This credential phishing attack involves the impersonation of an internal IT administrator. Using official-sounding language, the attacker informs the target of blocked messages not appearing in the recipient’s inbox. To appear more legitimate, the threat actor utilizes the actual administrator email of the recipient’s company as a mask. The message includes a list of emails with subject titles and several live links the recipient can click on to resolve the issue. If the recipient interacts with any of the links, sensitive information is likely at risk.  

Older, legacy email security tools have difficulty detecting this email as an attack because of the lack of malicious attachments, the use of a phishing link that is not obviously malicious, and the advanced social engineering tactics used by the attacker. Modern, AI-powered email security solutions analyze the links, attachments, and attacker behavior to flag this email as an attack accurately.

Status Bar Dots
Sep25 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments: The email contains an attachment, but it's an image file "72[.]png," which is not typically associated with malware. Legacy systems often focus on executable files or documents with macros, so they might not flag this email based on the attachment.
  • Phishing Link in Body: The email contains a link to a website "https://ladiesinternationalpokerseries[.]com" that is likely a phishing site. However, the URL is not obviously malicious, and legacy systems might not be able to analyze the content of the linked site.
  • Social Engineering Tactics: The email uses social engineering tactics, including creating a sense of urgency by stating that there are pending messages for delivery. Legacy systems often struggle to detect these types of psychological manipulations.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links included in the email body. The link in this email, "https://ladiesinternationalpokerseries[.]com," likely leads to a phishing site, which is a strong indicator of a malicious email.
  • Attachment Analysis: Abnormal analyzes the attachments included in the email. While the attachment in this email is an image file "72.png," not typically associated with malware, Abnormal Security can detect if it's being used in a suspicious context.
  • Behavioral Analysis: Abnormal uses behavioral analysis to detect unusual patterns in the email, such as using social engineering tactics. The email creates a sense of urgency by stating that there are pending messages for delivery, a common tactic used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address


Security Update

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo