Secure email gateways (SEGs) that rely on allow lists or blocklists are playing an ever-increasing game of catch-up against phishing. This campaign shows the result of that misguided approach. Mimecast missed these emails because they are very simple: they contain hardly any text, the attachment is a seemingly harmless Word document with no macros, the only links point to trusted domains, and the sender address and domain are not on any known blocklist.

Here's what the email looks like:

[Image: the phishing email]

The attachment starts off tamely, recapping recent COVID-19 recovery efforts by the United Nations and the United States.

[Image: first page of the attached Word document]

The second page is where the attacker hopes to phish the victim into giving up sensitive information.

[Image: second page of the attached Word document]

These attacks target less sophisticated end-users. Should an end-user hand over this information, it will only be the beginning: they will be bombarded with emails, texts and postal mail as their details are sold on every attacker marketplace.

Even though it reads like obvious spam, it sailed past Mimecast. Avanan's NLP-based analysis looks at what the attachment actually says, and its AI detects the financial traps the attackers laid out inside it.
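The three signals a list-based gateway checks (macro present, link reputation, sender on a blocklist) are all clean for this attachment, so the only thing left to inspect is what the document asks the reader for. The following is an added example, not Avanan's code and not the actual file from the campaign: it builds a stand-in .docx in memory, confirms it carries no VBA project and links only to a trusted domain, and then flags it anyway because the text asks for several financial and identity fields. The `un.org` trusted-domain entry and the phrase list are illustrative assumptions.

```python
"""Content-based triage of a Word attachment: what an allow/blocklist gateway skips.

Added example, not Avanan's code. The .docx is constructed in memory and the
trusted-domain set and phrase list are illustrative assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Phrases that ask the reader to hand over monetizable data (constructed list).
SENSITIVE_RE = re.compile(
    r"bank account|routing number|social security|\bssn\b|date of birth"
    r"|credit card|mother'?s maiden name|password|driver'?s licen[cs]e",
    re.IGNORECASE,
)


def has_vba_macros(docx_bytes: bytes) -> bool:
    """True if the package carries a VBA project, the part macro scanners look for."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def extract_text(docx_bytes: bytes) -> str:
    """Concatenate the visible text runs of the main document part, one line per paragraph."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return "\n".join(paragraphs)


def extract_links(docx_bytes: bytes) -> list[str]:
    """External hyperlink targets recorded in the document relationships part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{PKG_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    ]


def _is_trusted(url: str, trusted_domains: set[str]) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(docx_bytes: bytes, trusted_domains: set[str]) -> dict:
    """Report the list-based signals alongside a content signal; verdict rests on the content."""
    links = extract_links(docx_bytes)
    text = extract_text(docx_bytes)
    hits = sorted({m.group(0).lower() for m in SENSITIVE_RE.finditer(text)})
    result = {
        "macros": has_vba_macros(docx_bytes),
        "external_links": links,
        "links_all_trusted": all(_is_trusted(u, trusted_domains) for u in links),
        "sensitive_hits": hits,
    }
    # A document asking for two or more identity/financial fields is treated as a
    # phish regardless of macros or link reputation; that is the gap in list-based SEGs.
    result["verdict"] = "suspicious" if len(hits) >= 2 else "clean"
    return result


def build_sample_docx() -> bytes:
    """Constructed stand-in for the campaign's attachment: no macros, one link
    to a trusted domain, and a closing paragraph that asks for financial details."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>
<w:p><w:r><w:t>COVID-19 recovery update from the United Nations.</w:t></w:r></w:p>
<w:p><w:hyperlink r:id="rId1"><w:r><w:t>Read the full report</w:t></w:r></w:hyperlink></w:p>
<w:p><w:r><w:t>To receive your relief payment, reply with your bank account number, routing number and Social Security number.</w:t></w:r></w:p>
</w:body></w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
<Relationship Id="rId1" Type="{R_NS}/hyperlink" Target="https://www.un.org/" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx(), {"un.org"}))
```

Run against the constructed sample, `macros` is false and `links_all_trusted` is true, which is everything a list-based gateway would see; the verdict is still `suspicious` because three distinct sensitive-data requests appear in the text. The phrase list is deliberately crude; it stands in for the NLP model, not for it.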

