This fake billing scam impersonates Chatham Financial, a global financial risk management firm. To begin, the attacker compromises the domain “requena[.]es” and changes the sender name to “Chatham Financial” to appear more legitimate. Using official-sounding language, the email informs the recipient of an outstanding invoice and provides a Google Drive link to view it and make a payment.

The link leads to a fake Microsoft SharePoint attachment previewer, which is just an image file with a malicious link embedded in it. If the recipient attempts to view the fake attachment, they will land on a credential phishing website where their sensitive information is at risk.

Older, legacy email security tools have difficulty identifying this email as an attack because they cannot detect the discrepancy between the sender and the email content, and because the email relies on social engineering techniques and carries no attachments. Modern, AI-powered email security solutions analyze the content, links, and recipient identity to accurately flag this email as an attack.


The attacker created an image with an embedded link that looks like a Microsoft SharePoint attachment previewer.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Mismatched Sender Information: The email comes from "teatro.principal@requena[.]es," but the content of the email is related to Chatham Financial. This mismatch can be overlooked by legacy security tools, which may not be able to analyze the email's content in relation to the sender's information.
  • Social Engineering: The email uses social engineering techniques, including posing as a financial institution and conveying a sense of urgency, to trick the recipient into clicking the link. These techniques can be difficult for traditional security solutions to detect.
  • Lack of Attachments: The email does not contain any attachments. Many legacy security tools focus on scanning attachments for malicious content, so an email without attachments may not be flagged as suspicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal analyzes the email's content and detects the mismatch between the sender's email address and the content related to Chatham Financial. This discrepancy is a strong indicator of a phishing attempt.
  • Link Analysis: Abnormal analyzes the links included in the email. The link to the Google Docs presentation could be a potential phishing attempt, and Abnormal's system flags this for further investigation.
  • Role-Based Analysis: Abnormal's system analyzes the recipient of the email. In this case, the recipient is a Senior Finance Manager, a role that is often targeted in business email compromise attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
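
The sender/content mismatch and the link-only payment lure described above can be approximated with plain header and body checks. The Python below is an added example, not Abnormal's detection logic; the brand-to-domain map, the placeholder domains and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand -> domains it legitimately sends from (placeholder domain).
BRAND_DOMAINS = {"chatham financial": {"chatham-brand.example"}}
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com"}
PAYMENT_LURE = re.compile(r"\b(invoice|outstanding|overdue|payment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def analyze(raw: str) -> set[str]:
    """Return the indicator names that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    hits = set()
    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            hits.add("brand_sender_mismatch")
    # 2. Collect text bodies and note whether any attachment is present.
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_maintype() == "text":
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(texts)
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    # 3. Payment language whose only payload is a link to a file-sharing host.
    if PAYMENT_LURE.search(body) and hosts & FILE_SHARE_HOSTS and not has_attachment:
        hits.add("payment_lure_file_share_link")
    return hits

def is_suspicious(raw: str) -> bool:
    # Either signal alone is common in legitimate mail; require both.
    return analyze(raw) >= {"brand_sender_mismatch", "payment_lure_file_share_link"}

def sample(from_header: str) -> str:  # constructed test message, not the real email
    return (f"From: {from_header}\nTo: finance.manager@recipient.example\n"
            "Subject: Outstanding invoice\nContent-Type: text/plain\n\n"
            "Your invoice is outstanding. View it and make a payment here:\n"
            "https://drive.google.com/file/d/EXAMPLE/view\n")

if __name__ == "__main__":
    for sender in ('"Chatham Financial" <events@compromised-sender.example>',
                   '"Chatham Financial" <billing@chatham-brand.example>'):
        print(sender, sorted(analyze(sample(sender))), is_suspicious(sample(sender)))
```

Requiring both indicators keeps ordinary invoices shared over Google Drive from being flagged on the link alone.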

Analysis Overview

  • Credential Theft
  • Masked Phishing Link
  • Fake Invoice
  • Impersonated Party

