This multifaceted credential phishing attack begins with a threat actor compromising the email address of an employee from pro-manchester, a UK-based business development organization. Using the legitimate email address “rachel.tetlow@pro-manchester[.]co[.]uk” the attacker sends a short note about reports for pending development projects and directs the target to click a link to view them. The link leads to a “monograph.notesnook[.]com” landing page, where another link to the purported PDFs is provided. This second link leads to a fake Microsoft landing login page, which the threat actor hopes will trick the target into entering login credentials and other sensitive information that can be stolen and used for nefarious purposes.

Older, legacy security tools have difficulty properly identifying this email as an attack because it was sent from a legitimate email address, contains links in the body of the email not known to be malicious, and has no malicious attachments. Modern AI-powered security solutions analyze the content, links, and recipients in the email to accurately flag this email as an attack.

Status Bar Dots
Pro Manchester Attack Library 1 E
Status Bar Dots
Pro Manchester Attack Library 2

The attacker used Monograph to host a malicious link to a fake Microsoft login page.

Status Bar Dots
Pro Manchester Attack Library 3

This fake login page is designed to steal login credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Email Address: The email is sent from "rachel.tetlow@pro-manchester[.]co[.]uk", which is a legitimate email address. Legacy security tools might not flag this email as suspicious because the email address doesn't exhibit typical signs of a phishing email, such as a misspelled domain name or a free email service provider.
  • Lack of Known Malicious Links: Legacy security tools might not be able to effectively analyze these links for potential threats, especially if the linked websites are not on their list of known malicious sites.
  • Lack of Malicious Attachments: The email does not contain any malicious attachments, which are a common red flag for email security systems.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Recipient Analysis: Abnormal analyzes the recipients of emails and because high-ranking officials are often targets of spear-phishing attacks (as is the case here), this message is flagged.
  • Link Analysis: Abnormal analyzes all included links for potential threats, even if the linked websites are not on a list of known malicious sites. 
  • Content Analysis: Abnormal analyzes the text of the email for signs of phishing or social engineering. The language used in the email is designed to entice targets to take action, a signal of a malicious email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo