When SEGs Fail: Attackers Exploit Vendor Relationships for Credential Phishing
In today’s interconnected supply chains, trust is everything—but attackers are finding ways to exploit it. By leveraging compromised vendor accounts, threat actors launch sophisticated phishing campaigns that bypass traditional email defenses and take control of key user accounts.
During a recent proof of value (POV), Abnormal Security detected a multi-stage credential phishing attack that unfolded in under 30 minutes. The attack began with a phishing email from a trusted vendor and escalated into a full-blown account takeover. This case underscores the importance of advanced email defenses in stopping these evolving threats.
Anatomy of a Sophisticated Multi-Stage Attack
This attack targeted a management-level employee responsible for critical operational functions. Here’s how it unfolded:
1. Initial Phishing Email (10:03 AM):
The email was sent from a compromised vendor account, that of a senior field safety supervisor, and was designed to exploit the trusted relationship.

Content: The email included a PDF attachment with a link hosted on a legitimate file-sharing service (pdfhosts.io).

Payload: The attachment directed recipients to a fake Microsoft login page to harvest credentials.

Abnormal Indicators Detected:
Low-Context File Sharing Links: The email used a vague link to an external website without explaining its purpose.
Suspicious Link: The link redirected users to a known malicious site.
BCC’d Recipients: A tactic to obscure the email’s reach and avoid detection.
Embedded Links in Attachments: A common technique in phishing campaigns.
2. Account Takeover (10:30 AM):
Within minutes of the victim entering credentials, the attacker gained access to the account and configured it to suppress detection.
Unusual Sign-In Activity: The login originated from a risky VPN and ISP flagged by Abnormal’s ThreatIntelBase.
Geolocation Anomaly: The login originated from a region unrelated to the user or their organization.
Mail Filter Rule Creation: The attacker created a mail filter to automatically delete messages, hiding their activities.
Why Traditional Solutions Fall Short
Traditional email security tools are not equipped to handle these types of attacks. Here’s why:
Inherent Trust in Vendors: Legacy systems often allow emails from trusted domains to bypass scrutiny.
Email Authentication Limits: Attackers use compromised accounts that pass SPF, DKIM, and DMARC checks, appearing legitimate.
Lack of Post-Delivery Visibility: These solutions can’t detect or stop account takeover activities like mail filter creation or unusual login behavior.
Unlike traditional solutions, Abnormal provides visibility and protection across the entire attack lifecycle, combining identity signals with AI-powered behavioral analysis to detect nuanced threats in real time.
How Abnormal Detected the Attack
Even in passive mode during a POV, Abnormal showcased its ability to detect and surface every stage of this attack:
Phishing Email Detection
Abnormal flagged the malicious email using:
Behavioral AI: Anomalous activity in the vendor’s account stood out compared to historical patterns.
URL Analysis: The embedded link was associated with prior phishing activity.
If this attack had occurred with Abnormal in active mode, Abnormal would have auto-remediated it before the end user ever interacted with it. However, because the customer's active email security platforms failed to detect this attack, it was able to progress to the account takeover stage.
Account Takeover Protection
Once the attacker logged in, Abnormal detected the breach through:
Risky VPN and ISP Usage: These signals were flagged as suspicious based on threat intelligence, aggregated by ThreatIntelBase across all Abnormal customers.
Geolocation and Behavior Anomalies: Abnormal correlated login activity with user history to identify deviations.

Malicious Mail Filters: The system flagged the attacker’s attempt to configure rules that would suppress warning signs.
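The account takeover stage described above (a sign-in from a risky VPN/ISP and an unusual geography, followed within minutes by a mail filter that deletes messages) can be expressed as a correlation check over sign-in and mailbox-rule audit events. This is an added example, not Abnormal's code and not a real log schema: the event field names, the baseline country set and the risky-ASN list are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); the field names are an assumed schema.
SIGNINS = [
    {"user": "manager@example.com", "ts": "2024-05-01T09:00:00", "country": "US", "asn": "AS-HOME-ISP"},
    {"user": "manager@example.com", "ts": "2024-05-01T10:28:00", "country": "NG", "asn": "AS-RISKY-VPN"},
]
RULES = [  # mailbox rules created by the user, as an audit log would record them
    {"user": "manager@example.com", "ts": "2024-05-01T09:05:00", "name": "Newsletters",
     "actions": ["move_to_folder"], "folder": "Reading"},
    {"user": "manager@example.com", "ts": "2024-05-01T10:30:00", "name": ".",
     "actions": ["delete"], "subject_contains": ["password", "sign-in", "suspicious"]},
]
BASELINE_COUNTRIES = {"manager@example.com": {"US"}}  # learned from the user's login history
RISKY_ASNS = {"AS-RISKY-VPN"}  # stand-in for a threat-intel list of VPN/ISP networks
WINDOW = timedelta(minutes=30)  # how soon after a sign-in a rule change is suspicious

def flag_signins(signins, baseline, risky_asns):
    """Return sign-ins outside the user's usual geography or from a risky network."""
    flagged = []
    for s in signins:
        reasons = []
        if s["country"] not in baseline.get(s["user"], set()):
            reasons.append("geo_anomaly")
        if s["asn"] in risky_asns:
            reasons.append("risky_asn")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged

def hides_mail(rule):
    """True for rules that delete mail or file it where the user is unlikely to look."""
    hidden = {"Deleted Items", "RSS Feeds", "Archive"}
    return "delete" in rule["actions"] or rule.get("folder") in hidden

def correlate(signins, rules, baseline, risky_asns, window):
    """Pair each mail-hiding rule with a flagged sign-in that preceded it within the window."""
    findings = []
    for r in rules:
        if not hides_mail(r):
            continue
        for s in flag_signins(signins, baseline, risky_asns):
            if s["user"] != r["user"]:
                continue
            delta = datetime.fromisoformat(r["ts"]) - datetime.fromisoformat(s["ts"])
            if timedelta(0) <= delta <= window:
                findings.append({"user": r["user"], "signin_ts": s["ts"], "rule_ts": r["ts"],
                                 "rule": r["name"], "reasons": s["reasons"] + ["mail_hiding_rule"]})
    return findings
```

The benign 09:05 rule is never paired because the only sign-in before it is from the user's baseline country and home ISP; the 10:30 delete rule is paired with the 10:28 sign-in and carries all three reasons.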

Proactive Customer Alerting
Abnormal’s team provided a clear, actionable timeline of events to the customer’s security team, empowering them to remediate the threat before any further damage occurred.
Why Abnormal Is Different
Traditional email security solutions like secure email gateways (SEGs) act as an external layer of protection, filtering inbound emails with static rules and basic authentication checks. This approach stops simple attacks but struggles against sophisticated threats that exploit trusted accounts or involve post-delivery activity.
Abnormal takes a fundamentally different approach, embedding directly within your cloud email environment to provide deep visibility and AI-powered protection:
Detecting Initial Threats: Abnormal’s behavioral AI analyzes tens of thousands of identity signals to detect anomalies, such as unusual file-sharing links or deviations in email behavior.
Post-Delivery Defense: By understanding user behavior, Abnormal flags suspicious logins, geolocation anomalies, and malicious configuration changes like attacker-created mail filters.
With real-time insights and end-to-end protection, Abnormal stops threats that SEGs will likely miss, ensuring comprehensive security for your organization.
Moving Past the SEG
This attack demonstrates how easily threat actors can exploit vendor relationships to launch advanced credential phishing campaigns. Protecting your organization requires a modern, AI-powered approach capable of addressing these threats in real time. With Abnormal Security, you gain the visibility, intelligence, and automation needed to stop these attacks before they cause harm.
Discover how by starting your Abnormal demo today.