In this multi-layered credential phishing attempt, an attacker first compromises an email account at Titan Worldwide, “holly@titan-worldwide[.]com.” After browsing through previous correspondence and finding a thread discussing outstanding invoices, the threat actor pastes that thread at the bottom of the attack email to make it appear more legitimate. The goal is for the recipient to see the past communications and presume the email follows up on an existing and authentic thread.

The attacker also includes a link to what appears to be a Microsoft SharePoint gateway webpage with a CAPTCHA test, often used for human verification when viewing sensitive documents. If the recipient completes the prompt, they will be taken to a fake login site where sensitive information is at risk.

Older, legacy email security tools have trouble properly identifying this email as an attack because of the compromised email address, the legitimate-looking content, and the lack of malware. Modern, AI-powered email security solutions holistically analyze the links, sender behavior, and content to accurately flag this email as an attack.


The attacker created a fake Microsoft SharePoint CAPTCHA test webpage that leads to a credential phishing website.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The email appears to be from a legitimate source "holly@titan-worldwide[.]com," which could bypass legacy security tools that only check for known malicious senders.
  • Legitimate-looking Content: The email content resembles a typical business communication, including a conversation thread and business-related details. This can make it harder for traditional security tools to identify it as malicious.
  • Lack of Malware: The email does not contain any malware or explicitly malicious content that traditional security tools would detect. Instead, it relies on social engineering to trick the recipient into clicking on the links.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes all links included in the email body. Even if the links are disguised or embedded within text, the system identifies if they lead to malicious websites.
  • Behavioral Analysis: Abnormal analyzes the sender's behavior, including past interactions with the recipient or the company. In this case, the system flags that the email is from an unknown sender that the company has never interacted with before.
  • Content Analysis: Abnormal analyzes the content of the email for signs of social engineering or other malicious tactics. In this instance, the system flags the request to click on links or view attachments as suspicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
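
The three signal types listed above can be approximated with a short triage heuristic. This is an added example, not Abnormal's detection logic or code from the original page; the sample message, its hosts, the `triage` function, the `BRAND_HOSTS` table and the pasted-thread rule (quoted headers in the body without In-Reply-To/References headers) are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the email in this report); all hosts are placeholders.
SAMPLE = """\
From: Holly <holly@vendor.example>
Subject: RE: Outstanding invoices
Content-Type: text/html; charset="utf-8"

<p>Please review the updated statement:
<a href="https://docs-gateway.example.net/verify">Open in Microsoft SharePoint</a></p>
<p>From: ap@customer.example<br>Sent: Monday<br>Subject: Outstanding invoices</p>
"""
# Assumption: brand keyword in link text -> domain that link should point to.
BRAND_HOSTS = {"sharepoint": "sharepoint.com"}

class Anchors(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def triage(raw, known_senders):
    """Return the list of signals raised by one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    sender = msg["From"].addresses[0].addr_spec.lower()
    signals = [] if sender in known_senders else ["first_time_sender"]
    # Quoted headers in the body but no threading headers: likely a pasted thread.
    if "Subject:" in body and not (msg["In-Reply-To"] or msg["References"]):
        signals.append("pasted_thread")
    parser = Anchors()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, legit in BRAND_HOSTS.items():
            if brand in text.lower() and host != legit and not host.endswith("." + legit):
                signals.append("masked_link:" + host)
    return signals
```

None of the three signals is conclusive alone; a known vendor address does not clear a message whose link text and destination disagree.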

Analysis Overview

  • Credential Theft
  • External Compromised Account
  • Masked Phishing Link
  • Fake Document
  • Impersonated Party: External Party - Vendor/Supplier
