Search the repository of unique attacks observed by the Abnormal Intelligence team.
Attacker Compromises Vendor Account and Uses Confluence Page to Attempt Credential Theft

A threat actor masks a phishing link to a fake Microsoft login page in a Confluence notification sent from a compromised vendor account.

Threat Actor Poses as Vendor and Sends Fake QuickBooks Notification to Attempt Credential Theft

A threat actor fabricates a QuickBooks notification and sends a target a phishing link, purportedly to a password-protected overdue invoice.

Threat Actor Compromises Account of Construction Project Manager and Uses Content-Sharing Platform to Send Fake RFP

An attacker attempts to trick a target into revealing sensitive information by using a compromised email account and a legitimate content-sharing platform.

Attacker Impersonates Company Admin in Clever Credential Phishing Attempt

A threat actor uses a fake message delivery failure notification and fabricated authentication processes to try to convince a target to reveal sensitive information.

Credential Phisher Uses Legitimate Email Marketing Platform to Send Fake Voicemail Alert

After compromising a Constant Contact account, the attacker impersonates a law firm and sends a fake voicemail notification to attempt credential theft.

Threat Actor Poses as Microsoft and Leverages Open Redirect in Clever Credential Phishing Attack

After registering a legitimate Microsoft-based email account, an attacker sends a fake Microsoft voicemail notification to deceive a target into entering sensitive information.

Attacker Uses Compromised Email to Send Fake Microsoft OneDrive Notification in Credential Phishing Attack

A threat actor exploits the reputation of an established domain to send an email with an embedded image of a fabricated file-sharing notification linked to a phishing page.

Microsoft Impersonator Uses Malicious QR Code in Credential Phishing Attack

An attacker emails a fake password expiration notification with a malicious QR code linked to a phishing site.

PayPal Impersonator Uses Spoofed Email Hosted on Legitimate Domain to Attempt Credential Theft

An attacker mimics PayPal branding and uses an Outlook address with a spoofed sender name to compel a target to click a malicious link.

Vendor Impersonation Attack Utilizes Salesforce Link in Attempt to Steal Sensitive Information

After compromising a vendor’s domain, an attacker attempts to compel a target to click a phishing link disguised as a shared document.

Microsoft Impersonator Spoofs Voicemail Service and Uses QR Code in Attempted Credential Theft

By crafting an email that resembles a voicemail notification from Microsoft, an attacker hopes the target will scan a malicious QR code that leads to a credential phishing website.

Adobe Acrobat Sign Impersonator Sends Fake Document Notification Linked to Branded Office 365 Phishing Page

An attacker attempts to steal sensitive information using a fraudulent electronic signature request for a nonexistent NDA.

Attacker Uses Spoofed Domain to Send Fake Voicemail Notification Linked to Phishing Page

An attacker mimics a voice messaging service to lure a target to enter login credentials on a counterfeit landing page.

Threat Actor Sends Fake DocuSign Notification of Payroll and Benefits Update in QR Code Phishing Attack

An attacker attempts credential theft via a PDF attachment with DocuSign branding containing a QR code linked to a phishing site impersonating a Microsoft login page.

IRS Impersonator Sends Fake eFax Notification Regarding Tax Documents to Attempt Credential Theft

An attacker capitalizes on the inherent urgency of tax season and attempts to trick a target into clicking a malicious JPG to view purported tax documents.

Capital One Impersonator Creates Authentic-Looking Landing Page in Credential Phishing Attempt

Using a legitimate sending domain as a mask and a spoofed display name, an attacker pretends to be from Capital One’s customer service team to steal login credentials.

Vendor Impersonator Uses Cleverly-Designed Fake Microsoft Excel Spreadsheet to Attempt Credential Theft

After spoofing a legitimate domain, an attacker uses a fake password-protected financial document to steal sensitive information.

Threat Actor Impersonates Santander Consumer Bank in Credential Phishing Attack

An attacker poses as a bank representative and creates a sense of urgency regarding the target’s credit card to compel them to click an embedded phishing link.

PayPal Impersonator Uses Social Engineering and Masked Phishing Link to Attempt Credential Theft

A phisher uses a spoofed domain to send a malicious email that incorporates PayPal's branding and creates a sense of urgency around potential account closure.

Vendor Impersonator Uses Fake Invoice Notification In Credential Theft Attempt

By compromising a legitimate domain, an attacker hopes to entice the target to a credential phishing website where sensitive information like payment details can be stolen.

Phisher Impersonates Amazon and Reports Issue with Prime Membership to Prompt Target to Share Sensitive Information

A threat actor attempts to fraudulently obtain credentials and/or payment details using an Amazon-branded PDF containing an embedded phishing link.

DHL Impersonator Spoofs Legitimate Domain to Send Fake Failed Shipment Notification in Phishing Attack

An attacker attempts to steal sensitive information by encouraging the recipient to use a masked phishing link to update their shipping address for a pending delivery.

Threat Actor Spoofs Legitimate Domain in Dual Credential Phishing Attack and Fake Billing Scam

An attacker attempts to steal login credentials and also reroute payments by sharing a fraudulent invoice behind a fake Adobe Acrobat login screen.

HR Impersonator Provides Fake Payroll Update in Credential Theft Attempt

By creating a sense of urgency and using official-sounding language, an attacker attempts to compel the target to click a phishing link purportedly related to payroll updates.

NDM Hospitality Impersonator Hijacks Email Thread in Convincing Credential Phishing Attack

An attacker compromises a vendor account and sends the target a fake Microsoft SharePoint link purportedly to a time-sensitive service agreement.

University HR Admin Impersonator Uses QR Code and Fake Microsoft Login Page in Credential Theft Attempt

Using official-sounding language, university branding, and a believable premise, an attacker attempts to steal sensitive information.

Attacker Compromises Legitimate Account and Embeds Phishing Link in Fake QuickBooks Payment Notification

Using a compromised email address, the threat actor sends a purposefully vague payment confirmation with an embedded phishing link.

Threat Actor Exploits Dynamics 365 Customer Voice in Phishing Attack Targeting Executive at Global Insurance Distributor

An attacker compromises an external account and embeds a phishing link in a Microsoft survey tool disguised as a document-sharing notification.

OpenSea Impersonator Creates Fake Landing Page in Sophisticated Credential Phishing Attack

After compromising a known domain, the attacker creates a fake landing page that mimics OpenSea’s official website and leverages social engineering to create a sense of urgency and persuade the target to take action.

Cleverly Designed Credential Phishing Attempt Impersonates Microsoft and Utilizes Authentic-Looking Fake Landing Page

Using a real domain as a mask, an attacker sends an image attachment with a QR code to entice the target to follow the link to reauthenticate MFA on a fake landing page.

Credential Phisher Utilizes Look-alike Domain and Fake Microsoft SharePoint Landing Page to Steal Sensitive Information

An attacker gets engagement from the target after discussing an RFQ and uses Microsoft survey forms to create a spoofed SharePoint link to appear legitimate.

Attacker Exploits Trusted Brands and Impersonates Financial Services Provider to Attempt Credential Phishing

In this credential phishing attack, the threat actor sends a fake invoice payment confirmation with a phishing link obscured using a URL shortener.

AT&T Mail Impersonator Uses Google Slides to Mask Link to Phishing Site Disguised as Login Page

A threat actor sends an account expiration notification with a link to a Google Slides presentation containing an embedded phishing link.

Attacker Compromises Account to Send Malicious Link to Fake Microsoft Login Page Designed to Steal Sensitive Information

After compromising a pro-manchester email account, a threat actor uses Monograph to host a malicious link that sends the target to a fake Microsoft login page.

Canada Post Impersonator Uses Japanese Domain in Credential Theft Attempt

A threat actor spoofs a Japanese domain and impersonates Canada Post to prompt targets to click on a credential phishing link.

Attacker Compromises New Jersey Department of Health Email Account and Sends Fake Document with Masked Phishing Link

After compromising the account, an attacker creates a fake document purporting to be a faxed invoice that includes a masked phishing link.

Chase Bank Impersonator Utilizes Google Drive to Send Masked Phishing Link Embedded in PDF Attachment

By creating a sense of urgency around unauthorized account activity and using a display name that includes "Chase Bank," the attacker aims to compel the recipient to take action.

PayPal Impersonator Uses PandaDoc to Send Fake Document in Credential Theft Attempt

An attacker claims to be from PayPal investigating a fraudulent transaction and requests sensitive information from the target to complete a verification process.

Trust Wallet Impersonator Combines Email Spoofing and Social Engineering in Credential Phishing Attack

An attacker attempts credential theft by impersonating Trust Wallet and sending a phishing link disguised as an account verification page.

Multi-Layer Instagram Impersonator Creates Several Fake Landing Pages in Sophisticated Credential Phishing Attempt

An attacker informs the target about copyright infringement and provides a fake form and login page to steal login credentials.

HR Impersonator Spoofs Healthcare Advisory Company to Attempt Credential Theft

Using a “two-bridge[.]com” domain as a mask, an attacker sends a credential phishing email disguised as an HR department update regarding approval of a new company handbook.

UPS Impersonator Uses Compromised Account in Credential Phishing Attempt

After compromising a legitimate domain, an attacker impersonates UPS and asks the recipient to verify shipping information via a phishing link.

Attacker Uses Adobe Acrobat’s File Sharing System in Cleverly Designed Credential Theft Attempt

After compromising the email account of a Vanguard Cleaning Systems employee, an attacker creates a legitimate-looking PDF with a masked phishing link to steal credentials.

MetaMask Impersonator Disguises Credential Phishing Attack as Know Your Customer (KYC) Verification

Using a legitimate Turkish domain, an attacker attempts credential theft by applying social engineering to convince a target their cryptocurrency wallet is at risk of suspension.

Amazon Customer Service Impersonator Uses Masked Phishing Link in Credential Phishing Attack

An attacker pretends to be from Amazon customer service and informs the recipient that their account is locked because of suspicious account activity.

Chatham Financial Impersonator Utilizes Masked Phishing Link in Fake Billing Scam

After compromising a domain, an attacker creates a fake Microsoft SharePoint attachment viewer in an attempt to steal money and sensitive information.

Sophisticated Credential Theft Attempt Features a Compromised Domain and Fake Landing Page

After compromising a legitimate domain, an attacker creates a fake landing page and impersonates an internal IT admin to attempt credential theft.

Multi-Layered Credential Phishing Attempt Features a Compromised Domain and a Masked Phishing Link

After compromising a Titan Worldwide domain, an attacker pastes previous conversations and a masked phishing link into an email in an attempt to steal sensitive information.

Likely AI-Generated Credential Phishing Attack Features Impersonation of Medicare Australia

An attacker pretends to be from Medicare Australia and informs the recipient that their Medicare services have been suspended due to insufficient contact information.

National Health Service Spoofer Compromises Domain and Sends Masked Phishing Link in PNG Attachment

An attacker uses a legitimate NHS domain and Microsoft SharePoint to trick a recipient into clicking on a masked phishing link and exposing sensitive information.

Bank of America Impersonator Utilizes Google Drive to Send Masked Phishing Link Embedded in PDF Attachment

By creating a sense of urgency around unauthorized account access and using a sending domain that includes "Bank of America," the attacker aims to compel the recipient to take action.

Attacker Utilizes DocuSign to Send Masked Phishing Link Embedded in a PNG Attachment

By using a legitimate document-sending service, the attacker is counting on the recipient to engage with the attachment and expose sensitive information.

U.S. Department of Agriculture Impersonator Attempts Credential Theft Via QR Code in PDF Attachment

An attacker attempts credential theft by spoofing the USDA with an official-sounding message and a PDF attachment containing a QR code that leads to a phishing site.

Spotify Spoofer Attempts Credential Theft with Fake Login Page

An attacker pretends to be from Spotify’s customer support, inquiring about updating payment details, and creates a legitimate-looking fake Spotify login page where sensitive information can be stolen.

Clever Credential Phishing Attempt Features Fake Microsoft Office 365 Password Change Link

An attacker embeds a malicious link into an image file that looks like a Microsoft Office 365 password change alert and includes official-sounding written disclosures to increase credibility.

Credential Phisher Impersonates Internal Company Admin to Steal Sensitive Information

Using a real domain from the company as a mask, an attacker informs the recipient of blocked emails and provides links to help resolve the issue.

Coinbase Impersonator Attempts Credential Theft by Claiming Account Restriction

Hiding the actual sending domain behind a display name of "Coinbase," an attacker spoofs Coinbase's customer support to steal sensitive information.

Robinhood Impersonator Attempts Credential Theft With Fake Withdrawal Notification

By leveraging a domain similar to official Robinhood communications, an attacker attempts to steal sensitive information by creating a sense of urgency.

Sophisticated Attacker Impersonates a Company Admin and Utilizes Microsoft-Branded QR Code in Attempted Credential Phishing

An attacker creates a fake Microsoft-branded QR code and landing page to compel the recipient to enter sensitive information.

Vacation Planner Impersonator Attempts Credential Phishing with Compromised Account

An attacker gains control of a vacation resort’s customer service email address and attempts to steal sensitive information after informing the recipient of a refund.

Apple Impersonator Creates Fake Landing Page in Credential Phishing Attempt

An attacker cleverly designs a fake landing page that mimics Apple’s legitimate website to entice the recipient to input sensitive information.

TSB Bank Impersonator Uses Look-alike Domain in Likely AI-Generated Credential Phishing Attack

An attacker utilizes an unregistered look-alike domain as a mask to impersonate TSB Bank and steal sensitive information.

Netflix Impersonator Likely Utilizes Generative AI in Credential Phishing Attack

An attacker takes control of a legitimate domain to impersonate Netflix customer support in a credential theft attempt.

Attacker Takes Over Established Domain in Likely AI-Generated Credential Phishing

An attacker breaks into a 21-year-old email account and links to a malicious IPFS gateway to steal sensitive information.

Amazon Spoofer Attempts Credential Phishing with Look-alike Domain

Using friendly language and a hidden malicious link, an attacker impersonates Amazon to steal sensitive information.

Sophisticated USPS Impersonator Attempts Credential Theft in Multi-Layered Attack

An attacker likely uses generative AI to create a fake automated USPS message about incorrect address information, including links to a fake USPS landing page.

Investment Opportunity Spoofer Offers Financial Services in Likely AI-Generated Scam

An attacker offers business financing options and promises commission for all successful referrals using a spoofed address.

Freight Company Impersonated in Likely AI-Generated Credential Theft Attempt

An attacker utilizes a domain closely resembling that of freight company DAT One in a credential theft attempt.

Australian Government Spoofer Promises Tax Refund in Likely AI-Generated Credential Theft

An attacker pretends to be from the “Australian Taxation Office” to steal the victim’s login credentials by promising a tax refund.

Debt Collector Spoofer Attempts Credential Theft

An AI-generated attack impersonates a debt collector and creates a sense of urgency to attempt to steal personal information.

Likely AI-Generated Attack Attempts Credential Phishing

An attacker uses a generative AI tool to spoof an insurance company, hoping to steal login credentials.

AI-Generated Credential Theft Attempted via Internal Company Impersonation

By leveraging urgency, an attacker sends an internal company communication in an attempt to steal credentials.

Kraken Exchange Spoofer Attempts to Steal Login Information

An attacker impersonates a popular cryptocurrency exchange and creates a fake website to steal login credentials.

Attacker Impersonates Apple to Request Billing Details

Using a cleverly disguised no-reply domain, an attacker poses as Apple customer support in an attempt to get billing details and other sensitive information.

Ivy League Health Director Compromised in Monkeypox Scare Spoof

By leveraging a recent public health crisis and targeting universities, the attacker hopes to elicit immediate action and steal email credentials.

Attempted Payment Fraud Using Lookalike Domain and Real Invoices Targets Manufacturing Company

Attackers pose as existing vendors and use a lookalike domain and real invoices in an attempt to fraudulently update payment information.

Phishing Attack Disguised as Notification Informing VP Storage Capacity Limit Exceeded

Attackers disguise a phishing email to a VP at a financial institution as a notification that full storage capacity has been reached and emails will no longer be delivered.

Fake Email Account Deactivation Notice with Phishing Link Targeting Online Retailer

Attackers pose as the internal support team at an online retailer and claim the recipient's email account has been queued for deactivation in an attempt to steal credentials or install malware.

Brand Impersonation Phishing Attack Targets VIP Using Fake Zoom Meeting Invite

This phishing attack leverages brand impersonation in an attempt to trick a VIP into clicking on a phishing link disguised as a Zoom meeting invite.

Phishing Attack Impersonates Real Estate Agent Sending Fake Document Notification to Lawyer

This phishing attack impersonated a real estate agent using dotloop, a real estate transaction management software, to trick the recipient into visiting a phishing website.

Credential Phishing Attack Poses as a Secure Message Shared by the IRS

This link-based attack impersonated the IRS using the pretext of sharing a secure ShareFile message that led to a phishing site designed to steal email credentials.

Phishing Attack Impersonating FedEx Steals Personal and Financial Data Using Captcha Protection and MFA Bypass

This phishing attack impersonated FedEx using a fake shipping notification pretext to direct a recipient to a captcha-protected phishing page created to steal personal and financial information using MFA bypass tactics.

Phishing Attack Uses Pretext of Shared Tax Documents to Steal Employee Credentials

This link-based attack incorporated a fake file attachment posing as shared tax documents that led to a phishing page meant to steal email credentials across multiple email providers.

Email Poses as an Incoming ACH Payment with HTML Attachment Leading to Branded Credential Phishing Page

This payload-based attack posed as a fake incoming ACH payment masked as an automated email from an internal company system, which contained an HTML attachment that led to a branded phishing page intended to steal the recipient’s credentials.

Phishing Attack Steals Credentials by Imitating HR Request to Review New Employee Handbook

This link-based attack imitated a company human resources email that announced the release of a new employee handbook, which included a link to a phishing page meant to steal an employee’s name and email credentials.

Payload Credential Phishing Attack Poses as an HR Announcement About New Employee Benefits

This payload-based phishing attack posed as an announcement from the company human resources team about updates to the company’s employee benefits package and requested the recipient review a supposed updated handbook, which actually opened a phishing page to steal account credentials.

Response-based Phishing Attack Impersonates CFO to Compromise Australian myGov Credentials

This attack impersonated a company CFO using a pretext of employee rewards and recognition to solicit a response leading to a request for Australian myGov credentials.

Credential Phishing Attack Poses as an Automated Aging Report Notification

This payload-based attack posed as an aging report being shared by an automated internal system that contained an HTML attachment leading to a credential phishing page.

Multi-Stage Credential Phishing Attack Uses Office365-themed PDF Attachment and Legitimate Adobe Hosting Infrastructure

This payload-based attack contained an Office365-themed PDF attachment with an embedded link to a legitimate Adobe page, which included another link to a final credential phishing page.

Credential Phishing Attack Poses as a Security Update to Enable End-to-End Encryption

This link-based credential phishing attack disguised itself as a security update to add end-to-end encryption on all employee devices.

Attack Impersonating Compromised Third-Party to Share Document Leads to OneDrive Phishing Page

This link-based attack exploited the compromised account of an external third-party to make it appear that a vendor was sharing a link to a document about new dues, when the link actually led to a OneDrive phishing page to steal credentials.

Credential Phishing Attack Masquerades as an Employee Training Invoice

This payload-based credential phishing email employed bypass tactics, including a hidden sender address and obfuscated text, to pose as an invoice for employee training.

Credential Phishing Attack Poses as a Location-based Security Alert

This payload-based credential phishing attack sent from a self-addressed spoofed email address posed as a security alert, indicating the user’s data had been accessed from a suspicious location and an HTML attachment needed to be reviewed or else their account would be locked.

Employee Sales Award-themed Credential Phishing Attack Impersonates Square

This link-based phishing attack impersonating Square used a pretext of an employee sales award to compromise account credentials.

Payload Credential Phishing Attack Incorporates a Tax Refund Theme

This payload-based attack was sent to a company executive using a tax refund theme as a pretext to get them to open an HTML file attached to a blank email, which led to a company-branded credential phishing page.

Executive Targeted in Attack Posing as Fake Financial Documents Distributed via SharePoint

This payload-based credential phishing attack targeted an executive with an email posing as financial documents shared via SharePoint and used foreign character substitution to bypass detection.

Executive Targeted in a Self-Addressed Escrow-Themed Credential Phishing Attack

This payload-based credential phishing attack, sent from a self-addressed spoofed email account, targeted an executive and posed as a real estate document.

DocuSign Phishing Email Uses Fake Payroll and Retirement Worksheet to Steal Credentials

This payload-based credential phishing attack impersonated DocuSign and requested that recipients review employee payroll and retirement documents contained in an attached HTML file.

Credential Phishing Attack Poses as Executive’s Bonus Document

This payload-based credential phishing attack targeted an executive and posed as an attached document needing review before receiving a company bonus.

Microsoft Password Expiration Pretext Used in Credential Phishing Attack

This phishing attack impersonates Microsoft using a password expiration theme to steal credentials via a malicious link.

Australian Tax Office Impersonated in Funds Transfer-themed Phishing Attack

This attack impersonates the Australian Taxation Office with a payment transfer theme and asks the recipient to validate their identity by leading them to a phishing page contained within an HTML attachment.

Wells Fargo Home Mortgage Payoff Quote Contains Credential Phishing Attachment

This attack impersonates Wells Fargo using a spoofed email address and a home mortgage payoff theme to steal credentials via an HTML attachment.

Blank Self-Addressed Spoofed Email Leads to Convincing Credential Phish

A spoofed email impersonates a settlement release in order to trick recipients into opening a phishing attachment.

Credential Phishing Email Tricks Employees Using Company HR Policy Changes

Attackers impersonate the human resources team to inform employees of salary increases, luring them to follow phishing links.

Adobe Acrobat Secure Fax Link Leads to Dropbox-Hosted Phishing Website

An attacker's email containing an image of an Adobe Acrobat fax link leads to a phishing website hosted on Dropbox infrastructure.

Employee Benefits Eligibility Lure Used to Phish for Email Credentials

Attackers impersonate the HR department to deliver an updated Employee Benefits Eligibility Policy as part of a credential phishing attack.

DHL Fake Shipping Notification Used in HTML Credential Phishing Attack

Attackers impersonate DHL and ask the recipient to check their shipping documents, hidden behind a fake Microsoft 365 credential phishing page.

Paid Invoice Notification Used for Credential Phishing Attack

Attackers use an external compromised vendor account and a receipt confirmation to trick recipients into providing their Microsoft 365 credentials.

Fake Encrypted Secure Message Spoofed in Credential Phishing Attack

Attackers send what appears to be an encrypted message, similar to what you might receive from your bank, to trick recipients into providing Microsoft 365 login information.

Payroll Impersonation Designed to Elicit Quick User Response in Credential Phishing Attack

Attackers impersonate an encrypted Microsoft email focused on paystub registration to steal Microsoft 365 credentials.

DocuSign Brand Impersonation Leads to Credential Phishing Attacks

Attackers use well-known document management service DocuSign to trick users into providing Outlook login credentials.

Office 365 Image Evades Text Analysis in Credential Phishing Attack

Attackers rendered an Office 365 email as a single image file with an accompanying credential phishing link wrapping the image.

Salary Increase Update Sent to Steal Employee Credentials

Attackers impersonate the company payroll department to send a wage update that takes users to a OneDrive phishing page and steals Microsoft 365 credentials.
