Search the repository of unique attacks observed by the Abnormal Intelligence team.
Attempted Payment Fraud Using Lookalike Domain and Real Invoices Targets Manufacturing Company

Attackers pose as existing vendors and use lookalike domain and real invoices in attempt to fraudulently update payment information.

Phishing Attack Disguised as Notification Informing VP Storage Capacity Limit Exceeded

Attackers disguise phishing email to VP at financial institution as notification that full storage capacity has been reached and emails will no longer be delivered.

Fake Email Account Deactivation Notice with Phishing Link Targeting Online Retailer

Attackers pose as the internal support team at an online retailer and claim the recipient's email account has been queued for deactivation in an attempt to steal credentials or install malware.

Brand Impersonation Phishing Attack Targets VIP Using Fake Zoom Meeting Invite

This phishing attack leverages brand impersonation in an attempt to trick a VIP into clicking on a phishing link disguised as a Zoom meeting invite.

Phishing Attack Impersonates Real Estate Agent Sending Fake Document Notification to Lawyer

This phishing attack impersonated a real estate agent using dotloop, a real estate transaction management software, to trick the recipient into visiting a phishing website.

Credential Phishing Attack Poses as a Secure Message Shared by the IRS

This link-based attack impersonated the IRS using the pretext of sharing a secure ShareFile message that led to a phishing site designed to steal email credentials.

Phishing Attack Impersonating FedEx Steal Personal and Financial Data Using Captcha Protection and MFA Bypass

This phishing attack impersonated FedEx using a fake shipping notification pretext to direct a recipient to a captcha-protected phishing page created to steal personal and financial information using MFA bypass tactics.

Phishing Attack Uses Pretext of Shared Tax Documents to Steal Employee Credentials

This link-based attack incorporated a fake file attachment posing as shared tax documents that led to a phishing page meant to steal email credentials across multiple email providers.

Email Poses as an Incoming ACH Payment with HTML Attachment Leading to Branded Credential Phishing Page

This payload-based attack posed as a fake incoming ACH payment masked as an automated email from an internal company system, which contained an HTML attachment that led to a branded phishing page intended to steal the recipient’s credentials.

Payload Credential Phishing Attack Poses as an HR Announcement About New Employee Benefits

This payload-based phishing attack posed as an announcement from the company human resources team about updates to the company’s employee benefits package and requested the recipient review a supposed updated handbook, which actually opened a phishing page to steal account credentials.

Phishing Attack Steals Credentials by Imitating HR Request to Review New Employee Handbook

This link-based attack imitated a company human resources email that announced the release of a new employee handbook, which included a link to a phishing page meant to steal an employee’s name and email credentials.

Response-based Phishing Attack Impersonates CFO to Compromise Australian myGov Credentials

This attack impersonated a company CFO using a pretext of employee rewards and recognition to solicit a response leading to a request for Australian myGov credentials.

Credential Phishing Attack Poses as an Automated Aging Report Notification

This payload-based attack posed as an aging report being shared by an automated internal system that contained an HTML attachment leading to a credential phishing page.

Multi-Stage Credential Phishing Attack Uses Office365-themed PDF Attachment and Legitimate Adobe Hosting Infrastructure

This payload-based attack contained a Office365-themed PDF attachment with an embedded link to a legitimate Adobe page, which included another link to a final credential phishing page.

Credential Phishing Attack Poses as a Security Update to Enable End-to-End Encryption

This link-based credential phishing attack disguised itself as a security update to add end-to-end encryption on all employee devices.

Attack Impersonating Compromised Third-Party to Share Document Leads to OneDrive Phishing Page

This link-based attack exploited the compromised account of an external third-party to make it appear that a vendor was sharing a link to a document about new dues, when the link actually led to a OneDrive phishing page to steal credentials.

Credential Phishing Attack Masquerades as an Employee Training Invoice

This payload-based credential phishing email employed bypass tactics, including a hidden sender address and obfuscated text, to pose as an invoice for employee training.

Credential Phishing Attack Poses as a Location-based Security Alert

This payload-based credential phishing attack sent from a self-addressed spoofed email address posed as a security alert, indicating the user’s data had been accessed from a suspicious location and an HTML attachment needed to be reviewed or else their account would be locked.

Employee Sales Award-themed Credential Phishing Attack Impersonates Square

This link-based phishing attack impersonating Square used a pretext of an employee sales award to compromise account credentials.

Payload Credential Phishing Attack Incorporates a Tax Refund Theme

This payload-based attack was sent to a company executive using a tax refund theme as a pretext to get them to open an HTML file attached to a blank email, which led to a company-branded credential phishing page.

Executive Targeted in Attack Posing as Fake Financial Documents Distributed via SharePoint

This payload-based credential phishing attack targeted an executive with an email posing as financial documents shared via SharePoint and used foreign character substitution to bypass detection.

Executive Targeted in a Self-Addressed Escrow-Themed Credential Phishing Attack

This payload-based credential phishing attack sent from a self-addressed spoofed email account targeted an executive posing as a real estate document.

DocuSign Phishing Email Uses Fake Payroll and Retirement Worksheet to Steal Credentials

This payload-based credential phishing attack impersonated DocuSign and requested that recipients review employee payroll and retirement documents contained in an attached HTML file.

Credential Phishing Attack Poses as Executive’s Bonus Document

This payload-based credential phishing attack targeted an executive posing as an attached document needing review before receiving a company bonus.

Microsoft Password Expiration Pretext Used in Credential Phishing Attack

This phishing attack impersonates Microsoft using a password expiration theme to steal credentials via a malicious link.

Australian Tax Office Impersonated in Funds Transfer-themed Phishing Attack

This attack impersonates the Australian Taxation Office with a payment transfer theme and asks the recipient to validate their identity by leading them to a phishing page contained within an HTML attachment.

Wells Fargo Home Mortgage Payoff Quote Contains Credential Phishing Attachment

This attack impersonates Wells Fargo using a spoofed email address and a home mortgage payoff theme to steal credentials via an HTML attachment.

Blank Self-Addressed Spoofed Email Leads to Convincing Credential Phish

A spoofed email impersonates a settlement release in order to trick recipients into opening a phishing attachment.

Credential Phishing Email Tricks Employees Using Company HR Policy Changes

Attackers impersonate the human resources team to inform employees of salary increases, luring them to follow phishing links.

Adobe Acrobat Secure Fax Link Leads to Dropbox-Hosted Phishing Website

An attacker email containing an image of an Adobe Acrobat fax link leads to a phishing website hosted on Dropbox infrastructure.

Employee Benefits Eligibility Lure Used to Phish for Email Credentials

Attackers impersonate the HR department to deliver an updated Employee Benefits Eligibility Policy as part of a credential phishing attack.

DHL Fake Shipping Notification Used in HTML Credential Phishing Attack

Attackers impersonate DHL and ask the recipient to check their shipping documents, hidden behind a fake Microsoft 365 credential phishing page.

Paid Invoice Notification Used for Credential Phishing Attack

Attackers use an external compromised vendor account and a receipt confirmation to trick recipients into providing their Microsoft 365 credentials.

Fake Encrypted Secure Message Spoofed in Credential Phishing Attack

Attackers send what appears to be an encrypted message, similar to what you might receive from your bank, to trick recipients into providing Microsoft 365 login information.

Payroll Impersonation Designed to Elicit Quick User Response in Credential Phishing Attack

Attackers impersonate an encrypted Microsoft email focused on paystub registration to steal Microsoft 365 credentials.

DocuSign Brand Impersonation Leads to Credential Phishing Attacks

Attackers use well-known document management service DocuSign to trick users into providing Outlook login credentials.

Office 365 Image Evades Text Analysis in Credential Phishing Attack

Attackers rendered an Office 365 email as a single image file with an accompanying credential phishing link wrapping the image.

Salary Increase Update Sent to Steal Employee Credentials

Attackers impersonate the company payroll department to send a wage update that takes users to a OneDrive phishing page and steals Microsoft 365 credentials.


Attack Type

Impersonated Party

Impersonated Brand

Attack Goal

Attack Vector

Attack Tactic

Attack Theme

Attack Language

See How Abnormal Stops Emerging Attacks

Get a Demo