In this credential phishing attack, the threat actor poses as an HR administrator and sends the target an email with the subject line “Payroll Update For 2023” and a message stating that the company is transitioning to a new payroll company. The attacker uses a spoofed email address hosted on a legitimate domain that includes the word “careers,” likely in the hopes the target might mistake the message as real communication from the company’s HR department. The email informs the recipient that they must acknowledge this change and includes a link labeled “PAYROLL UPDATE,” purportedly where the target can complete the required authentication process. To create a sense of urgency, the email states that this authentication process must happen by the end of the day. However, if the target clicks on the link, they will be redirected to a phishing website where sensitive data, including payment details and banking information, is at risk of being stolen. 

Older, legacy email security tools struggle to accurately flag this email as an attack because the attacker uses a spoofed email address, includes legitimate-looking content, and purposefully does not include malicious, executable attachments. Modern, AI-powered email security solutions detect the unknown sender domain, analyze the links, and use behavioral analysis techniques to identify this email as an attack correctly. 

Status Bar Dots
Dec28 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email comes from a spoofed email address, “careers@cgadcareers[.]com,” which appears legitimate. Traditional email security tools may be unable to detect this as a threat.
  • Legitimate-looking Content: The email content is designed to look like a legitimate HR communication about a payroll update. This can trick traditional security tools that rely on keyword detection.
  • Lack of Malicious Attachments: The email contains no attachments, which is often a red flag for traditional email security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Domain: The sender's domain is new to the recipient. Abnormal flags this as a potential threat, as it could indicate a spoofed email address.
  • Link Analysis: The email links to an external site, "clt1631333.benchurl[.]com." Abnormal analyzes this link for potential threats, which traditional security tools may be unable to do.
  • Behavioral Analysis: Abnormal uses behavioral analysis to detect potential threats. The email requests the recipient to "update [their] authentication immediately," which Abnormal recognizes as a common tactic used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Account Update
Human Resources Announcement

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo