This multi-layered credential phishing attack features the impersonation of an internal IT system to help employees reset their passwords. The attacker first compromises a legitimate domain, “support@superseguro[.]cl,” then sends the recipient an expired password notification. The target is informed that the system will automatically log them out and reset their password unless they click the provided link to keep their current password. To increase legitimacy, the attacker creates a fake landing page similar to Google Workspace environments. If the recipient enters their credentials, sensitive information is at risk. 

Older, legacy email security tools struggle to accurately identify this email as an attack because of the compromised sender address, the legitimate-looking content, and the embedded link. Modern, AI-powered email security solutions analyze the links, domains, and content to flag this email as an attack correctly.

Status Bar Dots
Oct20 Screenshot1
Status Bar Dots
Oct20 Screenshot2

The attacker created a fake landing page where sensitive information is at risk if the recipient enters their credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Sender Address: Because the email appears to be sent from a legitimate email address, “support@superseguro[.]cl,” it can bypass traditional security checks that only look at the sender's address.
  • Legitimate-looking Content: The email content is designed to look like a legitimate password expiration notification, which can trick both users and traditional security tools that rely on keyword or phrase matching.
  • Embedded Link: The email contains a link embedded in the text, which can bypass security checks that only look at the plain text of the email. The link leads to a potentially malicious site, but legacy tools may not detect this.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the embedded link in the email and determines that it leads to a potentially malicious site. This is a strong indicator of a phishing attempt.
  • Domain Analysis: Abnormal recognizes that the email comes from an unknown domain that has never sent messages to the sender in the past. This is a strong sign that the message could be malicious.
  • Content Analysis: The content of the email, which appears to be a password expiration notification, is a common tactic used in phishing attempts. Abnormal recognizes this and flags the email as potentially malicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Fake Website


Password Expiration

Impersonated Party

Internal System

See How Abnormal Stops Emerging Attacks

See a Demo