This credential phishing attack features an impersonation of a project manager from Silverthorn Construction Supply, a real wholesale produce distributor in Ontario. The attacker utilizes a look-alike domain, “silverthornsupply[.]co,” which is one letter off from the legitimate domain, “silverthornsupply[.]com,” making it difficult to detect as malicious. In the initial message, the attacker claims an RFQ (request for quote) is attached; however, this is just a ploy to encourage the target to engage. When the target replies that the RFQ wasn’t attached, the attacker responds with a link purportedly to the RFQ, with a file name formatted to impersonate a Microsoft Excel spreadsheet. This link leads to a Microsoft Survey form, which the attacker has titled “MICROSOFT SHAREPOINT” to make the survey appear to be a SharePoint landing page and seem more legitimate. The form includes a link labeled “ACCESS SHAREPOINT,” which likely leads to a credential phishing website where sensitive information, including login credentials or payment details, is at risk of being stolen.  

Older, legacy email security tools struggle to accurately identify this email as an attack because the attacker utilizes social engineering techniques to sound legitimate and uses a newer, unknown domain. Modern, AI-powered email security solutions can analyze the domain age and sender information as well as conduct employee impersonation detection to identify this email as an attack correctly.

Status Bar Dots
Dec11 Screenshot 1
Status Bar Dots
Dec11 Screenshot 2

The target replies to the initial email.

Status Bar Dots
Dec11 Screenshot 3

The attacker responds with a malicious link.

Status Bar Dots
Dec11 Screenshot 4

The malicious link leads to a fake Microsoft SharePoint landing page where sensitive information is at risk if the link is clicked on.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Social Engineering: The attacker crafts the email as a follow-up to a previous conversation, making it seem legitimate and urgent. This can bypass security solutions that do not analyze the context of the email.
  • Domain Age: Attackers often use new domains to bypass security checks. In this case, the sender's domain is only 35 days old. Legacy systems may not be able to check the age of the sender's domain. 
  • Unknown Sender: The email comes from an unknown sender that the company has never received emails from before. This can bypass security solutions that only block known malicious senders.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age Analysis: Abnormal checks the age of the sender's domain. In this case, the domain is only 35 days old, a common characteristic of phishing attacks.
  • Sender Analysis: Abnormal tracks the reputation of senders and flags this email because it comes from a domain and email address that the recipient has never received messages from in the past.
  • Employee Impersonation Detection: Abnormal cross-references the sender's details with an internal database to detect potential employee impersonation. In this case, the employee's title who appears to have sent this message matches a title in the recipient's employee database, indicating a potential attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Look-alike Domain
Masked Phishing Link


New Vendor
Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo