4 Examples of Advanced Email Threats Evading Detection in User Inboxes
When Abnormal surfaces advanced email threats during an evaluation, prospective clients frequently ask how much protection they already get from post-delivery controls such as URL rewriting, which wraps the links in a message so they can be assessed at the time of click. Many organizations treat these mechanisms, together with browser agents and web gateways, as compensating controls: even if a malicious email reaches the inbox, the reasoning goes, these controls will contain the damage.
The reality is more complicated. Post-delivery controls can be bypassed, particularly by threats that are designed to evade them. URL rewriting, for example, is of limited use against links that resolve to a legitimate service, lead to a second link the rewriter never evaluates, or change their behavior after delivery.
Below, I examine four types of advanced email threats that persist in user inboxes despite these controls, how each slips past common post-delivery measures, and why pre-delivery detection is essential to stopping them.
1. Multi-stage Phishing From a Compromised Account Abusing an ArcGIS Site
In this first example, the message originates from a compromised external account, and the threat actor abuses an ArcGIS survey page to host the link that leads to a credential phishing page.
Breaking the attack into its component parts, there are three URLs: the shortened URL in the message, the ArcGIS survey URL it expands to when clicked, and the actual payload URL, which is reached only by clicking a button on the abused survey page.
When I run the first URL in a publicly-available URL scanner, I get an error:
When I try the second URL, I don’t get an error, but rather a benign verdict:
As you can see, the ArcGIS URL is not condemned at the time of writing. If the victim clicks “View PDF Online” or “Submit”, they are sent to a credential phishing page.
What is notable here is that the large majority of URL-rewriting services bundled with secure email gateways (SEGs) never get past that first click and redirect. The original shortened URL is rewritten, and at the time of click both that URL and the ArcGIS page it redirects to are assessed. The rewriting vendor does not perform the second click on the survey page, so the eventual payload is never evaluated.
Browser-based controls are less constrained: they are not tied to a rewritten URL or defeated by long redirect chains, and they can inspect all web traffic for a user, provided the browser agent is installed. That makes them valuable against multi-stage payload delivery like this. The caveat is that coverage ends where the agent does; a link opened on an unmanaged device or a personal phone gets none of it.
With that said, let’s look at the third and final URL destination:
In this case, if a victim user was leveraging this browser protection component, they would have been prevented from accessing the actual credential phishing page, even though the message was allowed to persist in the inbox.
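The "second click" that a time-of-click rewriter skips is easy to reproduce in a detonation step of your own. The script below is an added example, not Abnormal's code or any vendor's product: it follows a shortened URL through its 3xx redirect chain and then enumerates every outbound link, form action and meta-refresh target on the landing page, keeping the ones that leave the landing host. Network I/O sits behind a `fetch` callable so it runs offline against a constructed shortener redirect and a constructed ArcGIS-style survey page; every hostname in it is invented.

```python
"""Resolve a shortened URL's redirect chain, then take the "second click"
that a URL-rewriting proxy never takes: enumerate the outbound links on the
landing page so the real payload URL can be assessed.

Added example; this is not Abnormal's code. Network I/O is behind a `fetch`
callable, so the script runs offline against a constructed redirect chain
and a constructed ArcGIS-style survey page. Every hostname below is invented.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def resolve_redirects(url, fetch, max_hops=10):
    """Follow 3xx Location headers and return (urls_visited, final_response)."""
    chain = [url]
    resp = fetch(url)
    while 300 <= resp.status < 400 and "Location" in resp.headers and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], resp.headers["Location"])
        if nxt in chain:  # redirect loop; stop rather than spin
            break
        chain.append(nxt)
        resp = fetch(nxt)
    return chain, resp


class LinkExtractor(HTMLParser):
    """Collect (visible text, absolute URL) for anchors, form actions and
    meta-refresh targets, i.e. every way the landing page can move the
    victim somewhere else."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = urljoin(self.base_url, a["href"])
            self._text = []
        elif tag == "form" and a.get("action"):
            self.links.append(("<form action>", urljoin(self.base_url, a["action"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip()
                self.links.append(("<meta refresh>", urljoin(self.base_url, target)))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def second_click_targets(landing_url, body):
    """Links on the landing page that leave the landing host: these are the
    URLs a time-of-click rewrite never sees."""
    parser = LinkExtractor(landing_url)
    parser.feed(body)
    landing_host = urlsplit(landing_url).hostname
    return [(text, url) for text, url in parser.links
            if urlsplit(url).hostname not in (None, landing_host)]


# Constructed sample: a shortener that 302s to a survey page whose
# "View PDF Online" button and "Submit" form both lead off-site.
SAMPLE_SITE = {
    "https://short.example/abc": Response(302, {"Location": "https://survey-host.example/apps/survey/xyz"}),
    "https://survey-host.example/apps/survey/xyz": Response(200, body="""
        <html><body>
          <h1>Shared document</h1>
          <a href="/help">Help</a>
          <a href="https://login-verify.example/auth?u=victim">View PDF Online</a>
          <form action="https://login-verify.example/submit"><button>Submit</button></form>
        </body></html>"""),
}


def sample_fetch(url):
    return SAMPLE_SITE.get(url, Response(404))


def analyze(url, fetch=sample_fetch):
    chain, resp = resolve_redirects(url, fetch)
    return {"chain": chain,
            "payload_candidates": second_click_targets(chain[-1], resp.body)}


if __name__ == "__main__":
    result = analyze("https://short.example/abc")
    print(" -> ".join(result["chain"]))
    for text, url in result["payload_candidates"]:
        print(f"second click: {text!r} -> {url}")
```

Against the sample, the chain stops at the survey page (which is exactly where a rewriter's verdict is formed), while `second_click_targets` surfaces the off-host "View PDF Online" link and the form action that the victim would actually hit. To run it against live URLs, swap `sample_fetch` for a function that issues the request from an isolated sandbox with a non-attributable egress; fetching phishing infrastructure from a corporate IP tips off the operator and can be geofenced away.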
2. DHL Impersonation Leading to QR Code Credential Phishing
Abnormal detected the following attack in real time as an obvious DHL impersonation, yet in this case it was still sitting in the user's inbox more than a day later.
Scanning the QR code will take the victim to: hxxps://restaurantesmiescondite[.]com/commad/popular[.]html?[redacted].
This is not a DHL URL, nor did the message originate from DHL.
Checking the extracted URL in the same URL scan tool returns a “benign” verdict, while a single VirusTotal vendor (Fortinet) flags it as phishing:
I then sent the extracted link to a Safe Links-protected mailbox to see how Microsoft would treat it. Somewhat to my surprise, the link was blocked at the time of click, even though the original message carrying it had been delivered:
That block page is irrelevant, however, because Safe Links only rewrites URLs it finds as text or hyperlinks in the message body. A URL encoded in a QR image is neither, so it is never rewritten, and a user who scans the code with a phone camera opens it in a browser the mail pipeline never sees. The URL is condemned, but the control never gets a chance to act on it.
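The gap is mechanical rather than a matter of verdict quality, and the added example below makes it concrete. It is not Microsoft's Safe Links code or Abnormal's: `rewrite_anchor_hrefs` mimics what click-time rewriting does (wrap the `href` values it finds in the HTML body), and `extract_url_candidates` walks the MIME tree and treats image parts as URL carriers too. Real QR decoding is delegated to a `decode_qr` callable (wire in pyzbar or a similar library in production); `stand_in_qr_decoder` is a constructed stand-in that just reads a URL out of fake image bytes so the example runs offline. The DHL-themed message and every hostname are constructed.

```python
"""Why a click-time URL rewrite leaves a QR-code payload untouched, and how a
scanner recovers it anyway.

Added example, not Microsoft's Safe Links or Abnormal's code. The rewriter
mimics what such products do: wrap URLs they find in the HTML body. QR
decoding is delegated to a `decode_qr` callable; wire in a real decoder
(e.g. pyzbar.pyzbar.decode) in production. `stand_in_qr_decoder` only pulls
a URL out of constructed image bytes so the example runs offline.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_anchor_hrefs(html, wrap):
    """Click-time rewriting as SEGs do it: only <a href="..."> targets are wrapped."""
    return re.sub(r'(<a\b[^>]*\bhref=")(https?://[^"]+)(")',
                  lambda m: m.group(1) + wrap(m.group(2)) + m.group(3),
                  html, flags=re.IGNORECASE)


def extract_url_candidates(raw_msg, decode_qr):
    """Collect URLs from every carrier in the MIME tree: text parts and images."""
    msg = email.message_from_bytes(raw_msg, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("multipart/"):
            continue
        payload = part.get_payload(decode=True) or b""
        if ctype in ("text/plain", "text/html"):
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            found += [("text", u) for u in URL_RE.findall(text)]
        elif ctype.startswith("image/"):
            found += [("qr", u) for u in decode_qr(payload) if URL_RE.fullmatch(u)]
    return found


def defang(url):
    return url.replace("http", "hxxp").replace(".", "[.]")


def stand_in_qr_decoder(image_bytes):
    """Constructed stand-in: the sample 'image' is just b'QR:' + the encoded URL."""
    return [image_bytes[3:].decode()] if image_bytes.startswith(b"QR:") else []


def build_sample_message():
    """Constructed DHL-themed lure: the QR image carries the only phishing URL."""
    m = EmailMessage()
    m["From"] = "DHL Express <notify@dhl-parcel.example>"
    m["To"] = "victim@corp.example"
    m["Subject"] = "Action required: shipment on hold"
    m.set_content("Scan the QR code to release your parcel.")
    m.add_alternative(
        '<p>Scan the QR code to release your parcel.</p>'
        '<img src="cid:qr1">'
        '<p><a href="https://www.dhl.example/help">Help</a></p>',
        subtype="html")
    m.get_payload()[1].add_related(b"QR:https://parcel-release.example/pay?id=1",
                                   maintype="image", subtype="png", cid="<qr1>")
    return m.as_bytes()


def demo():
    raw = build_sample_message()
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = next(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")
    wrap = lambda u: "https://clicktime.example/?url=" + quote(u, safe="")
    return {"rewritten_html": rewrite_anchor_hrefs(html, wrap),
            "candidates": extract_url_candidates(raw, stand_in_qr_decoder)}


if __name__ == "__main__":
    out = demo()
    print(out["rewritten_html"])
    for source, url in out["candidates"]:
        print(f"{source}: {defang(url)}")
```

After the rewrite pass, the decoy "Help" anchor is wrapped with the click-time proxy and the QR URL appears nowhere in the HTML, because it was never text to begin with; only the image-aware extraction step recovers it. The practical takeaway is to feed decoded QR URLs into the same pre-delivery URL analysis as hyperlinks, since nothing downstream of delivery will.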
3. Microsoft Billing Impersonation From Xero Abuse
In this next attack, also detected by Abnormal, the threat actor impersonates Microsoft while abusing Xero to deliver the message.
If a user clicks the link, they see the following page, which prompts them to call the same phone number that appears in the initial message. There is no payload in the traditional sense; the phone number is the lure.
For anyone unfamiliar with this technique (often called callback phishing), the threat actor's goal is to get the end user to call the phone number. The call is answered by a human posing as tech support for the impersonated organization, Microsoft in this case. The fake agent asks the victim to start a remote desktop session, normally under the guise of “show me your screen and I will help you cancel this payment from your device.” The session is usually set up with legitimate remote-access software such as AnyDesk.
If the user declines the remote session but stays on the line, the threat actor typically pivots to harvesting personal information.
Running this URL through the same checker returns a benign verdict, which is unsurprising: the page contains no credential form or download, only a phone number to call.
4. Dutch VIP Impersonation With End-User Engagement (No Payload)
In the last example, Abnormal detected an impersonation of a VIP during a client's proof of value (POV). Because a POV runs in read-only mode, detected messages are not removed, and we can observe user engagement with them: opens, forwards, replies, and so on. Several of those interactions are shown in the following images.
Because this message carries no payload, post-delivery time-of-click controls have nothing to act on. The remaining hope is that the end user recognizes and reports the message. Sadly, we often see end users fall victim to such messages, as happened here.
This message is written in Dutch, and I will use a translation service (DeepL) to render it in English where necessary.
Original Message:
English Translation:
“Hello [Victim Name] Do you have a moment? I need you for an assignment. Please reply with your mobile number so I can tell you how to proceed. Kind regards”
The same message was sent to three different recipients, one of whom began engaging with the threat actor just seven minutes after delivery:
The threat actor then replies:
English Translation:
“Okay, I'm in a meeting session and I want us to work together on something important. I have selected a few employees who should receive a gift for their hard work and dedication to the growth of the company, especially at this stage, to motivate and encourage the team to be more proactive and enthusiastic in future projects. I need your help with this, but I'm not sure what the rest of my schedule looks like today. Please let me know if you can help me in a few minutes or in the next hour. I don't want you to ruin the surprise, so it's very important to me that you remain confidential.”
The victim continues engaging with the threat actor from there, eventually receiving a request to purchase a number of gift cards, each pre-loaded with 100 euros.
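Both of the last two attacks (the Microsoft billing callback lure and the Dutch VIP gift-card request) have nothing for a URL or attachment scanner to evaluate, so detection has to come from the sender, the social context and the text. The script below is an added example of that kind of pre-delivery triage; it is not Abnormal's detection logic, which is behavioral and model-driven, but a transparent heuristic version a team could run over its own mail. The internal domain, VIP name, brand list, engagement lexicon and the three sample messages are all constructed (the samples paraphrase the scenarios above), and the weights and threshold are illustrative.

```python
"""Heuristic triage for payload-less email threats: callback (phone-number)
phishing that impersonates a brand, and VIP impersonation that only asks for
a reply. Added example, not Abnormal's detection logic; the directory, brand
list and lexicon are constructed stand-ins for a real tenant's data, and the
three sample messages are constructed from the scenarios in the post.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}            # constructed tenant
VIP_DISPLAY_NAMES = {"Jan de Vries"}           # constructed VIP directory entry
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "dhl": {"dhl.com"}}
ENGAGEMENT_LEXICON = (
    "do you have a moment", "assignment", "mobile number", "confidential",
    "surprise", "in a meeting", "gift card", "cancel this payment", "call us",
)
PHONE_RE = re.compile(r"\+?\d[\d .()-]{7,}\d")
FLAG_THRESHOLD = 5


def domain_of(address):
    return address.rpartition("@")[2].lower()


def in_domains(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def phone_numbers(text):
    """Coarse extraction; require 10+ digits so dates and amounts do not match."""
    return [p for p in PHONE_RE.findall(text) if len(re.sub(r"\D", "", p)) >= 10]


def assess(msg):
    """Score a message dict (from, reply-to, subject, body). Returns (score, reasons)."""
    name, addr = parseaddr(msg.get("from", ""))
    sender_domain = domain_of(addr)
    text = (msg.get("subject", "") + "\n" + msg.get("body", "")).lower()
    reasons = []

    # VIP impersonation: an executive's display name on mail from outside the org
    if name in VIP_DISPLAY_NAMES and not in_domains(sender_domain, INTERNAL_DOMAINS):
        reasons.append(("vip_display_name_external_sender", 3))

    # Reply path steered to a domain other than the one that sent the mail
    _, reply_addr = parseaddr(msg.get("reply-to", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        reasons.append(("reply_to_domain_mismatch", 2))

    # Brand impersonation: brand named in display name or subject, sent from a
    # domain the brand does not own (a legitimate Xero notification still fails this)
    impersonated = [b for b, d in BRAND_DOMAINS.items()
                    if b in (name + " " + msg.get("subject", "")).lower()
                    and not in_domains(sender_domain, d)]
    for brand in impersonated:
        reasons.append((f"{brand}_impersonation", 3))

    # Callback phishing: the only "payload" is a number to call
    phones = phone_numbers(text)
    if phones and impersonated:
        reasons.append(("callback_number:" + phones[0].strip(), 3))

    hits = [k for k in ENGAGEMENT_LEXICON if k in text]
    if hits:
        reasons.append(("engagement_lexicon:" + ",".join(hits), len(hits)))

    return sum(weight for _, weight in reasons), reasons


def is_flagged(msg):
    return assess(msg)[0] >= FLAG_THRESHOLD


SAMPLES = {  # constructed messages paraphrasing the two payload-less attacks
    "vip_gift_card": {
        "from": "Jan de Vries <jan.devries.office@freemail.example>",
        "subject": "Quick task",
        "body": "Hello Anna, Do you have a moment? I need you for an assignment. "
                "Please reply with your mobile number so I can tell you how to proceed. Kind regards",
    },
    "callback_billing": {
        "from": "Microsoft Billing <messaging-service@post.xero.example>",
        "subject": "Your Microsoft 365 invoice",
        "body": "Your card was charged $349.99 for Microsoft 365. If you did not "
                "authorize this, call us at +1 (888) 555-0142 to cancel this payment.",
    },
    "benign_internal": {
        "from": "Jan de Vries <jan.devries@corp.example>",
        "subject": "Q3 planning",
        "body": "Can we move the planning sync to Thursday?",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        score, reasons = assess(sample)
        print(f"{label}: score={score} flagged={score >= FLAG_THRESHOLD}")
        for reason, weight in reasons:
            print(f"  +{weight} {reason}")
```

Two design points matter more than the specific weights. First, the brand check keys on who the message claims to be, not on authentication results: the Xero-relayed billing lure passes SPF and DKIM for Xero's domain and still scores as a Microsoft impersonation. Second, the VIP check compares the display name against the directory rather than the address, because that is exactly the mismatch a recipient on a phone never sees. The benign internal note from the same executive scores zero, which is the false-positive case any such rule has to survive.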
Invest in AI-Powered Email Protection That Stops Threats Before User Interaction
As these examples show, threat actors constantly adapt their techniques to exploit your users. Relying solely on controls that act after an email reaches the inbox is no longer adequate against sophisticated attacks. Modern threats routinely hide payloads behind redirects, QR codes and legitimate services, and many carry no payload at all, just text or a phone number, which leaves traditional time-of-click controls with nothing to evaluate and the outcome resting on user behavior.
Abnormal Security takes a different approach, offering advanced, AI-driven protection that detects and neutralizes these threats before users engage with them. By analyzing the nuances of each email and leveraging behavioral data from thousands of signals, Abnormal Security provides the comprehensive protection organizations need to defend against even the most advanced attacks.
Interested in learning more about how Abnormal protects your inbox? Schedule a demo today!