This credential phishing attack impersonates a vendor providing updates on a service agreement. The attacker poses as a VP of Digital Platforms for NDM Hospitality, hijacks an existing email thread, and inserts themselves into the conversation. The perpetrator claims a time-sensitive service negotiation agreement is attached and provides a link purportedly to download the document securely. The link directs the target to a fake Microsoft SharePoint landing page that the attacker built using Padlet, a file-sharing tool. Embedded in the Padlet landing page is another link that leads to a credential phishing website where sensitive information is at risk of being stolen.


Legacy email security tools struggle to flag this email as an attack because it comes from a legitimate domain, contains no immediately identifiable malicious links, and lacks the traditional phishing indicators. Modern, AI-powered email security solutions can detect anomalies across multiple aspects of the email, analyze the links, and recognize social engineering techniques to correctly identify this email as an attack.


The attacker creates a fake Microsoft SharePoint landing page with an embedded phishing link.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Sender Domain: The email was sent from a legitimate domain, “ndmhospitality[.]com,” which could have bypassed security checks focusing on blocked or suspicious domains.
  • Lack of Malicious Links: The email contains links, but none are immediately identifiable as malicious. Legacy tools often rely on known malicious URLs or domains, and if the links in the email are not on those lists, the email could bypass the security checks.
  • No Obvious Phishing Indicators: The email does not contain obvious phishing indicators, such as requests for personal information, urgent language, or spelling and grammar errors, often used by legacy tools to identify phishing attempts.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: While the links in the email might not be immediately identifiable as malicious, Abnormal analyzes the links in depth, checking for signs of malicious intent—such as redirect chains or newly registered domains.
  • Anomaly Detection: Abnormal detects anomalies in various aspects of the email, such as the time it was sent, the language used, or the presence of certain elements that are unusual for the sender or recipient—such as the sudden subject change regarding a "SETTLEMENT FINAL BID." 
  • Social Engineering Detection: Abnormal detects signs of social engineering, a tactic often used in malicious emails. In the context of this email, the subject line "SETTLEMENT FINAL BID" might be a way to create a sense of urgency or importance, prompting the recipient to act quickly. Abnormal's ML models are trained to recognize such social engineering tactics.
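
The three signals above, as an added example that is not Abnormal's code: a small Python scorer that flags a subject swapped inside an existing thread, a link whose anchor text promises a SharePoint document but whose href resolves to a different host, and pressure language. The sample message, thread id, link, and the host and keyword lists are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts on which a genuine Microsoft document-sharing link is expected to live (assumed list).
EXPECTED_DOC_HOSTS = ("sharepoint.com", "onedrive.com", "microsoft.com")
BRAND_WORDS = ("sharepoint", "onedrive", "microsoft")
URGENCY_WORDS = ("final", "urgent", "immediately", "time-sensitive", "settlement")

def _host_in(host, suffixes):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _norm_subject(subject):
    # Strip any run of Re:/Fwd:/Fw: prefixes so replies compare to the thread subject.
    return re.sub(r"^\s*((re|fwd|fw)\s*:\s*)+", "", subject, flags=re.I).strip().lower()

def score_email(msg, thread_subject=None):
    """Return the indicators triggered by one message.

    msg is a plain dict with subject, in_reply_to, body and links, where links is a
    list of (anchor text, href) pairs as an HTML-parsing front end would supply them.
    """
    hits = []
    # 1. Thread hijack signal: a reply into an existing thread whose subject has been
    #    replaced with something unrelated to the original conversation.
    if msg.get("in_reply_to") and thread_subject is not None:
        if _norm_subject(msg["subject"]) != _norm_subject(thread_subject):
            hits.append("subject_change_in_existing_thread")
    # 2. Brand/host mismatch: the anchor text claims a Microsoft document while the
    #    href points at an unrelated file-sharing host (the masked phishing link).
    for text, href in msg.get("links", []):
        host = urlparse(href).hostname
        if any(b in text.lower() for b in BRAND_WORDS) and not _host_in(host, EXPECTED_DOC_HOSTS):
            hits.append(f"brand_host_mismatch:{host}")
    # 3. Pressure language in the subject or body.
    haystack = (msg["subject"] + " " + msg.get("body", "")).lower()
    urgent = sorted(w for w in URGENCY_WORDS if w in haystack)
    if urgent:
        hits.append("urgency_language:" + ",".join(urgent))
    return hits

# Constructed sample modelled on the described attack; not a real message.
SAMPLE = {
    "subject": "RE: SETTLEMENT FINAL BID",
    "in_reply_to": "<constructed-thread-id@example.com>",
    "body": "The time-sensitive service negotiation agreement is attached; please sign today.",
    "links": [("Download the agreement securely via SharePoint",
               "https://padlet.com/constructed-board-placeholder")],
}

if __name__ == "__main__":
    print(score_email(SAMPLE, thread_subject="Service agreement renewal"))
```

The earlier thread subject would come from the message store keyed on the In-Reply-To or References header; the scorer itself only compares the two strings.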

By learning a sender's and recipient's established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Hijacked Email Thread, External Compromised Account, Masked Phishing Link
  • Theme: Fake Document, Fake Payment
  • Impersonated Party: External Party - Vendor/Supplier
