In this credential phishing attack, the threat actor leverages a compromised external vendor account to send a fraudulent e-signature request. After compromising a legitimate email account, the attacker sends the target a fake Docusign notification using a phishing template likely procured from a dark web marketplace. If the target clicks the “REVIEW DOCUMENT” button in the email to view the purported document, they are redirected to a page hosted on Google Sites, a legitimate web page creation tool. The Google Sites page acts as a malicious stepping stone and contains a second button labeled "PRESS HERE TO VIEW/DOWNLOAD DOCUMENT," which is connected to the attacker’s phishing page. Should the target click this button, they will be redirected to a malicious page where any sensitive information, including login credentials, will be stolen if they are entered.

 Older, legacy email security tools struggle to accurately flag this email as an attack because it contains no malicious attachments, uses legitimate hosting services, and manipulates the target with social engineering. Modern, AI-powered email security tools analyze the links, evaluate the content, and detect the lack of recipient information to correctly mark this email as an attack.

Status Bar Dots
March 29th Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Attachments: The email does not contain any attachments, which are often a focus of legacy security tools. Instead, it includes a link to a Google Sites page, which acts as an intermediary to the phishing page.
  • Legitimate Links: The link in the email is a file hosted on Google Sites, a legitimate and commonly used service. This can make it harder for security tools to identify the links as potentially malicious. 
  • Social Engineering: The email uses social engineering techniques to trick the recipient into clicking the links. These tactics are often difficult for legacy tools to detect as they require an ability to understand context and intent.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: While the email includes a link to a Google Sites page, a legitimate online solution. Abnormal analyzes the content of the linked site to detect potential threats. In this case, it detected the Google Sites page was linked to malicious content.
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other malicious tactics. In this case, the email uses social engineering tactics, such as urgency, to trick the recipient into clicking the link. 
  • Lack of Recipient Information: The email does not contain any email addresses in the “To” field. Instead, it shows “undisclosed” recipients. This is unusual and can be a sign of a mass phishing attack, which Abnormal's AI can detect.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo