This attack features an attempt to redirect a large invoice using a lookalike domain. To begin, the attacker compromises a vendor account, then uncovers an existing email thread that discusses payment of a $621,000 invoice. The attacker then creates a lookalike domain and copies and pastes the original legitimate thread into a new, malicious thread. To add further legitimacy, the attacker takes the real invoice detailing the large payment from the original thread and attaches it to the new thread in an effort to pose as the vendor.

Since the attachment in the attacker’s newly created malicious thread is the real invoice, legacy email security tools have trouble flagging this as an attack. Additionally, limited AI-based analysis makes multi-layered attacks like this one difficult to flag.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Attachments with no suspicious extensions: The email includes attachments in .png and .pdf format. Legacy tools often focus on executable, macro-enabled, or compressed files, potentially missing the threat posed by these files.
  • Ineffective against multilayered attacks: Legacy email tools struggle with multilayered attacks that combine various tactics and techniques.
  • Limited AI-based analysis: Traditional email security tools lack advanced AI-based analysis capabilities that could help detect phishing emails, such as natural language processing, domain reputation analysis, and sender behavioral analysis.

How Does Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Entity relationship analysis: Studying the historical communication patterns and relationships between the email sender and recipient allows for identifying deviations from the norm. In this case, the recipient had never received an email from this address before. 
  • In-depth attachment analysis: Advanced tools thoroughly examine attachments for potential threats, using next-generation image recognition and OCR techniques to uncover illegitimate attachments.
  • Sender discrepancies: There are inconsistencies in the sender's email address and domain compared to the claimed company.

By recognizing established normal behavior and detecting these abnormal indicators, Abnormal has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
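
As a simplified illustration of two of the signals listed above (a first-time sender and a sender domain that nearly matches a known vendor's), the following added example is not Abnormal's implementation and is not taken from the original write-up. The addresses, the `assess_sender` helper, and the edit-distance threshold of 2 are all assumptions constructed for the example.

```python
"""Added illustration: first-time-sender and look-alike-domain checks."""

# Constructed sample: addresses this recipient has previously corresponded with.
KNOWN_SENDERS = {"ap@acme-supplies.example", "billing@northwind.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def assess_sender(sender: str, known_senders: set, max_distance: int = 2) -> dict:
    """Compare a sender with the recipient's correspondence history."""
    known = {s.strip().lower() for s in known_senders}
    known_domains = {domain_of(s) for s in known}
    dom = domain_of(sender)
    result = {"first_time_sender": sender.strip().lower() not in known,
              "lookalike_of": None,
              "verdict": "allow"}
    if dom in known_domains:
        # Exact match with a known domain: not a look-alike. A compromised
        # genuine account needs other signals and is out of scope here.
        return result
    # An unknown domain within a few edits of a known one is the
    # look-alike pattern; keep the closest known domain for the analyst.
    near = [(edit_distance(dom, k), k) for k in known_domains]
    near = [(d, k) for d, k in near if d <= max_distance]
    if near:
        result["lookalike_of"] = min(near)[1]
        result["verdict"] = "hold_for_review"
    return result


if __name__ == "__main__":
    # Constructed look-alike: "supplles" instead of "supplies".
    print(assess_sender("ap@acme-supplles.example", KNOWN_SENDERS))
```

Plain edit distance does not catch Unicode homoglyphs or a vendor name moved to a different TLD, so a production check would normalize domains before comparing them.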

Analysis Overview

  • Payment Fraud
  • Look-alike Domain
  • Payment Inquiry
  • Impersonated Party: External Party - Vendor/Supplier
