In this credential phishing attack, the threat actor poses as a vendor and uses a compromised email address to send what appears to be confirmation of an invoice payment. The attacker disguises the email as a message sent via QuickBooks’ bill pay services and includes the recipient’s name in the subject line for added authenticity.

The details in the supposed confirmation are deliberately vague to compel the recipient to click the “See Payment Details” button to learn more about the invoice and payer. Unlike an actual payment confirmation from QuickBooks which is a formatted HTML email, the content of this message is actually a bitmap image file with an embedded phishing link. If the recipient clicks the button to see what the payment is for, they could be taken to a malicious website that could steal their personal information or infect their computer with malware.

Older, legacy email security tools struggle to correctly identify this email as an attack because it is sent from a legitimate domain from whom the recipient has not previously received emails and lacks obviously malicious payloads. Modern, AI-powered email security solutions identify the suspicious attachment, analyze the link, and conduct contextual analysis to accurately flag this email as an attack.

Status Bar Dots
Quickbooks Payment Phishing Attack Email E

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Sender Domain: The email is sent from a legitimate domain, which has been registered for a long time (18 years). Legacy systems often trust older domains, which can be exploited by attackers.
  • Non-Malicious Attachment: The email contains an image attachment with a non-malicious content type (image/bmp). Because legacy systems focus on scanning for malicious attachment types, a benign image file could bypass these checks.
  • Unknown Sender: The email is sent from an unknown email and domain that the company has never received emails from in the past. This could bypass legacy systems that only flag emails from known malicious senders or domains.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Domain: The email is sent from an unknown email and domain that the company has never received emails from in the past. Abnormal flags such emails as potential threats, as they could be attempts to bypass traditional security measures.
  • Attachment Analysis: Although the attachment is a non-malicious image file, Abnormal can analyze the context in which the attachment is sent. If it's unusual for the recipient to receive such attachments from unknown senders, this can be flagged as a potential threat.
  • Link Analysis: The image attachment contains a link. Abnormal's system can analyze this link for potential threats, even if it is not flagged by traditional URL blacklists.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Personalized Email Subject
Spoofed Display Name
Masked Phishing Link


Fake Payment Receipt

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo