In this credential phishing attack, the threat actor impersonates Bank of America and uses Google Drive to send a PDF with an embedded malicious link. The attacker titles the PDF "Validate Your Web account Right away! Unrecognized Access Noticed![.]pdf" to convince the target that unauthorized access to their account has been detected and create a sense of urgency. Contained within the PDF is a link to a credential phishing website where sensitive information is at risk if the recipient engages. To increase the appearance of legitimacy, the threat actor includes a standard verification check in the PDF that many online services use to check for bots. Finally, the attacker uses an email address, "quihisditi2001@security.bankofamerica-com-secure[.]eu," and display name "Bank of America alert" for their Google Drive account to spoof official Bank of America communications. Because the attacker uses Google Drive to send this malicious PDF, a recipient might mistake it for official communications and click the phishing link. 

Legacy security tools have difficulty flagging this email as an attack because of the legitimate sending domain, the absence of a malicious attachment, and the spoofed reply-to address. Modern, AI-powered security solutions identify the reply-to address mismatch, the suspicious link, and the social engineering techniques in use, and correctly flag the email as an attack.


The attached PDF has an embedded phishing link.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Sender Domain: The email is sent from a legitimate Google domain, “drive-shares-dm-noreply@google[.]com,” which can bypass security checks that focus on the sender's domain reputation.
  • No Malicious Attachments: The email itself carries no file attachment, which is often what legacy security tools focus on. Instead, it links to a PDF shared through Google Drive, and content behind a share link is more challenging for these tools to analyze.
  • Spoofed Reply-To Address: The reply-to address differs from the sender's and is designed to look like a secure Bank of America email. This can trick users into thinking the email is legitimate and may not be caught by legacy systems focusing on the sender's address.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Reply-To Address Mismatch: Abnormal’s AI detects that the reply-to address differs from the sender's. This is a common tactic used in phishing attacks to trick recipients into responding to the attacker.
  • Social Engineering: The email's subject and the body text's content create a sense of urgency. The subject "Validate Your Web account Right away! Unrecognized Access Noticed!" is designed to alarm the recipient and prompt immediate action. This is a common social engineering tactic used in phishing attacks.
  • Suspicious Link: The email includes a link to a Google Drive file. Abnormal's AI analyzes the content of linked files to detect potential threats.
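As an added illustration (not Abnormal's detection logic, which the page notes is proprietary), the following Python checks a constructed sample message for the indicators listed above: a Reply-To domain that differs from the From domain, a reply-to domain that borrows the impersonated brand's name, urgency language in the subject, and a link to a file-sharing host instead of a direct attachment. The sender and reply-to addresses are the ones quoted on the page with the defanging brackets removed; the body text and the Drive file ID are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the page's description. Addresses come from the page
# (re-fanged so the parser sees real addresses); body text and file ID are made up.
SAMPLE_EML = """\
From: Bank of America alert <drive-shares-dm-noreply@google.com>
Reply-To: Bank of America alert <quihisditi2001@security.bankofamerica-com-secure.eu>
Subject: Validate Your Web account Right away! Unrecognized Access Noticed!
Content-Type: text/plain

Bank of America alert shared a file with you:
Validate Your Web account Right away! Unrecognized Access Noticed!.pdf
Open: https://drive.google.com/file/d/EXAMPLEFILEID/view
"""

URGENCY_TERMS = ("right away", "unrecognized access", "immediately", "suspended")
FILE_SHARE_HOSTS = ("drive.google.com", "docs.google.com")
# Brand token -> the domain that brand legitimately sends from (assumed for the example)
BRAND_DOMAINS = {"bankofamerica": "bankofamerica.com"}

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' when there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def brand_lookalike(domain: str) -> bool:
    """True when a brand name appears in a domain that is not the brand's real domain."""
    flat = domain.replace("-", "")
    for brand, real in BRAND_DOMAINS.items():
        if brand in flat and not (domain == real or domain.endswith("." + real)):
            return True
    return False

def score_email(raw: str) -> dict:
    """Evaluate the page's indicators against one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    subject = (msg.get("Subject") or "").lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    link_hosts = re.findall(r"https?://([^/\s]+)", body)
    return {
        "reply_to_mismatch": bool(reply_dom) and reply_dom != sender_dom,
        "brand_lookalike_reply_to": brand_lookalike(reply_dom),
        "urgent_subject": any(t in subject for t in URGENCY_TERMS),
        "file_share_link": any(h in FILE_SHARE_HOSTS for h in link_hosts),
    }

def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Simple policy: three or more indicators together mark the message for review."""
    return sum(score_email(raw).values()) >= threshold
```

Any single indicator is weak on its own (legitimate Drive shares also arrive from the Google domain), which is why the policy counts them together rather than acting on one.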

By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Masked Phishing Link
  • Theme: Suspicious Account Activity
  • Impersonated Party: Brand
  • Impersonated Brands: Bank of America
