For this dual-purpose attack, the threat actor spoofs an email address on a legitimate domain and sends a message to the target claiming the impersonated company’s automated system informed them that a recent invoice had not been processed. Included in the email is a link purportedly to view the invoice in question that, when clicked, directs the recipient to a fake Adobe Acrobat document viewer with a prompt to enter their login credentials. If the target provides their email address and password, they will be stolen by the attacker. Additionally, the shared document is either a fake invoice or a real invoice with the banking information changed, which means if the target processes payment for the invoice, the funds will be sent to the attacker.

Older, legacy email security tools struggle to accurately identify this email as an attack because the email appears to come from a legitimate domain, contains no executable attachments, and includes subtle social engineering techniques. Modern, AI-powered email security solutions analyze the links and sender and detect signals indicating an invoice scam to properly flag this email as an attack.

Status Bar Dots
Attack Library Dual Phishing Fake Billing Scam Email E
Status Bar Dots
Attack Library Dual Phishing Fake Billing Scam Login

The attacker creates a fake Adobe Acrobat landing page to steal login credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Spoofing: The email appears to be from a legitimate source “accounts@tgt[.]com[.]au,” which could bypass traditional security measures that rely on blacklisting known malicious senders.
  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for traditional email security tools. Instead, it contains a link, which can be harder for legacy systems to analyze for threats.
  • Social Engineering: The email uses social engineering techniques to trick the recipient into clicking the links. These tactics are often difficult for legacy tools to detect as they require an ability to understand context and intent.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: Abnormal flags the email because it was sent from a domain and email address that the company has never received messages from before. This is a strong sign of a potential threat.
  • Link Analysis: Abnormal analyzes the content of the email and identifies potentially malicious links. In this case, the body of the email contains a link that the system flagged as suspicious.
  • Invoice Scam Detection: Abnormal recognizes common types of phishing scams, such as invoice scams. The system identified the email as a potential invoice scam based on the content of the email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud
Credential Theft


Spoofed Email Address
Masked Phishing Link


Account Update
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo