Salary updates are a tactic often used by attackers, as human defenses are weakened when it comes to personal matters like an increase in wages. In this instance, attackers prey on this tendency alongside a note about it being the final update following the COVID-19 pandemic. To run the attack, threat actors contain it entirely in the HTML attachment, and display name spoofing is used to make recipients believe that it is being sent from the company’s payroll department.

Status Bar Dots
6285615c3520ee1b019f67e8 899955359
Status Bar Dots
6285615c3520ee3e369f67e9 497156130

Why It Bypassed Traditional Security

The email address from which the attack was sent is valid and comes from a legitimate domain, and the entire attack is contained within the HTML attachment. As a result, it cannot be blocked by a company firewall or proxy, and the URL within the attachment itself is one that is never-before-seen by the platform. 

Detecting the Attack

Behavioral systems are required to stop never-before-seen URL-based attacks that are unknown to threat intelligence-based solutions. Furthermore, content analysis and display name analysis in combination with the URL behavioral signals should be used to detect the urgency and tone elicited from the recipient. By understanding that this email uses display name deception and invokes a sense of curiosity in the recipient, a cloud email security platform can detect and block it before it reaches end users. 

Risk to Organization

If the target clicked on this attachment and then entered their OneDrive password, attackers would have full access to the Microsoft 365 account from which to uncover sensitive information or launch additional attacks. And if this attack reached multiple people within the organization, that could have ripple effects throughout the company as teams spend time tracking and remediating dozens of compromised accounts. 

Analysis Overview




Credential Theft


Self-Addressed Spoofed Email


Employee Incentive
Fake Document

Impersonated Party

Employee - Other

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo