This attack begins with a compromised vendor, whose legitimate email threads are copied and pasted into an attack email sent from a look-alike domain. The vendor’s real domain is “” but the attacker changes it to “,” replacing the “i” with an “l.” The attacker pretends to be “Sandy” and references the prior thread when asking the recipient to process an $82,600 invoice, which the attacker also attaches to the email. The attacker CCs “” and “” in an effort to stay connected, should the recipient accidentally reply all.

Since the attack uses conversational language and a safe attachment, legacy tools have trouble detecting this as an attack. By utilizing sender behavior analysis, attachment inspection, and employee spoofing detection, Abnormal can stop this attack.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender Information: The email sender is unknown to the company, and the fully qualified domain name (FQDN) used to send the email is also unknown. Legacy tools might not have comprehensive databases to identify such potential threats.
  • Attachment Types: The email contains two attachments of types image/png and application/pdf. These file types are generally considered safe and might not raise suspicions in legacy security systems.
  • Body Link Analysis: There are links in the email body that might look legitimate, but legacy tools might not be able to perform in-depth analysis or use tools like SafeBrowse to check for malicious intent.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Behavior Analysis: Abnormal analyzes the sender's behavior and communication patterns to identify anomalies. This might include detection of domain age, sender FQDN rarity, and unknown sender emails.
  • Attachment and Link Inspection: Abnormal inspects content within attachments (e.g., processed OCR for images or PDFs) and evaluates body links, which can help spot possible threats or malicious content within the email.
  • Employee Spoofing Detection: Abnormal can cross-reference email sender information with the company's employee database, effectively detecting potential cases of employee spoofing that might otherwise go unnoticed.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
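
A minimal sketch of the look-alike-domain part of sender analysis, added here as an illustration and not Abnormal's detection logic: it compares a sender's domain against a list of known vendor domains after collapsing confusable characters such as the "i"/"l" swap described above. The function names, the confusable-character map and all domains are constructed placeholders.

```python
from typing import Optional, Set, Tuple

# Characters commonly swapped in look-alike domains, mapped to one canonical form
# (assumed, deliberately small map; real confusable tables are much larger).
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse visually confusable characters."""
    d = domain.strip().lower().rstrip(".")
    return d.replace("rn", "m").translate(CONFUSABLE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known_vendor_domains: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, imitated_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    known = {d.lower() for d in known_vendor_domains}
    if domain in known:
        return ("known", None)
    for vendor in sorted(known):
        # Same skeleton but different spelling: a homoglyph swap such as i -> l.
        if skeleton(domain) == skeleton(vendor):
            return ("lookalike-homoglyph", vendor)
        # One insertion, deletion or substitution away from a real vendor domain.
        if edit_distance(domain, vendor) <= 1:
            return ("lookalike-typo", vendor)
    return ("unknown", None)

# Constructed sample data: vendor domains already seen in legitimate mail.
VENDORS = {"acme-industries.example", "northwind-supply.example"}

if __name__ == "__main__":
    for sender in ("billing@acme-industries.example",
                   "sandy@acme-lndustries.example",
                   "ap@northwind-suply.example",
                   "info@unrelated.example"):
        print(sender, classify_sender(sender, VENDORS))
```

A "lookalike" verdict on a message that also requests payment or carries an invoice attachment is a reasonable trigger for out-of-band verification with the vendor.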

Analysis Overview

  • Payment Fraud
  • Look-alike Domain
  • Fake Invoice
  • Impersonated Party: External Party - Vendor/Supplier
