This credential phishing attack features an impersonation of an internal IT system asking the recipient to change their login credentials for Microsoft Office 365. In a cleverly designed attack, the body of the email contains an image attachment that mimics a password change screen. In reality, the PNG attachment includes an external link that likely leads to a malicious and fake landing page where credentials are at risk. To further increase credibility, the attacker includes an official-sounding notice at the bottom of the email discussing confidentiality, which many large organizations that deal with proprietary information add to official correspondence. Lastly, the attacker’s sender name incorporates the recipient’s company, which improves the likelihood that the message could be mistaken for official communication. 

Legacy security tools have difficulty detecting this email as an attack because of the spoofed email address, the lack of malicious attachments, and the absence of typical phishing language in the body of the email. Modern, AI-powered security solutions analyze the links, sender/recipient behavior, and attachments to identify this email as an attack accurately.

Status Bar Dots
Sep29 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be from a legitimate email address, "mrice@riceelectricllc[.]com," which could bypass security checks that only look at the sender's email address.
  • Lack of Malicious Attachments: The email contains an attachment, but it's an image file, "11.99[.]png," which is typically considered safe. Legacy systems might not thoroughly scan such files for hidden threats.
  • Absence of Typical Phishing Language: If the email doesn't contain typical phishing language or urgent requests that legacy systems are programmed to detect, it might not be flagged as suspicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Behavioral Analysis: Abnormal analyzes the behavior of the sender and recipient. In this case, the system flagged the email because it comes from an unknown domain with which the recipient has no prior interactions.
  • Link Analysis: Abnormal analyzes the links included in the attachment. Even if the link isn't already flagged as dangerous in a database, the AI detects other potentially malicious elements.
  • Attachment Analysis: Abnormal analyzes the attachments included in the email. Although the attachment is an image file, typically considered safe, the AI can detect other suspicious characteristics.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name


Password Expiration

Impersonated Party

Internal System

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo