This credential phishing attack features a compromised account and an exploitation of Adobe Acrobat and Acrobat Sign. First, the attacker breaks into the email account of an employee from Vanguard Cleaning Systems and compromises “mtorrez@vanguard365[.]com.” Then, using Adobe Acrobat, they create a PDF designed to look like an Acrobat Sign prompt to view an invoice. The attacker then sends the file via Adobe Document Cloud. If the recipient clicks on the “View Document” button in the PDF, they will be taken to a credential phishing website where sensitive information is at risk of being exposed or stolen. Since Adobe cannot independently verify that the attacker gained unauthorized access to the Vanguard employee’s email account, the attack reaches the recipient’s inbox in the form of an automated message from Adobe.

Older, legacy email security tools struggle to properly identify this email as an attack because of the sender’s reputation, the lack of attachments, and advanced social engineering techniques. Modern, AI-powered email security solutions use advanced behavioral analysis in addition to analyzing the sender and links to accurately flag this email as an attack.

Status Bar Dots
Nov3 Screenshot
Status Bar Dots
Nov3 Screenshot 2

The attacker created a fake PDF that includes a masked phishing link in the “View Document” button.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sender Reputation: The email is sent from a legitimate domain, “adobe[.]com,” which is likely to be trusted by legacy email security tools.
  • Lack of Attachments: The email does not contain any attachments, which is often a red flag for legacy security tools as they can have malicious files or scripts.
  • Social Engineering: The email uses social engineering techniques to trick the recipient into clicking the links. These tactics are often difficult for legacy tools to detect as they require an ability to understand context and intent.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: Abnormal analyzes the sender details and identifies that the email was sent from a compromised Vanguard employee's account and was exploiting Adobe's legitimate platform—a common tactic used in phishing attacks.
  • Behavioral Analysis: Abnormal uses behavioral analysis to identify unusual patterns. The email's subject and content about an “invoice payment” is a common phishing tactic used to create a sense of urgency and trick the recipient into clicking on the malicious link.
  • Link Analysis: Abnormal analyzes the links in the email and flags them as potentially malicious, leading to websites commonly used for phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo