In this hybrid vendor email compromise and credential phishing attack, the threat actor uses the compromised email account of a business coordinator at an Australian manufacturing company to send the target a notification from Confluence. The notification purportedly regards documents related to ongoing business between the impersonated vendor and the target’s company and includes an invitation for the target to review said documents. However, if the target clicks the link to view the shared PDF, they will be taken to a fake Microsoft login page where the attacker will steal any information entered.

Older, legacy email security tools struggle to accurately identify this email as an attack because it leverages authentic platforms, lacks malicious attachments, and uses social engineering techniques. Modern, AI-powered email security tools analyze the links and their full redirection paths, as well as the message content and context, to correctly mark this email as an attack. 

Status Bar Dots
March 22nd Screenshot 1
Status Bar Dots
March 22nd Screenshot 2

The authentic Confluence page links to a spoofed Microsoft-branded login page.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Use of Legitimate Platforms: The attack leverages a legitimate Confluence page to host the phishing link, exploiting the trust in reputable platforms to evade URL reputation-based filtering commonly used by legacy security tools.
  • Lack of Malicious Attachments: The email itself does not contain malicious attachments, which are common indicators for legacy security tools. Instead, the phishing link is presented on an external page, making it harder for these tools to detect the threat.
  • Sophisticated Social Engineering: The attack uses social engineering tactics, such as the promise of accessing "Vital Documents," to create a sense of urgency and legitimacy. Legacy tools may not detect these psychological manipulations as indicators of phishing.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link and Redirection Tracking: Abnormal follows links and their redirection paths to identify malicious behavior, such as the redirection from a Confluence page to a fake login page, which might not be immediately apparent.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
  • Content Analysis: With sophisticated natural language processing and machine learning models, Abnormal analyzes the context and intent behind emails. This allows it to identify suspicious requests, such as asking a recipient to review documents unexpectedly.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Fake Attachment
External Compromised Account
Masked Phishing Link


Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo