This credential phishing attack features a vendor impersonation and malicious use of a Salesforce link. To begin, an attacker compromises the account of the Director of Operations at a contracting and construction service. The attacker then sends the target an email with a Salesforce link embedded in the message, claiming it is a link to shared documents. Most likely, the threat actor registered for a free trial of Salesforce, which is what allowed them to access the platform and create the link. By using a legitimate Salesforce link as the hook, the attacker hopes the target will believe the email is safe and click on the link. However, should the recipient click on the embedded link, an HTML file that is designed to steal sensitive information, including login credentials, will be automatically downloaded.

Older, legacy email security tools struggle to accurately flag this email as an attack because it uses legitimate Salesforce links, contains no attachments, and comes from a known, seemingly trustworthy domain. Modern, AI-powered email security solutions analyze the links and content and detect the unknown sender to correctly mark this email as an attack.

Status Bar Dots
AL Vendor Impersonation Salesforce Phishing Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Use of Legitimate Services: The attack leverages Salesforce links, which are typically trusted by users and organizations. Legacy security tools might whitelist such domains, allowing malicious links to bypass filters.
  • Lack of Attachments: Since the initial email does not contain the malicious payload but rather a link that leads to it, legacy tools that scan for attachments might miss this attack.
  • Sender Reputation: The email was sent from a legitimate domain that has been registered for three years. Legacy security tools often trust older domains, which can allow malicious emails from these domains to bypass security checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Advanced Link Analysis: Unlike legacy tools, Abnormal performs in-depth analysis of links, including reputation checks and the behavior of linked pages, such as auto-downloads, to identify malicious intent.
  • Unknown Sender: The email comes from an unknown sender and domain that the target has never received emails from in the past. Abnormal flags this as suspicious, as it's unusual for a company to receive emails from completely unknown senders.
  • Content Analysis: Abnormal analyzes the content of the email to detect subtle signs of phishing attacks, such as the use of social engineering tactics and the creation of a sense of urgency, which were present in this email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Fake Document

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo