In this credential phishing attack, the threat actor compromises the email account of an administrative assistant at a Connecticut-based school district and sends the target a notification regarding a shared document. Because the account is hosted on a legitimate domain registered more than 20 years ago, any messages sent using this address will likely bypass security tools that only scan emails for suspicious-looking domains or domains with no known reputation. Additionally, the targeted employee works at an education organization with which the impersonated school district has an existing relationship, which increases the likelihood of the recipient believing the email is genuine. The email states that a document titled “[School District Name] - Q2 PROT/FUNDING DOC 2024” is ready for review and provides a button labeled “View Shared Document.” If the target clicks on the link to view the document, they are redirected to a fake Microsoft login page designed to steal any login information the recipient provides. This page is hosted on Webflow, a legitimate website builder tool that anyone can use for free when staging work-in-progress websites.  

Older, legacy email security tools struggle to identify this email as an attack because it comes from an established, longstanding domain, employs social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions analyze the links, detect the unknown sender, and identify recipient field anomalies to correctly mark this email as an attack.


The attacker creates a spoofed Microsoft login page hoping the target will enter their credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputation of Sender's Domain: The email originates from a domain with a long-standing reputation of 26 years. Legacy security tools often rely heavily on domain reputation, which can cause them to overlook malicious emails from compromised but reputable domains.
  • Social Engineering: The email employs social engineering by pretending to share a document for review, a common and legitimate activity in organizational settings. Legacy tools lack the functionality to analyze the context deeply enough to recognize the malicious intent.
  • Lack of Malicious Attachments: Since the email does not contain any attachments but rather a malicious link, it bypasses traditional security measures that scan for known malware signatures in attachments.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes links contained in emails, including the reputation of the linked domain, the page content, and any redirections. The malicious link to a fake Microsoft login page would have been scrutinized and identified as a threat.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the target, and identifies this as a potential sign of a phishing attempt.
  • Recipient Field Anomalies: The email contains no email addresses in the "To" field. This is unusual and can signal a mass phishing attack, which Abnormal's AI can detect.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
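The three signals listed above can be approximated with simple static checks. The following is an added example, not Abnormal's detection logic or any code from the original page; the signal names, the sample message, the known-sender set and the `.webflow.io` suffix list are assumptions, and the link check only inspects the host name rather than fetching page content or following redirections.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: host suffixes of free site-builder staging domains to flag.
SHARED_HOSTING_SUFFIXES = (".webflow.io",)

class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw_message, known_senders):
    """Return the signals (hypothetical names) raised by one raw message."""
    msg = message_from_string(raw_message)
    signals = []
    # Unknown sender: no earlier mail from this address to the recipient.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        signals.append("first_time_sender")
    # Recipient field anomaly: the To header carries no real address.
    to_addrs = [a for _, a in getaddresses(msg.get_all("To", [])) if "@" in a]
    if not to_addrs:
        signals.append("empty_to_field")
    # Link analysis (static part only): link hosts on shared builder domains.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            signals.append("shared_hosting_link:" + host)
    return signals

# Constructed sample message; every address and URL below is made up.
SAMPLE = """\
From: Admin Assistant <assistant@district.example>
To: undisclosed-recipients:;
Subject: Shared document ready for review
Content-Type: text/html

<a href="https://constructed-sample.webflow.io/login">View Shared Document</a>
"""

if __name__ == "__main__":
    print(triage(SAMPLE, known_senders={"colleague@partner.example"}))
```

None of these signals is conclusive alone, since legitimate mail can also come from a new sender or link to a site-builder domain; the value is in their combination.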

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: External Compromised Account, Masked Phishing Link
  • Theme: Fake Document
  • Impersonated Party: External Party - Vendor/Supplier
