This credential phishing attack features a compromised vendor email from Brasada Ranch, a vacation destination in Oregon. The attacker, pretending to be a vacation planner from the resort named Allison Clark, shares a brief message and a link that the recipient might mistakenly believe is a receipt or some other information about the purported refund. To help increase the appearance of legitimacy, the attacker included Allison’s email signature. The attacker also used a URL with a similar domain to Brasada Ranch’s, only adding an s at the end—a change that could easily be overlooked. Therefore, the link is likely malicious, and sensitive information is at risk should the recipient engage. 

Legacy email security tools have trouble detecting this email as an attack because of the compromised sending address and the lack of malicious attachments or content. Modern, AI-powered security tools correctly identify this email as an attack because of the unknown sender, the suspicious links, and similar sender and recipient domains.

Status Bar Dots
Sep6 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The email appears to be from a legitimate source, “,” which could bypass legacy security tools that only check for known malicious senders.
  • Lack of Malicious Attachments: The email contains an attachment. However, it's an image file, which is less likely to be flagged as malicious by legacy security tools that primarily look for executable files or documents with macros.
  • No Direct Malicious Content: The email contains no apparent malicious content in the body text. It only informs the recipient about a refund and provides a link to view the receipt, potentially bypassing content-based filters of legacy security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: The email is from an unknown sender that the recipient has never received emails from in the past. Abnormal's AI identifies this as a potential threat, even if the sender's domain is not known to be malicious.
  • Suspicious Links: The email contains a suspicious link “” Abnormal's detection models analyze the link and identify it as potentially malicious, even if it's not on known blacklists.
  • Similar Sender and Recipient: The email appears to be from and to the same address “” This is unusual for legitimate communications and is flagged by Abnormal's AI.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Compromised Sending Domain


Financial Services

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo