In this attack, the email informed the recipient that they had an outstanding payment due and provided a link to view the bill. It was sent from a compromised external account the recipient had previously communicated with; the attacker hijacked an existing thread in that account, dormant for more than a year and a half, to deliver the message.

TeamViewer Malware Link Email

Had the recipient clicked the link in the email, they would have been directed to a webpage resembling the download site for TeamViewer, a legitimate remote access tool. While the page shared a similar color theme and style with the real website, it was not an exact copy: the browser tab title read “TeamVievver” (two v's standing in for the w) and the page content advertised a “New Verison”. Interacting with any object on the page would have downloaded a .EXE file to the recipient's computer, which, if executed, would have infected it with malware.

Fake TeamViewer Malware Page

How Does This Attack Bypass Email Defenses?

Because the email was sent from a legitimate account that had been compromised, with no history of abuse and an existing history of communication with the recipient, sender reputation provides no direct signal that the message is malicious. The URL in the email had not previously been seen or flagged as malicious, so it passes tools that rely on known-bad indicators such as URL and domain blocklists.

How Can This Attack Be Detected?

Stopping attacks that use never-before-seen URLs requires behavioral analysis rather than indicator matching. By assessing the intent of the link (where it leads, what the landing page claims to be, and what it serves), alongside other signals from content analysis such as the payment lure and the revival of a long-dormant thread, a cloud email security platform can determine that an email is likely malicious even when every individual indicator is new.
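The heuristics below are an added illustration of the signals just described and are not Abnormal's detection logic or any code from the original page. They normalize lookalike spellings (so “TeamVievver” collapses to “teamviewer”), check whether a page that claims a brand is hosted on that brand's known domains, flag executable downloads, and measure how long the hijacked thread had been dormant. The brand-to-domain table, confusable-character table, thresholds, and all sample data are assumptions constructed for the example.

```python
"""Illustrative link-intent and thread-hijack heuristics (added example).

The brand/domain table, the confusable table, the 365-day threshold and all
sample messages below are constructed assumptions, not data from the incident.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Character substitutions typosquatters use so a lookalike reads as the real brand.
# Assumption: this short table is enough to catch the "vv" -> "w" trick on the fake page.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Assumption: the defender keeps a list of brands worth protecting and their real hosts.
BRAND_DOMAINS = {"teamviewer": {"teamviewer.com", "www.teamviewer.com"}}

PAYMENT_WORDS = ("payment", "invoice", "bill", "overdue", "outstanding")
STALE_THREAD_DAYS = 365  # a reply to a thread older than this is unusual
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat")


def normalize(text):
    """Lowercase, undo confusable substitutions, and keep letters only."""
    t = text.lower()
    for bad, good in CONFUSABLES:
        t = t.replace(bad, good)
    return re.sub(r"[^a-z]", "", t)


def brand_lookalike(text):
    """Return (brand, exact) if the text references a protected brand, else None.

    exact=False means the brand only appears after confusable normalization,
    e.g. "TeamVievver" -> "teamviewer"; that mismatch is itself a strong signal.
    """
    raw = re.sub(r"[^a-z]", "", text.lower())
    norm = normalize(text)
    for brand in BRAND_DOMAINS:
        if brand in raw:
            return brand, True
        if brand in norm:
            return brand, False
    return None


def analyze_page(page):
    """Signals from the landing page: lookalike brand, off-brand host, executable."""
    signals = []
    host = (urlparse(page["url"]).hostname or "").lower()
    hit = brand_lookalike(page["title"]) or brand_lookalike(page["text"])
    if hit:
        brand, exact = hit
        if not exact:
            signals.append(f"page spells '{brand}' with lookalike characters")
        if host not in BRAND_DOMAINS[brand]:
            signals.append(f"page claims '{brand}' but is hosted on '{host}'")
    download_path = urlparse(page.get("download", "")).path.lower()
    if download_path.endswith(EXECUTABLE_SUFFIXES):
        signals.append("page serves an executable download")
    return signals


def thread_gap_days(msg):
    """Days between the message and the thread message it replies to (0 if none)."""
    if not msg.get("in_reply_to_date"):
        return 0
    return (msg["date"] - msg["in_reply_to_date"]).days


def analyze_message(msg):
    """Signals from the email itself: revived dormant thread, payment lure."""
    signals = []
    gap = thread_gap_days(msg)
    if gap > STALE_THREAD_DAYS:
        signals.append(f"replies to a thread dormant for {gap} days")
    if any(w in msg["body"].lower() for w in PAYMENT_WORDS):
        signals.append("payment/billing lure")
    return signals


def assess(msg, page):
    """Combine lure and link signals; reputation of a known sender is ignored on purpose."""
    link_signals = analyze_page(page)
    lure_signals = analyze_message(msg)
    if link_signals and lure_signals:
        verdict = "malicious"
    elif link_signals or lure_signals:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signals": link_signals + lure_signals}


# Constructed sample modeled on the attack described above (not the real data).
SAMPLE_MESSAGE = {
    "date": datetime(2023, 3, 14),
    "in_reply_to_date": datetime(2021, 8, 2),
    "sender_known": True,
    "body": "Hi, your outstanding payment is due. View your bill here: http://example-invoice.test/view",
}
SAMPLE_PAGE = {
    "url": "http://example-invoice.test/view",
    "title": "TeamVievver - New Verison",
    "text": "Download the New Verison of TeamVievver to view your invoice",
    "download": "http://example-invoice.test/files/TeamViewer_Setup.exe",
}

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE, SAMPLE_PAGE))
```

The sender's clean reputation is deliberately not an input to the verdict: as the page explains, it is exactly the signal this attack defeats, so the decision rests on what the link does and how the message behaves in the thread.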

Analysis Overview

Vector

Link-based

Goal

Malware Delivery

Tactic

Hijacked Email Thread
External Compromised Account

Theme

Overdue Payment

Impersonated Party

External Party - Vendor/Supplier

Impersonated Brands

TeamViewer
