This email is a credential phishing attack purporting to be from the “Australian Taxation Office.” The email suggests a tax refund awaits and instructs the recipient to fill out a tax return form via a provided link that looks like an official Australian government link. The link likely directs the recipient to a landing page where their credentials are at risk. The email is written similarly to official communications and includes no obvious spelling errors. Additionally, the attacker employs mismatched reply-to addresses, with “” set up to receive any replies from the recipient, making this attack more sophisticated.

Legacy email security tools have difficulty identifying this as an attack because they can’t analyze the history of the sender’s domain, the email contains deceptive social engineering techniques, and the use of mismatched reply-to addresses. Today’s modern, AI-powered email security solutions analyze the reputation of the sender and the email content, plus run checks on mismatched reply-to addresses to correctly flag this as an attack.

Status Bar Dots
Aug11 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender: The email is from an unknown domain and email address that the company has never received messages from in the past. Legacy security tools may not be able to track and analyze the history of the sender's domain and email address.
  • Deceptive Content: The email content attempts to trick the recipient into believing they are eligible for a tax refund, encouraging them to click the provided link. This social engineering technique can often bypass legacy security tools that primarily focus on detecting malware or spam.
  • Mismatched Reply-To Address: The reply-to address differs from the sender's. This common tactic is used in phishing attacks to hide the attacker's true identity, which legacy security tools may not detect.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Reputation Analysis: Abnormal's system checks if the fully qualified domain name (FQDN) and the email used to send the message are known or unknown to the company. In this case, both were unknown, which is a strong sign that the message may be from a dangerous source.
  • Content Analysis: The AI analyzes the content of the email. In this case, the email attempted to deceive the recipient into believing they were eligible for a tax refund by using official-sounding language and creating a sense of urgency, a common tactic in phishing attacks.
  • Reply-To Address Check: Abnormal's system checks if the reply-to email address differs from the sender's. In this case, there was a mismatch, a common tactic used in phishing attacks to hide the attacker's true identity.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


Tax Matter

Impersonated Party

Government Agency

Impersonated Brands

Australian Taxation Office

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo