Credential phishing attempt impersonating Charles Schwab to steal login credentials and two-factor code.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Credential Phishing, Brand Impersonation

The attack

As phishing attempts evolve, so do their bells and whistles. Modern attacks typically include redirection through a CAPTCHA and convincing login pages. In a recent Charles Schwab credential phishing attempt that Sublime prevented, we saw the attacker harvest the target's 2FA code as part of the fake login flow. Here's how the attack works:

  • The target receives a fake Charles Schwab notification email. The email states that they are a victim of fraud.
  • When they click Review Now to learn more about the fraud, they are sent through a fake Cloudflare browser challenge and then to a fake Schwab login.
  • The target enters their account login information, starting the credential harvesting process.
  • After entering their account login information, they are then prompted for their phone number for 2FA.
  • After the target supplies the phone number, the attacker uses the number in the real Schwab login to trigger a legitimate authentication SMS to the target.
  • Once the target receives the code via SMS or phone call, they enter the code into the fake login. The attacker will collect this authentication code and complete the login on their end.

Screenshots in the original post: the email impersonating a notification from Charles Schwab; the fake Cloudflare browser challenge with a manual Proceed button; the realistic Schwab login page; the phone number prompt for 2FA; and the 2FA validation pop-up.

Detection signals

Sublime's AI-powered detection engine prevented this attack. The top signals in these attacks are:

  • Suspicious sender: The sender domain's TLD ends in ".jp", which is commonly abused to conduct attacks.
  • Credential theft: Language in the message appears to engage the user in order to steal credentials.
  • Unusual sender domain: The sender's domain doesn't match any link domains found in the body of the message.
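To make these three signals concrete, here is an added Python example that is not Sublime's detection engine or any of its rules. It parses a constructed sample message (the sender domain, link host and lure phrases are placeholders chosen to mirror the shape of the attack described above), evaluates each signal as a simple check, and contrasts the result with a constructed benign notification whose links stay on the sender's own domain.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed phishing sample (not a real capture). The sender TLD, the
# off-domain "Review Now" link and the fraud-alert wording are placeholders
# that reproduce the shape of the attack described in the post.
SAMPLE_EMAIL = """\
From: "Charles Schwab Alerts" <alerts@example-notify.jp>
To: victim@example.com
Subject: Fraud alert: unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected fraudulent activity on your account.</p>
<p>Please <a href="https://login-review.example.net/schwab">Review Now</a>
to verify your identity and secure your account.</p>
</body></html>
"""

# Constructed benign sample: links resolve to the sender's own domain.
BENIGN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available at
<a href="https://www.example-bank.com/statements">our site</a>.</p></body></html>
"""

# TLDs the post calls out as commonly abused; extend per environment (assumption).
SUSPICIOUS_TLDS = {"jp"}

# Lure phrases used as a crude stand-in for the engine's language analysis.
CREDENTIAL_LURE_TERMS = (
    "verify your identity",
    "review now",
    "fraudulent activity",
    "secure your account",
    "confirm your login",
)


def sender_domain(msg):
    """Return the lowercase domain of the From: address."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def html_body(msg):
    """Return the HTML (or plain) body text, or an empty string."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def link_hosts(body):
    """Collect hostnames from every href in the body, de-duplicated and ordered."""
    hosts = []
    for url in re.findall(r'href=["\']([^"\']+)["\']', body):
        host = urlparse(url).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def same_org(host, domain):
    """True when a link host is the sender domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Evaluate the three signals from the post and return what fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals = []

    # Signal 1: suspicious sender TLD.
    sdom = sender_domain(msg)
    if sdom.rpartition(".")[2] in SUSPICIOUS_TLDS:
        signals.append("suspicious_sender_tld")

    # Signal 2: credential-theft language (two or more lure phrases in the visible text).
    body = html_body(msg)
    visible = re.sub(r"<[^>]+>", " ", body).lower()
    if sum(term in visible for term in CREDENTIAL_LURE_TERMS) >= 2:
        signals.append("credential_theft_language")

    # Signal 3: no link domain in the body matches the sender domain.
    hosts = link_hosts(body)
    if hosts and not any(same_org(h, sdom) for h in hosts):
        signals.append("sender_link_domain_mismatch")

    return {"sender_domain": sdom, "link_domains": hosts, "signals": signals}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
```

Each check is deliberately simple so the signal logic is visible; in practice the TLD list, lure vocabulary and domain-matching rules (for example, handling tracking or CDN hosts that legitimately differ from the sender) would be tuned to the environment.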

Additionally, the Sublime Core Feed contains a wide and growing range of brand impersonation Detection Rules, including Charles Schwab.

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing, brand impersonation, and other email-based threats. Start your free account today, managed or self-managed, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.


About the Author

Aiden Mitchell

Detection

Aiden is a Threat Detection Engineer at Sublime. Drawing from early IT experiences, they bring a human-centered approach to mitigating devastating email attacks. They protect individuals and enterprises, understanding that every threat puts a real person at risk.
