In this credential phishing attack, the threat actor impersonates Adobe Acrobat Sign, Adobe’s e-signature software. Using a sender display name of “eSign” and an email address containing “adobesign” to appear more legitimate, the attacker sends the target a notification that their signature is required on an NDA for their employer. The email content is a convincing imitation of a real message sent using the Adobe Acrobat Sign platform and contains Adobe’s actual branding. If the recipient clicks the Review and sign button to view the document, they will be redirected to a fake Microsoft Office 365 login page that the attacker has branded with the target’s employer’s logo. Because the page is actually a phishing page, if the target attempts to log in with their Microsoft credentials to view the fake NDA, their information will likely be stolen. 

Older, legacy email security tools struggle to properly identify this email as an attack because it comes from an established domain, lacks attachments, and uses social engineering techniques to fool the target. Modern, AI-powered email security solutions flag the unknown sender and analyze the content and links to mark this email as an attack correctly.

Status Bar Dots
Feb16 Screenshot 1
Status Bar Dots
Feb16 Screenshot 2

The attacker creates a fake Microsoft Office 365 login page where credentials can be stolen.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Domain Age: The sender's domain is >6 months old. Some legacy systems may not flag emails from older domains as suspicious, as they often focus on newly registered domains.
  • Lack of Attachments: The email does not contain any attachments. Legacy security tools often focus on scanning attachments for malware, so an attack within an email's body could bypass these checks.
  • Social Engineering: The email uses social engineering techniques, such as urgency and authority, to trick the recipient into taking action. These techniques are often effective at bypassing legacy security tools, which are not designed to detect this type of human-focused attack.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: Abnormal flags this email as coming from an unknown domain and email address that the target has never interacted with before and uses this information to identify potential phishing attempts.
  • Link Analysis: Abnormal analyzes all links in the email body. The system identified several links in this email, some of which were flagged as potentially malicious.
  • Content Analysis: Abnormal analyzes the content of the email, including the body text and subject line. The content of this email raised several red flags, such as the request for a signature on a document.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Maliciously Registered Domain
Masked Phishing Link


Legal Matter
Fake Document

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo