This multi-layered credential phishing attack features an impersonation of the Chief Procurement Officer of the U.S. Department of Agriculture.

The email looks like an official invitation to bid on government projects. It contains authoritative language and instructions for downloading documents to begin bidding. The attacker uses the words “U.S. Department of Agriculture” in the sending domain to appear more legitimate. Additionally, at the bottom of the email, the attacker includes another spoofed email address, “bids-enquiry@usda-govus[.]com,” which also mimics official U.S. government contact information.

The final element of the malicious email is a PDF attachment with a QR code. The attacker will likely harvest their credentials if the recipient scans the QR code or interacts with the attachment.

Legacy security tools struggle to accurately flag this email as an attack because of the lack of malicious links in the body, an inability to recognize an unknown sender, and limited functionality to detect content mimicry. Modern, AI-powered security tools analyze the sending domain, domain age, and email content to identify this email as an attack successfully.

Status Bar Dots
Oct4 Screenshot
Status Bar Dots
Screenshot 2023 09 26 at 11 42 52 AM

This QR code in the PDF attachment leads to a phishing site where credentials are at risk.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Links: The email contains no links in the body text. Traditional security solutions often rely on detecting malicious links to flag phishing emails. In this case, the absence of links could allow the email to bypass these security measures.
  • Unknown Sender: The email and domain used to send this message are unknown to the recipient's company. This can make it more difficult for traditional security solutions to identify the email as malicious based on previous interactions with the sender.
  • Content Mimicry: The email content is professionally written and mimics a legitimate invitation from a government department to bid on a project. This bypasses content-based filters that look for keywords or phrases associated with phishing or spam emails.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sending Domain: The email comes from "u.s.department of agriculture approved@stellargazeplc[.]com". The sender's email address seems to be spoofing the U.S. Department of Agriculture, but the domain "stellargazeplc[.]com" does not match the expected domain for such an organization. This mismatch is a red flag for Abnormal's system.
  • Domain Age: The domain is two months old, which is relatively new and could be a sign of a potential phishing domain.
  • Email Content: The email content is an invitation to bid on a project, a common tactic used in phishing attacks to lure the recipient into providing sensitive information or downloading malicious attachments.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


New Vendor

Impersonated Party

Government Agency

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo