This credential phishing attack impersonates an internal HR administration system at a large American university. The pretext of the email is an invitation to review documents related to an updated employee payroll and benefits plan. The attacker directs the target to use the provided QR code to access their account and get more information about the policy changes. If the target scans the QR code, they are taken to a fake Microsoft landing page where login credentials or other sensitive information is at risk if they attempt to log in. To appear more legitimate, the attacker includes a confidentiality notice from the law firm Choate, Hall & Stewart, LLP at the bottom of the email.

Older, legacy email security tools struggle to identify this email as an attack because it was sent from an unknown sender, does not include known malicious links and includes confidentiality notices. Modern, AI-powered email security solutions identify the unusual sender using an unknown sender domain while analyzing the links and content to flag this email as an attack accurately.

Status Bar Dots
Dec26 Screenshot 1
Status Bar Dots
Dec26 Screenshot 2

The malicious QR code link leads to a fake Microsoft login page.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender: The email comes from an unknown sender that the company has never received emails from before. This can bypass security solutions that only block known malicious senders. 
  • Lack of Known Malicious Links: The links in the email body are not known to be malicious. Legacy systems often rely on databases of known malicious URLs, so if an attacker uses a new or unknown malicious site, the email could bypass these checks.
  • Use of Confidentiality Notices: The email contains legal and confidentiality notices common in legitimate business emails. This could make the email appear more legitimate to legacy systems.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unusual Sender Domain: The sender's email address "noreply@ffjrnjrrjurrrr[.]com" is not associated with the company it claims to represent. Abnormal detects such discrepancies and flags the email as suspicious.
  • Link and Content Analysis: Abnormal analyzes the content linked to the QR code. This involves examining the website or data related to the QR code for malicious content or suspicious activities.
  • Unknown Sender: The email comes from an unknown email that the recipient has never corresponded with. This is a strong signal that the email could be malicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Personalized Email Subject
Maliciously Registered Domain
Masked Phishing Link


Account Update
Employee Benefits
Human Resources Announcement

Impersonated Party

Internal System

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo