In this multi-step credential phishing and malware attack, the attacker compromises a legitimate email account and sends the target an alert regarding shared files. The email claims the impersonated vendor was notified by its automated system that the target has not yet viewed an invoice and, therefore, it is being resent. Included in the email is a button labeled “VIEW SHARED FILES”, which is purportedly linked to the referenced document. If the target clicks on this button, they are redirected to a Canva page designed to appear as an invoice notification with a second link. Should the target click on this second link to view the shared documents, they will be automatically redirected twice and then prompted by a fake Microsoft login page to enter their credentials. However, any information entered into this page will be stolen by the perpetrator and could be used to launch additional attacks.

Older, legacy email security tools struggle to accurately identify this email as an attack because it contains no malicious attachments, uses legitimate links, and relies on social engineering to entice the target to take further action. Modern, AI-powered email security solutions analyze the links, assess the content, and flag the lack of recipient information to correctly mark this email as an attack.

Status Bar Dots
AI Phishing Malware Canva Fake Microsoft Login Email
Status Bar Dots
AI Phishing Malware Canva Fake Microsoft Login Canva

The attacker hosts the landing page on Canva to avoid detection.

Status Bar Dots
AI Phishing Malware Canva Fake Microsoft Login

The attacker creates a spoofed Microsoft login page that allows the bad actor to steal login credentials and access the target’s environment.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Attachments: The email does not contain any attachments, often a focus of legacy security tools. Instead, it includes a link to a Canva page, which can be more challenging for these tools to analyze. 
  • Legitimate Links: The link in the email is a file hosted on Canva, a legitimate and commonly used service. This can make it harder for security tools to identify a link as potentially malicious. 
  • Social Engineering: The email uses social engineering techniques to trick the recipient into clicking the links. These tactics are often difficult for legacy tools to detect as they require an ability to understand context and intent.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: The email includes a link to a Canva page. Abnormal analyzes the content of the linked site to detect potential threats, even if the link is hosted on a known and trusted domain. 
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other malicious tactics. In this case, the email uses social engineering tactics, such as urgency, to trick the recipient into clicking the link. 
  • Lack of Recipient Information: The email does not contain any email addresses in the “To” field. This is unusual and can be a sign of a mass phishing attack, which Abnormal's AI can detect.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Malware Delivery
Credential Theft


External Compromised Account
Masked Phishing Link


Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo