Threat actors often use information about salary and payroll as a hook to trick recipients into completing the desired action, and this works especially well when it comes to salary and payroll. In this email, the attacker provides the target with a link to a paystub registration via what appears to be an encrypted Microsoft email. Legitimacy is added through display name deception, with the from name presented as Microsoft Safe Servers®, complete with the registered trademark symbol. Upon clicking the HTML document, the user is directed to a credential phishing site that looks similar to the Microsoft login page.

Status Bar Dots
62b381404f7a3a0a94ccff0e 991339859
Status Bar Dots
62b3813f4f7a3ab582ccff02 1345289105

Why It Bypassed Traditional Security

This attack is sent from a legitimate domain and the entire attack is contained within the HTML attachment so it cannot be blocked by the company firewall. The URL within the attachment is not one that has been seen before, so it cannot be detected as malicious by threat intelligence-based systems. 

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis and display name analysis, a cloud email security platform understands when an email may be malicious. 

Risk to Organization

Because this email is related to pay, it might cause even the most diligent employees to click to open the Excel file, despite the number of grammatical errors included. Once an employee enters their Microsoft credentials, attackers have full access to the account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview




Credential Theft


Maliciously Registered Domain


Fake Document

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo