In this credential phishing attack, the threat actor impersonates an assistant project manager at a commercial general contractor. After compromising the email account of the impersonated employee, the attacker emails the target a message inviting them to view and bid on an upcoming construction project along with a link purportedly to information on the contract. If the target clicks on the link, they are directed to a page hosted on Padlet, a legitimate content-sharing platform. The Padlet page contains an image designed to look like a Microsoft-branded document preview page that includes the impersonated contractor’s logo as well as a thumbnail image of an Excel spreadsheet named “[Impersonated Company Name] RFP.” If the target clicks on the thumbnail to view the spreadsheet, they will be taken to a phishing website designed to steal sensitive information.

Older, legacy email security tools struggle to accurately flag this email as an attack because it comes from a legitimate sending domain, utilizes a real content-sharing platform, and contains social engineering techniques. Modern, AI-powered email security solutions analyze the links, content, and unknown sender to mark this email as an attack correctly.

Status Bar Dots
March 15th Screenshot 1
Status Bar Dots
March 15th Screenshot 2

The attacker creates an image that looks like a fake Microsoft-branded Excel document purportedly sharing information about an upcoming construction bid.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address and Sender Identity: The use of an email address that appears to be from a legitimate source can easily bypass legacy security tools that rely on simple blacklist-based or domain reputation-based filtering. These tools might not flag the email as suspicious if the domain has not been previously associated with malicious activity.
  • Use of Legitimate Services for Malicious Purposes: The attack leverages "padlet[.]com," a legitimate service, to host the phishing link. Legacy security tools often safelist known legitimate services, which can allow malicious links hosted on these platforms to pass through without scrutiny. 
  • Sophisticated Social Engineering Tactics: The email content is carefully crafted to mimic legitimate business communications, complete with a plausible scenario (a bid invitation) and a polite tone. Legacy tools that primarily scan for malicious payloads or known phishing phrases might not detect the nuanced social engineering cues that indicate a phishing attempt.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes URLs embedded in emails, assessing the linked domain's reputation and analyzing the landing page's content. This technology can identify phishing websites—even if hosted on legitimate services like Padlet—by evaluating the risk in real-time.
  • Content Analysis: Abnormal analyzes the language used and detects the presence of urgency cues, impersonation of services, and other psychological manipulation techniques in the email. This comprehensive analysis helps detect phishing attempts that rely on deception rather than traditional malicious payloads.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the target, and identifies this as a potential sign of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


New Vendor
Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo