3: Screenshot of second fake landing page victim is navigated to

Closer inspection of this fake landing page reveals inconsistencies with what a genuine Adobe Acrobat page would show. Apart from the legitimate Adobe Acrobat logo (specifically the Adobe Acrobat Reader logo), the page uses the label 'Adobe Shared File', which does not match the naming Adobe uses for this tool.

The bad actor also used a visually pleasing, heavily Adobe-branded video rather than a static background. The video adds to the credibility the attacker wants the page to project by putting the impersonated brand front and center, and the motion graphic helps distract victims from the inconsistencies noted above.

The Power of Armorblox

The attackers behind this campaign bypassed native Microsoft 365 email security, a widely used email platform, by sending from a trusted account and placing the credential-harvesting page behind legitimately hosted landing pages. By impersonating Adobe, a well-known software company whose applications are widely used, they exploited the trust users place in the brand. Targeting Adobe Acrobat specifically, a popular tool for handling PDF files, they aimed to trick users into entering their login credentials in order to view the awaiting document.

Because the bad actor sent the email from a compromised account on a legitimate domain, it passed email authentication checks (SPF, DKIM, DMARC). Those checks only verify that the message originated from the domain it claims; they say nothing about whether the account holder or the content is trustworthy. The attack relied on language as its main vector in order to pass legacy security layers without raising flags. Although the email included a link, native email tools largely detect known bad URLs, so this previously unseen URL passed their checks. Microsoft assigned the message an SCL (spam confidence level) of -1, which means the message skipped spam filtering altogether (for example because the sender was on a safe-sender or allow list), not that it was scanned and judged clean.

This email attack had the potential of being delivered to over 2,300 end users’ inboxes if this targeted organization had only relied on native email security for protection against targeted, socially engineered attacks. Fortunately, these end users are protected by Armorblox, who accurately detected this malicious, socially engineered email attack.

Because the email was sent from a compromised account, it carried the legitimacy needed to pass native email defenses. Armorblox detected this targeted attack before it reached end users' inboxes. Armorblox uses large language models, such as GPT, and natural language understanding (NLU) to determine the content and context of email communications, which provides organizations with protection against malicious emails sent from compromised accounts. Armorblox also follows every URL to its final destination to assess the content and the threat to the end user; that is what allowed it to identify the malicious URL in the body of the email and protect end users from the credential phishing page hidden behind layers of landing pages on legitimate hosting domains.

With this targeted email attack, bad actors managed to circumvent the built-in defenses of Microsoft 365 Email Security, but not Armorblox. Armorblox analysis of this email flagged the sender due to zero emails being sent between the sender and recipient prior, and correctly detected the inclusion of a malicious link within the body of the email (which Microsoft detections missed). With Armorblox Advanced URL Detection, end users are protected from engaging with zero-day and unknown malicious links and safely redirected from bad URLs. Armorblox language-based detection protected these end users from engaging with this malicious attack, providing the sophisticated protection needed against today’s targeted, socially engineered email attacks.
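The two signals discussed above (a compromised sender that passes SPF/DKIM/DMARC and is handed SCL -1, and a document link that only reveals the credential page after several hops on a legitimate host) are the kind of checks a mail-triage script can combine. The following is an added example, not Armorblox's code or Microsoft's: the sample message, the sender/recipient history set, the redirect map (used in place of real HTTP requests, which a production version would make from a sandbox) and the brand-domain list are all constructed for illustration.

```python
"""Triage a delivered email for trusted-sender phishing indicators.

Added example, not vendor code. All inputs below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample: vendor account passes authentication, SCL -1 (filtering
# skipped), body links a "document" on a shared-hosting site.
SAMPLE_EMAIL = b"""\
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass action=none header.from=vendor.example
X-MS-Exchange-Organization-SCL: -1
From: "Jane Vendor" <jane@vendor.example>
To: paralegal@lawfirm.example
Subject: [EXT] Closing Disclosure Documents
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the closing disclosure at the link below.</p>
<p><a href="https://files-share.hosting.example/adobe/view">Closing_Disclosure</a></p>
<p>Jane Vendor | Vendor Co</p></body></html>
"""

# Constructed redirect chain standing in for the layered landing pages.
REDIRECTS = {
    "https://files-share.hosting.example/adobe/view":
        "https://files-share.hosting.example/adobe/index.html",
    "https://files-share.hosting.example/adobe/index.html":
        "https://adobe-sharedfile.hosting.example/login.php",
}
# Constructed correspondence history: (sender, recipient) pairs seen before.
HISTORY = {("jane@vendor.example", "partner@lawfirm.example")}
# Brand keyword and the domains that may legitimately carry it (assumption).
BRAND, BRAND_DOMAINS = "adobe", ("adobe.com",)


def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc -> result from an Authentication-Results header."""
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def extract_links(html: str) -> list:
    """Return (href, anchor_text) pairs from an HTML body."""
    return re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)


def follow_redirects(url: str, redirects: dict, limit: int = 10) -> list:
    """Resolve a redirect chain via the constructed map (no network), bounded by limit."""
    chain = [url]
    while chain[-1] in redirects and len(chain) < limit:
        chain.append(redirects[chain[-1]])
    return chain


def brand_on_foreign_host(url: str) -> bool:
    """True when the final URL mentions the brand but is not on a brand-owned domain."""
    host = urlparse(url).netloc.lower()
    return BRAND in url.lower() and not any(
        host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def triage(raw: bytes, history: set, redirects: dict) -> dict:
    """Combine header, history and link-chain signals into findings and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0].addr_spec.lower()
    recipient = msg["To"].addresses[0].addr_spec.lower()
    auth = parse_auth_results(msg["Authentication-Results"])
    scl = int(msg["X-MS-Exchange-Organization-SCL"] or 0)
    body = msg.get_body(preferencelist=("html",)).get_content()

    findings, finals = [], []
    if scl == -1:
        findings.append("scl_minus_one: spam filtering was skipped, not passed")
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("auth_pass: origin domain verified, sender intent is not")
    if (sender, recipient) not in history:
        findings.append("first_contact: no prior mail between sender and recipient")
    for href, text in extract_links(body):
        chain = follow_redirects(href, redirects)
        final = chain[-1]
        finals.append(final)
        if urlparse(final).netloc != urlparse(href).netloc:
            findings.append(f"redirect_chain: '{text}' ends on {urlparse(final).netloc} after {len(chain) - 1} hops")
        if brand_on_foreign_host(final):
            findings.append(f"brand_lure: {BRAND} branding on non-{BRAND} host {urlparse(final).netloc}")

    link_hit = any(f.startswith(("redirect_chain", "brand_lure")) for f in findings)
    context_hit = any(f.startswith(("first_contact", "scl_minus_one")) for f in findings)
    verdict = "hold" if link_hit and context_hit else "deliver"
    return {"sender": sender, "auth": auth, "scl": scl,
            "final_urls": finals, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EMAIL, HISTORY, REDIRECTS).items():
        print(f"{k}: {v}")
```

The design choice worth noting is that an authentication pass and SCL -1 are treated as context, not as a clean bill of health: on their own they deliver the mail, but combined with a first-contact sender and a link whose final destination drifts to a brand-styled page on an unrelated host, they tip the verdict to hold. Swap the constructed `REDIRECTS` map for sandboxed HTTP fetches to apply the same logic to live mail.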

