This attack was  designed to resemble a tax refund document sent via secure message. It was sent to a company executive by spoofing their email address, making it look like they sent the document to themselves. The sender’s display name, however, was set to the target company’s name rather than the targeted employee’s name. The body of the email was blank and only contained an HTML attachment with the filename “copy00248.html.”.

Status Bar Dots
Tax Refund Credential Phishing Email

Upon opening the attached HTML file, the recipient would have been directed to a phishing page pre-populated with their email address. The phishing page stated that the recipient must authenticate themselves by verifying their account password “because you’re accessing sensitive info.” The phishing page was also customized with a background containing the target company’s branding and the company’s logo in the login prompt. 

Status Bar Dots
Tax Return Credential Phishing Page

Why It Bypassed Traditional Security

Because there was no text in the body of the email, natural language processing had nothing to analyze that would indicate malicious intent. The URL within the attachment had not been previously detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. 

Detecting the Attack

A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious. HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. The sending and receiving email addresses in this email appeared to be identical, which is an indicator that this message is potentially malicious.

Risk to Organization

Because the phishing page contained company-specific branding, it may lead an employee to mistakenly believe that it is a legitimate login page. If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview




Credential Theft


Self-Addressed Spoofed Email
Blank Email Body
Branded Phishing Page


Fake Document

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo