As email security platforms become increasingly adept at preventing attacks, threat actors find new ways to bypass systems. A relatively new version of this is to create an email as a single image file, with an accompanying credential phishing link wrapping the image.

In this email, the attacker has created an Office 365 confirmation email that asks users to click a link in order to keep their current password. While this is not an uncommon approach, what makes it unique is that the entire email is simply an image that uses an anchor link to forward the recipient to an Office 365 credential phishing page. To add additional legitimacy, and to prevent automated solutions from analyzing the webpage, a captcha is added before the user can enter their login credentials. 

Status Bar Dots
6287ef1f6e11f6ce9ca06f19 1597347765
Status Bar Dots
6287ef1f6e11f67ccea06f13 2023185736
Status Bar Dots
6287ef1f6e11f6d8ada06f18 506770175

Why It Bypassed Traditional Security

Presenting the email as only an image and adding a captcha prevents traditional email security solutions from inspecting the content of the email. In addition, the URL within the attachment is one that has not been previously detected the threat intelligence, allowing it to bypass traditional tools that rely on known bad indicators.  

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. 

Risk to Organization

This email relies on brand recognition and urgency to trick users into clicking the link—even if just to see what the document contains. Once an employee enters their Outlook credentials, attackers have full access to the email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview




Credential Theft


Hijacked Email Thread
Content Obfuscation via Image
External Compromised Account


Password Expiration

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo