Security researchers have discovered a new credential phishing campaign disguised as an email message from Bank of America.
The message, discovered by cloud security firm Armorblox, tricks users into handing over the email addresses and passwords for their online bank accounts.
Recipients were told that inactive email addresses would be recycled unless they updated and confirmed their bank details through an online portal.
"The email claimed to come from Bank of America and asked readers to update their email addresses," wrote Armorblox co-founder and architect Chetan Anand in a blog post.
"Upon clicking on the link, the target was taken to a credential phishing page that resembled the Bank of America home page and was designed to force the target to enter their account credentials."
Anand explained that the malicious message bypassed email security controls and did not follow the more traditional phishing playbook.
First, the fraudsters refrained from sending mass emails and instead used spear phishing tactics. Because the messages went to a small, selected group of people, they slipped past email filters that key on volume.
The message originated from a personal Yahoo account with the display name "Bank of America", but because it was relayed through SendGrid, it passed authentication checks such as SPF, DKIM and DMARC. Those checks vouch for the sending infrastructure and the domains it is authorized to send for; none of them inspects the display name, so a "Bank of America" label on a personal address is not something they can catch.
According to Anand, recipients were also fooled by the zero-day link and the convincing look-alike site: "The attacker created a new domain for the link in this email attack, so it got past the filter that was created to block known malicious links.
"The final credential phishing page was painstakingly crafted to resemble the Bank of America login page. The page's superficial legitimacy would pass the visual test of most busy readers who want to 'update their email address' as soon as possible and then get on with other business."
However, a closer look at the message itself, starting with the sender address behind the display name, clearly shows that it was not sent by Bank of America.
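One way to surface that mismatch automatically, as an added example that is not Armorblox's or Tom's Guide's code: a short Python script that parses a message, reads its Authentication-Results header, and flags a display name that claims a brand whose domains match neither the sender address nor the link targets. It shows why clean SPF/DKIM/DMARC results say nothing about the "Bank of America" label. The two sample messages, their header values, the look-alike domain, and the brand-to-domain mapping are all constructed for illustration; a production check would also consult a public suffix list and a domain-age lookup, neither of which is attempted here.

```python
"""Header and link checks for display-name brand impersonation.

Added example, not code from Armorblox or the article. It mirrors the
pattern the article describes: the display name says "Bank of America",
the address is a personal Yahoo account, the relay's SPF/DKIM/DMARC
results are clean, and the only link points at a freshly created
look-alike domain. All header values and domains below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample (not a real capture).
PHISH_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces.sendgrid.net;
 dkim=pass header.d=sendgrid.net;
 dmarc=pass header.from=yahoo.com
From: "Bank of America" <someuser@yahoo.com>
To: victim@example.net
Subject: Action required: confirm your email address
Content-Type: text/html; charset=utf-8

<html><body><p>Inactive email addresses will be recycled unless you
<a href="https://bankofamerica-secure-update.example/login">update your details</a>.</p>
</body></html>
"""

# Constructed benign sample for comparison.
LEGIT_EML = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bankofamerica.com;
 dkim=pass header.d=bankofamerica.com;
 dmarc=pass header.from=bankofamerica.com
From: "Bank of America" <alerts@bankofamerica.com>
To: victim@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.bankofamerica.com/">Sign in</a> to view it.</p></body></html>
"""

# Assumption for the example: these are the only domains that may legitimately
# appear as the sender or in links when the display name names the brand.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com", "bofa.com"}}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the samples (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw: bytes) -> dict:
    """Return authentication results, sender data, link domains and findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    # SPF/DKIM/DMARC only vouch for the envelope and signing domains; the
    # display name is never checked, so all three can be "pass" on a phish.
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    link_domains = sorted({registrable_domain(urlparse(u).hostname or "")
                           for u in HREF_RE.findall(html)})

    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue
        if from_domain not in allowed:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain}")
        for dom in link_domains:
            if dom not in allowed:
                findings.append(f"link domain {dom} is not a known {brand!r} domain")

    return {
        "auth": auth,
        "display_name": display,
        "from_domain": from_domain,
        "link_domains": link_domains,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        result = analyze(sample)
        print(name, result["auth"], "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone, the script reports the constructed phish as suspicious on two counts (Yahoo sender behind a bank display name, link to an unknown domain) while every authentication result reads "pass", and reports the constructed legitimate message as clean. The zero-day domain the article mentions is exactly what a blocklist misses, which is why the check above anchors on the brand claim rather than on a list of known-bad links.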
Also, after providing account information to the phishing page, users were asked to answer three security challenge questions.
The phishing page appears more legitimate because the real Bank of America login flow also asks security questions by default.
As a textbook piece of social engineering, this email uses psychological pressure to persuade people to hand over genuine credentials.
Anand says: "The wording and topic of the email was intended to induce urgency in the reader due to its financial nature. Asking readers to update their bank e-mail accounts so that they are not recycled is a powerful incentive for anyone to click on the URL and do so."
If you receive such an email, do not reply to it or follow its link. Instead, call Bank of America, using the number on your card or on its official website rather than any contact details in the message, and ask whether it sent the email.
Speaking to Tom's Guide, Anand said: "With the enforcement of single sign-on and 2FA across organizations, adversaries are now launching email attacks to bypass these measures. This credential phishing attack is a good example. First, the attack phishes for Bank of America credentials. Second, it phishes responses to security challenge questions.
"Asking security challenge questions not only legitimizes the attack, but also provides the adversary with important personal information about the target."