In this email, the attacker is impersonating Wells Fargo home mortgage and provides an attachment containing a supposed payoff quote for the recipient’s home mortgage. The sending email address spoofs the same sending domain as the recipient email address, and the sender’s display name is changed to give the recipient the impression the email is coming from an email address.

Wells Fargo mortgage payoff phishing email

When a recipient opens the HTML attachment, they are presented with a phishing page that is prefilled with their email address and asks them to enter their password because they’re “accessing sensitive info.”

Mortgage payoff HTML attachment phishing page

Why It Bypassed Traditional Security

There is a URL within the attachment that has never been detected as malicious, allowing it to bypass traditional tools that look for known bad indicators. The spoofed domain does not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.
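A domain owner can check for this gap by evaluating the TXT records published at `_dmarc.<domain>`. The following is an added example, not code from the original write-up: the sample records are constructed, the function names are hypothetical, and it assumes "effective" means `p=reject` applied to 100% of failing mail.

```python
# Added example: decide whether a domain's DMARC record actually rejects spoofed mail.
# All records below are constructed samples, not data from this incident.

def parse_dmarc(txt):
    """Parse one TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # RFC 7489: the v=DMARC1 tag must come first
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_verdict(txt_records):
    """Return (effective, reason) for the TXT records found at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not parsed:
        return False, "no DMARC record: receivers have no policy to apply"
    if len(parsed) > 1:
        return False, "multiple DMARC records: receivers skip DMARC processing"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        return False, f"p={policy or 'missing'}: failing mail is not rejected"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return False, f"p=reject applies to only {pct}% of failing mail"
    return True, "p=reject at 100%: unauthorized senders are refused"


SAMPLES = {  # constructed inputs
    "no record": ["v=spf1 include:_spf.example.com -all"],
    "monitor only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "partial rollout": ["v=DMARC1; p=reject; pct=25"],
    "enforcing": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        effective, reason = dmarc_verdict(records)
        print(f"{name:16} effective={effective}  {reason}")
```
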

Detecting the Attack

It is necessary to use a behavioral system to prevent attacks that use URLs that have never been seen before. A cloud email security platform can identify malicious emails by understanding the intent of the link as well as other signals acquired through content analysis. By integrating with the Microsoft API, email security solutions can use Active Directory to process organizational charts and understand vendor emails to detect when real estate vendors are being impersonated.

Risk to Organization

As soon as an employee enters their credentials, attackers have full access to their email account, which they can use to access sensitive information or to launch other attacks on coworkers, customers, or vendors. This also provides access to the entire Microsoft environment, where attackers can search through documents in SharePoint or OneDrive, or find information in Microsoft Teams.

Analysis Overview




Credential Theft


Spoofed Email Address


Real Estate Transaction

Impersonated Brands

Wells Fargo
