This credential attack features an impersonation of the National Health Service (NHS) in the UK. The attacker compromises a legitimate NHS domain, “d.nosce@nhs[.]net,” and attaches a PNG image of a Microsoft SharePoint window containing what appears to be important scanned documents. Embedded in the PNG is a link the target is led to believe directs to a Microsoft SharePoint portal where they can preview the purported scanned documents.

In reality, the preview document link leads to a credential phishing site where sensitive information is at risk. Because the attacker has compromised an official NHS domain, engaging in social engineering is easier since the recipient is more likely to assume the message and instructions are legitimate. 

Older security tools have difficulty correctly detecting this email as an attack because of the sender’s domain reputation, the attachment type used, and the empty recipient field. Modern, AI-powered security solutions analyze all attachments and links for potential threats and detect the unknown sender to identify this email as an attack accurately.

Status Bar Dots
Oct11 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sender's Domain Reputation: The email comes from a domain with a good reputation—"nhs[.]net." Traditional security tools often rely on domain reputation for filtering out malicious emails, and this email could bypass such checks due to the reputation of the sender's domain.
  • Attachment Type: The email contains a PNG attachment, a common and generally safe file type. Legacy security tools might not flag this email based on the attachment type.
  • Empty Recipient Fields: The “To” field is empty, which could mean the email was sent as a BCC to multiple recipients. This might enable the email to bypass security checks that flag emails sent to numerous recipients.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Domain: The domain name used to send this email is an unknown domain that the recipient company has never sent messages to in the past. This is a strong sign that the message could be malicious.
  • Attachment Analysis: The email contains an attachment. Abnormal's AI analyzes all attachments for any potential threats.
  • Link Analysis: The email contains a link. Abnormal's AI analyzes the link to determine if it leads to a malicious website, even if it is not known to be malicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


Fake Document

Impersonated Party

Government Agency

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo