In this credential phishing attack, the threat actor impersonates AT&T Mail (also known as “Currently, from AT&T”) and informs the recipient that the version of AT&T Mail they are using is about to expire. If the recipient doesn’t update their account to the latest version and accept the updated terms using the provided link, they will lose access to their inbox.

The attacker incorporates “attnet” into their email address and uses a sender display name of “AT&T Email Admin Service” in an attempt to increase the appearance of legitimacy. The link embedded in the message directs the target to a Google Slides presentation, which is branded with the AT&T logo and contains another link with the CTA “Click here to update.” If the target clicks on the link in the slide, they are redirected to a fraudulent AT&T Mail/Currently, from AT&T login page designed to steal sensitive information.

Older, legacy security tools have difficulty properly identifying this email as an attack because it contains no attachments, is sent from an unknown sender with whom the recipient has not previously interacted, and links to a file hosted on a legitimate domain (docs[.]google[.]com/presentation). Modern AI-powered security solutions analyze the sender, links, and content in the email to accurately flag this email as an attack.

[Image: ATT Email Impersonation Attack Email]

[Image: ATT Email Impersonation Attack Google Slides]

The attacker used Google Slides to host a malicious link to a fake AT&T Mail login page.

[Image: ATT Email Impersonation Attack Phishing Page]

This fake login page is designed to steal login credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for traditional email security tools. Instead, it contains a link, which can be harder for legacy systems to analyze for threats.
  • Unknown Sender: The email comes from an unknown sender with whom the organization has had no prior correspondence. Legacy systems may not have the capability to track and analyze this kind of relationship history.
  • Link to External Site: The email contains a link to an external site (Google Slides), which is used to disguise the malicious activity. Traditional email security tools may not be able to effectively analyze the content of external sites for threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: Abnormal uses sender analysis to identify suspicious activity. In this case, the email comes from an unknown sender with whom the organization has had no prior correspondence, which is a strong signal of a potential threat.
  • Link Analysis: Abnormal can analyze the content of links in the email. The link in this email leads to a Google Slides presentation hosted on docs.google.com, a common tactic in phishing attacks that uses a legitimate domain to disguise malicious activity.
  • Social Engineering Detection: The email uses social engineering techniques to create a sense of urgency and convince the recipient to take action. Abnormal is designed to detect these psychological tricks.
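The three detection signals listed above, together with the bypass reasons in the previous section (no attachment, unknown sender, link to a document on a legitimate host), can be illustrated with a small heuristic analyzer. The following is an added example and is not Abnormal Security's code or a description of its detection engine. It assumes an allowlist of domains permitted to send as the AT&T brand (here only att.com), a set of document-hosting domains that attackers stage redirects on, and a list of urgency phrases; the two sample messages, their addresses and the document id are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample shaped like the attack described on this page: a brand
# name in the display name, "attnet" in the local-part, a free-webmail-style
# sending domain, urgency language, and a link to a slide deck on a
# legitimate document host. The addresses and document id are placeholders.
ATTACK_EMAIL = """\
From: "AT&T Email Admin Service" <attnet.support@mail.example>
To: victim@example.com
Subject: Action required: your AT&T Mail version is about to expire
Content-Type: text/plain; charset=utf-8

Your current version of AT&T Mail (Currently, from AT&T) is about to expire.
Update your account to the latest version and accept the updated terms here:
https://docs.google.com/presentation/d/PLACEHOLDER_DOC_ID/edit
If you do not update, you will lose access to your inbox.
"""

# Constructed benign control message from a known correspondent.
BENIGN_EMAIL = """\
From: "Pat Colleague" <pat@example.com>
To: victim@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Thursday? No rush.
"""

BRAND_TERMS = ("at&t", "attnet")        # brand strings worth protecting
BRAND_DOMAINS = ("att.com",)            # assumed allowlist for that brand
DOC_HOSTS = {"docs.google.com"}         # legitimate hosts used to stage redirects
URGENCY_PHRASES = ("about to expire", "lose access", "action required")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _is_brand_domain(domain):
    """True if the sending domain is the brand itself or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def analyze_message(raw, known_senders=frozenset()):
    """Return the phishing indicators found in a raw RFC 5322 message.

    known_senders: lowercase addresses the organization has corresponded with
    before (the 'established normal behavior' the page refers to).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    local_part, _, domain = addr.lower().rpartition("@")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    indicators = []

    # Sender analysis (1): brand name in the display name or local-part while
    # the actual sending domain is not an allowlisted brand domain.
    if any(t in (display + " " + local_part).lower() for t in BRAND_TERMS) \
            and not _is_brand_domain(domain):
        indicators.append("brand_impersonation")

    # Sender analysis (2): no prior correspondence with this address.
    if addr.lower() not in known_senders:
        indicators.append("unknown_sender")

    # Link analysis: any URL whose host is a legitimate document-hosting
    # service, which legacy URL reputation alone will not flag.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    if hosts & DOC_HOSTS:
        indicators.append("hosted_document_link")

    # Social engineering: urgency / loss-of-access language in the body.
    if any(p in text.lower() for p in URGENCY_PHRASES):
        indicators.append("urgency_language")

    if len(indicators) >= 3:
        verdict = "likely_phishing"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_message(ATTACK_EMAIL))
    print(analyze_message(BENIGN_EMAIL, known_senders=frozenset({"pat@example.com"})))
```

The point of the example is that none of the four signals is decisive on its own (plenty of legitimate mail links to docs.google.com, and every new vendor is an unknown sender), which is why the verdict is driven by the combination rather than by a single rule, and why the sample benign message from a known correspondent produces no indicators at all.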

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Free Webmail Account, Masked Phishing Link
Theme: Account Update
Impersonated Party: Brand
