In this credential phishing attack, the threat actor impersonates a vendor of the target’s company and sends the target a message about an overdue invoice. The attacker uses an email account registered via a legitimate free webmail service based in Argentina and sets the sender display name as “Accounts Payable” to appear more authentic. To create a sense of urgency, the attacker makes the subject line “Re: Overdue Statement & Invoices QuickBooks.” In the body of the email, the attacker states an invoice is attached, but because it is password-protected, the target will need to enter their login credentials in the “Secure email Portal” to view it. Also in the body of the email is an embedded image designed to appear as a notification from QuickBooks with a button purportedly to view the invoice. However, if the target clicks on the button, they will be redirected to a phishing website where any sensitive information provided will be stolen by the attacker.

Older, legacy email security tools struggle to accurately flag this email as an attack because it employs sophisticated social engineering techniques, lacks malicious attachments, and comes from an unknown sender. Modern, AI-powered email security solutions analyze the context, links, and unknown sender to correctly mark this email as an attack.

Status Bar Dots
AL Vendor Impersonation Fake Quick Books Notification Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Social Engineering: The attack crafts a scenario that creates urgency and leverages the recipient's trust in the impersonated brands. Legacy security tools may not be equipped to understand the context or the subtleties of social engineering tactics, focusing instead on more straightforward indicators of phishing or malware.
  • Lack of Malicious Attachments: If the email does not directly include malicious attachments but rather uses an image attachment and social engineering to prompt the recipient to perform an action (like replying to the email or navigating to a phishing site independently), it may not trigger the detection mechanisms of legacy tools that primarily scan for these elements.
  • Unknown Sender: If the email is sent from an account that hasn't been previously flagged, legacy tools might not flag it as suspicious. Attackers often use accounts that lack a negative history to evade reputation-based filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Context Analysis: Abnormal can analyze the context and intent behind emails. This allows it to identify suspicious requests, such as those asking a recipient to review and sign documents in an unexpected manner, even when the email uses trusted brand names to appear legitimate.
  • Link Analysis: Even if the primary phishing attempt is conducted through an image or text, Abnormal’s analysis capabilities extend to scrutinizing links and attachments for malicious content. This ensures that even if a recipient is directed to take action outside of the email itself, any linked phishing sites or malicious documents can still be identified.
  • Unknown Sender Analysis: Abnormal analyzes the behavior of the sender, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Free Webmail Account
Masked Phishing Link


Fake Document
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo