This credential phishing attack features an impersonation of a company’s internal system. An attacker first spoofs the sending domain “mxlx[.]com” and uses the sender name “Relay Tracking System” to make the message seem as if it’s an authentic communication from an internal IT administrator. The email states that messages in the target’s inbox have been restricted due to a server error. The target is instructed to click the “Recover messages” button to access the messages and resolve the issue. If the target clicks on the button, they’re taken to a landing page where they’re instructed to press and hold a button, ostensibly to verify their identity. Because this is an increasingly common form of authentication for legitimate security processes, it may not raise any red flags for the recipient. From there, the target is taken to a page that resembles the company’s official login screen but is actually a phishing page, and if they enter their credentials, they will likely be stolen.

Older, legacy email security tools struggle to accurately flag this email as an attack because it utilizes social engineering techniques, lacks malicious attachments, and comes from an unknown sender. Modern, AI-powered email security solutions analyze the links, content, and unknown sender to mark this email as an attack correctly.

Status Bar Dots
April 4 Screenshot 1
Status Bar Dots
April 4 Screenshot 2

This fake authentication step is designed to trick the target into believing the security checks are part of a real validation process.

Status Bar Dots
April 4 Screenshot 3

This spoofed login page resembles the target’s company page.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Social Engineering: The attack employs advanced social engineering techniques, leveraging psychological manipulation rather than relying on technical vulnerabilities. This can be challenging for legacy tools to detect.
  • Lack of Malicious Attachments: Because the email does not include malicious attachments but instead uses a link and social engineering to prompt the recipient to perform an action (i.e., navigating to a phishing site independently), it may not trigger the detection mechanisms of legacy tools that primarily scan for these elements.
  • Unknown Sender: Attackers often use accounts that lack a negative history to evade reputation-based filters. Because the email is sent from an account that hasn't been previously flagged, legacy tools might not flag it as suspicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Unlike legacy tools, Abnormal performs deep inspection of links, analyzing the destination content and the context within the email, which helps identify disguised malicious links.
  • Content Analysis: Abnormal analyzes the language used and detects the presence of urgency cues, impersonation of services, and other psychological manipulation techniques in the email. This comprehensive analysis helps detect phishing attempts that rely on deception rather than traditional malicious payloads.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the target, and identifies this as a potential sign of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link
Captcha-Protected Phishing Page


Secure Message

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo