In this credential phishing attack, the threat actor compromises the email address of an attorney at a Mumbai-based law firm and emails the target regarding outstanding invoices. Because the message is sent from an established and trusted domain, it is immediately more difficult to identify it as a threat without advanced security tools. To create a sense of urgency, the subject line and body of the email reference unpaid invoices. The attacker informs the recipient that the firm’s accounts payable department uses OneDrive to share documents securely and includes a link that the target can purportedly use to view the invoices. Clicking on the link redirects the target to a fake SharePoint landing page with a prompt containing another button labeled “CLICK HERE TO ACCESS FILE”. If the recipient clicks on the second button, they are taken to a credential phishing page where any sensitive information entered will be stolen by the attacker.

Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a legitimate email address and sending domain, employs social engineering tactics, and lacks malicious attachments. Modern, AI-powered email security solutions analyze the content, unknown sender, and links to properly flag this email as an attack.

Status Bar Dots
AI Compromised Attorney Account Fake Share Point Phishing Page Email E
Status Bar Dots
AI Compromised Attorney Account Fake Share Point Phishing Page

The attacker creates a spoofed SharePoint landing page that links to a credential phishing website.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address and Sender Identity: The use of an email address that appears to be from a legitimate source can easily bypass legacy security tools that rely on simple blacklist-based or domain reputation-based filtering and might not flag the email as suspicious.
  • Social Engineering Tactics: The email's content, including urgency and impersonation of trusted entities, exploits human psychology. Legacy tools might not be equipped to assess the psychological manipulation inherent in the content.
  • Lack of Malicious Attachments: Since the email does not contain traditional malicious attachments (e.g., executable files or documents with macros), it can easily bypass security tools that scan attachments for known malicious signatures. The attack instead uses a deceptive link, which might not be flagged by systems that primarily focus on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal analyzes the language used and detects the presence of urgency cues and other psychological manipulation techniques in the email. This comprehensive analysis helps detect phishing attempts that rely on deception rather than traditional malicious payloads.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the target, and identifies this as a potential sign of a phishing attempt.
  • Link Analysis: Abnormal analyzes the links included in the attachment. While the link may not already be flagged as dangerous in a database, Abnormal detects other potentially malicious elements.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo