In this credential phishing attack, the threat actor spoofs the email address of a real Washington, D.C.-based attorney and sends the target a message purportedly related to tax documents. To increase the appearance of legitimacy, the attacker incorporates the name of the company at which the target works into the sender display name.

Embedded in the email is a JPG that appears to be an eFax notification informing the recipient they have received a document from the IRS with a link to view the PDF. Since the end of January is the start of tax season in the US, the attacker is taking advantage of the built-in urgency of this time of year by using a fake IRS document notification. However, unlike an authentic eFax notification in which only the text “Click here” would be a hyperlink, the entire image is hyperlinked. If the recipient clicks the image to view the document, they will likely be directed to a fake IRS landing page where sensitive information is at risk of being stolen. 

Older, legacy email security tools struggle to accurately flag this email as an attack because it comes from a spoofed and unknown sender and uses a JPG attachment. Modern, AI-powered email security solutions analyze the links, attachments, and unknown sender to mark this email correctly as an attack.


The attacker uses the IRS logo in the fake PDF attachment to appear authentic.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Sender: The email appears to be from a legitimate email address. This could potentially bypass legacy security tools if they are not equipped to verify the authenticity of the sender's email address.
  • Attachment Type: The email contains an attachment that is a JPG image. Legacy security tools may not be able to scan the content of image files for malicious content, allowing the email to bypass their filters.
  • Unknown Sender: The email comes from a sender and domain that the target has never received emails from in the past. Legacy security tools might be unable to track and analyze the reputation of unknown senders over time.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal analyzes the content of attachments, including image files. The presence of a JPG image attachment in this email raised suspicion.
  • Link Analysis: The email contains a link, which Abnormal analyzes for potential threats. In this case, the link was flagged as suspicious.
  • Unknown Sender: The email comes from an unknown sender and domain that the target has never received emails from in the past. Abnormal flags this as suspicious, as it's unusual for a company to receive emails from completely unknown senders.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
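A simplified heuristic for three of the indicators described above (the company name in the display name, a never-before-seen sender domain, and an image that is itself the hyperlink), as an added example that is not Abnormal's detection logic. The sample message, the addresses, the company name and the `known_sender_domains` set are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

class LinkedImageFinder(HTMLParser):
    """Collect hrefs of <a> elements that wrap an <img> and have no visible text."""
    def __init__(self):
        super().__init__()
        self.href, self.has_img, self.text = None, False, ""
        self.image_only_links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.has_img, self.text = dict(attrs).get("href"), False, ""
        elif tag == "img" and self.href is not None:
            self.has_img = True
    def handle_data(self, data):
        if self.href is not None:
            self.text += data.strip()
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            # An authentic notice links only the "Click here" text, not the image.
            if self.has_img and not self.text:
                self.image_only_links.append(self.href)
            self.href = None

def score_message(raw, recipient_org, known_sender_domains):
    """Return which of the write-up's indicators the raw message shows.
    recipient_org and known_sender_domains are hypothetical inputs."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    findings = []
    if recipient_org.lower() in display.lower():
        findings.append("display name contains recipient's company")
    if addr.rpartition("@")[2].lower() not in known_sender_domains:
        findings.append("sender domain never seen before")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        finder = LinkedImageFinder()
        finder.feed(body.get_content())
        if finder.image_only_links:
            findings.append("entire image is the hyperlink")
    return findings

# Constructed sample message (not taken from the real attack)
SAMPLE = """\
From: "Example Corp Tax Documents" <attorney@lawfirm.example>
To: user@examplecorp.example
Subject: New fax received
Content-Type: text/html; charset=utf-8

<html><body><a href="https://landing.example/view"><img src="cid:fax.jpg" alt=""></a></body></html>
"""
```

Each finding is weak on its own; the point of the write-up is that the combination, measured against what is normal for the recipient, is what stands out.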

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft

Fake Attachment, Spoofed Display Name, Masked Phishing Link

Fake Document, Tax Matter

Impersonated Party: Government Agency

Impersonated Brands

