In this attack, the initial email impersonated a company CFO to outline a new “rewards and recognition program” to help employees stay “motivated and engaged.” The email includes types of rewards employees can expect to receive, including thank you letters, prize money, and  recognition in a company newsletter or social media. The message ends with a request for the recipient to respond as soon as the email has been read. The email was sent from a freely-available Gmail account and the sender’s display name was set to match the impersonated executive’s name.

Status Bar Dots
Response-based myGov Credential Phishing Email 1

Had the recipient responded to the initial email, they would have received a follow-up message from the impersonated CFO telling them that their myGov credentials were needed to verify their identity and pay their rewards. myGov is a website run by the Australian government that centralized access to numerous government services.

Status Bar Dots
Response-based myGov Credential Phishing Email 2

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. Thes email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of suspicious requests, indicating when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

What are the Risks of This Attack?

If an employee responded with their myGov credentials, attackers would be able to access their myGov account, as well as all of the government services linked to it. While this may not directly impact the business, this type of attack can distract employees from their work and in some cases, make them fearful of their future with the company. 

Analysis Overview




Credential Theft


Free Webmail Account
Spoofed Display Name


Employee Incentive

Impersonated Party

Employee - Executive

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo