Because of the rise of invoice related phishing emails, many security vendors have resorted to treating emails with the word “invoice” in the subject/body/attachment(s) with higher scrutiny and this has lead to attackers beginning to use synonyms to get their targets to load email attachments.
This email, missed by ATP, uses "advice" instead of invoice to get through to the inbox. This is what it looks like:
The attacker used obfuscation attempts by sending a PNG file above the body of the email that had a malicious website as the hyperlink. This was particularly clever because the PNG image resembled an Outlook PDF attachment. Naturally, the victim will recognize that because they have seen thousands of PDF attachments sent to them via Outlook before and therefore they will not hesitate to click on the image as an attempt to download the attachment only to be redirected to a malicious website for a credential harvesting attack.
Avanan uses a sophisticated approach to catching phishing emails; therefore, the use of keywords only serves as an additional layer on top of our base detection mechanisms. The following email was caught by Avanan because of our strong understanding of the organization’s correspondence history as well as analysis of the image in the email.