When SEGs Fail: Attackers Exploit Vendor Relationships for Credential Phishing

Discover how attackers exploit vendor relationships for credential phishing and how Abnormal Security’s AI-driven defense stops these attacks in real time, preventing account takeovers and minimizing risk.
January 29, 2025

In today’s interconnected supply chains, trust is everything—but attackers are finding ways to exploit it. By leveraging compromised vendor accounts, threat actors launch sophisticated phishing campaigns that bypass traditional email defenses and take control of key user accounts.

During a recent proof of value (POV), Abnormal Security detected a multi-stage credential phishing attack that unfolded in under 30 minutes. The attack began with a phishing email from a trusted vendor and escalated into a full-blown account takeover. This case underscores the importance of advanced email defenses in stopping these evolving threats.

Anatomy of a Sophisticated Multi-Stage Attack

This attack targeted a management-level employee responsible for critical operational functions. Here’s how it unfolded:

1. Initial Phishing Email (10:03 AM):

An email was sent from a compromised vendor—a senior field safety supervisor—designed to exploit the trusted relationship.

  • Content: The email included a PDF attachment with a link hosted on a legitimate file-sharing service (pdfhosts.io).

  • Payload: The attachment directed recipients to a fake Microsoft login page to harvest credentials.

Abnormal Indicators Detected:

  • Low-Context File Sharing Links: The email used a vague link to an external website without explaining its purpose.

  • Suspicious Link: The link redirected users to a known malicious site.

  • BCC’d Recipients: A tactic to obscure the email’s reach and avoid detection.

  • Embedded Links in Attachments: A common technique in phishing campaigns.
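The four indicators above can be checked mechanically on a delivered message. The script below is an added example, not Abnormal's detection logic: it builds a constructed message that mirrors the described one (a trusted-looking sender, a terse body, a PDF attachment whose only content is a link, and a recipient who is not named in To/Cc, i.e. was BCC'd) and flags the low-context link, the BCC'd delivery and the link embedded in the attachment. The 25-word threshold, the sender and recipient addresses, and the URL path are assumptions; pdfhosts.io is the host named in the write-up. Only uncompressed PDF link annotations are inspected, which is enough to show the technique.

```python
"""Heuristics for the phishing indicators in the write-up (added example).
Sample message and PDF bytes are constructed here, not taken from the incident."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Uncompressed PDF link annotations store their target as:  /A << /S /URI /URI (http://...) >>
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
LOW_CONTEXT_WORDS = 25  # assumption: fewer words than this gives the reader no context for a link


def build_sample_message(to_addr: str, link: str) -> bytes:
    """Constructed sample: one-line body plus a PDF whose only content is a link annotation."""
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
           + link.encode() + b") >> >> endobj\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "supervisor@vendor.example"      # constructed vendor address
    msg["To"] = to_addr
    msg["Subject"] = "Document"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="document.pdf")
    return msg.as_bytes()


def extract_links(msg: EmailMessage):
    """Return (body text, links found in the body, links found inside attachments)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    body_links = URL_RE.findall(body_text)
    attachment_links = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/pdf":
            attachment_links += [m.decode("latin-1") for m in PDF_URI_RE.findall(data)]
        else:
            attachment_links += URL_RE.findall(data.decode("latin-1", "replace"))
    return body_text, body_links, attachment_links


def phishing_indicators(raw: bytes, delivered_to: str, trusted_hosts=()):
    """Flag the indicators described in the write-up for one delivered message.

    delivered_to is the mailbox the message actually landed in (from the envelope);
    if it is absent from To/Cc, the recipient was BCC'd."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    if delivered_to.lower() not in visible:
        indicators.append("bcc_recipient")
    body_text, body_links, attachment_links = extract_links(msg)
    if attachment_links:
        indicators.append("link_in_attachment")
    external = [u for u in body_links + attachment_links
                if urlparse(u).hostname not in trusted_hosts]
    words = [w for w in body_text.split() if not w.lower().startswith("http")]
    if external and len(words) < LOW_CONTEXT_WORDS:
        indicators.append("low_context_link")
    return indicators, external


if __name__ == "__main__":
    raw = build_sample_message("ops.manager@customer.example",
                               "https://pdfhosts.io/constructed-sample-id")
    # Delivered to someone not named in To/Cc -> BCC'd recipient
    print(phishing_indicators(raw, "other.manager@customer.example"))
```

The suspicious-link indicator (a URL already known to be malicious) is deliberately left out: it needs a reputation feed, which is a lookup rather than a heuristic on the message itself.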

2. Account Takeover (10:30 AM):

Within minutes of the victim entering credentials, the attacker gained access to the account and configured it to suppress detection.

  • Unusual Sign-In Activity: The login originated from a risky VPN and ISP flagged by Abnormal’s ThreatIntelBase.

  • Geolocation Anomaly: The login originated from a region unrelated to the user or their organization.

  • Mail Filter Rule Creation: The attacker created a mail filter to automatically delete messages, hiding their activities.
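The three account-takeover signals above become useful when they are correlated: a successful sign-in from a risky provider or an unfamiliar country, followed within a short window by an inbox rule that deletes or files away incoming mail. The script below is an added example, not Abnormal's implementation. The sign-in and mailbox-audit records, the user's baseline, the risky-ISP list and the 30-minute window are all constructed; the record shape is simplified, with only the operation names New-InboxRule/Set-InboxRule and the DeleteMessage/MoveToFolder rule parameters taken from Exchange Online's cmdlets.

```python
"""Correlate risky sign-ins with mail-rule creation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for a threat-intel feed of anonymizing VPN / risky ISP names.
RISKY_ISPS = {"Example Anonymizing VPN Ltd"}
RULE_WINDOW = timedelta(minutes=30)  # assumption: a rule created this soon after a risky login is suspect


@dataclass(frozen=True)
class Baseline:
    """Countries a user has historically signed in from (constructed)."""
    user: str
    usual_countries: frozenset


# Constructed sign-in log: one normal login, then one from a risky VPN in an unfamiliar country.
SIGNIN_EVENTS = [
    {"user": "ops.manager@customer.example", "time": "2025-01-15T09:15:00",
     "ip": "198.51.100.10", "isp": "Example Telecom", "country": "US", "result": "success"},
    {"user": "ops.manager@customer.example", "time": "2025-01-15T10:30:00",
     "ip": "203.0.113.77", "isp": "Example Anonymizing VPN Ltd", "country": "ZZ", "result": "success"},
]

# Constructed mailbox audit log: an inbox rule that silently deletes matching mail.
AUDIT_EVENTS = [
    {"user": "ops.manager@customer.example", "time": "2025-01-15T10:34:00",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "DeleteMessage": True, "SubjectContainsWords": ["password", "suspicious"]}},
]

BASELINES = [Baseline("ops.manager@customer.example", frozenset({"US"}))]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def signin_signals(event: dict, baseline: Baseline) -> list:
    """Risky-provider and geolocation signals for one successful sign-in."""
    signals = []
    if event["isp"] in RISKY_ISPS:
        signals.append("risky_vpn_or_isp")
    if event["country"] not in baseline.usual_countries:
        signals.append("geolocation_anomaly")
    return signals


def rule_suppresses_mail(params: dict) -> bool:
    """Rules that delete or divert mail hide the account's traffic from its owner."""
    return bool(params.get("DeleteMessage")) or bool(params.get("MoveToFolder"))


def detect_account_takeover(signins, audits, baselines):
    """Return one alert per anomalous sign-in, noting any suppressive rule created soon after."""
    by_user = {b.user: b for b in baselines}
    alerts = []
    for s in signins:
        if s["result"] != "success" or s["user"] not in by_user:
            continue
        signals = signin_signals(s, by_user[s["user"]])
        t0 = parse_ts(s["time"])
        rule_delay = None
        for a in audits:
            if a["user"] != s["user"] or a["operation"] not in ("New-InboxRule", "Set-InboxRule"):
                continue
            delay = parse_ts(a["time"]) - t0
            if timedelta(0) <= delay <= RULE_WINDOW and rule_suppresses_mail(a["parameters"]):
                rule_delay = int(delay.total_seconds() // 60)
                break
        if rule_delay is not None:
            signals.append("suppressive_mail_rule")
        if signals:
            alerts.append({"user": s["user"], "signin_time": s["time"], "ip": s["ip"],
                           "signals": signals, "rule_delay_min": rule_delay})
    return alerts


if __name__ == "__main__":
    for alert in detect_account_takeover(SIGNIN_EVENTS, AUDIT_EVENTS, BASELINES):
        print(alert)
```

The earlier benign sign-in produces no alert; the 10:30 login produces one alert carrying all three signals and the four-minute gap before the rule appeared, which is the timeline a responder wants to see in one record.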

Why Traditional Solutions Fall Short

Traditional email security tools are not equipped to handle these types of attacks. Here’s why:

  • Inherent Trust in Vendors: Legacy systems often allow emails from trusted domains to bypass scrutiny.

  • Email Authentication Limits: Attackers use compromised accounts that pass SPF, DKIM, and DMARC checks, appearing legitimate.

  • Lack of Post-Delivery Visibility: These solutions can’t detect or stop account takeover activities like mail filter creation or unusual login behavior.

Unlike traditional solutions, Abnormal provides visibility and protection across the entire attack lifecycle, combining identity signals with AI-powered behavioral analysis to detect nuanced threats in real time.

How Abnormal Detected the Attack

Even in passive mode during a POV, Abnormal showcased its ability to detect and surface every stage of this attack:

Phishing Email Detection

Abnormal flagged the malicious email using:

  • Behavioral AI: Anomalous activity in the vendor’s account stood out compared to historical patterns.

  • URL Analysis: The embedded link was associated with prior phishing activity.

If this attack had occurred with Abnormal in active mode, Abnormal would have auto-remediated it before the end user ever interacted with it. However, because the active email security platforms in place failed to detect this attack, it was able to progress to the account takeover stage.

Account Takeover Protection

Once the attacker logged in, Abnormal detected the breach through:

  • Risky VPN and ISP Usage: These signals were flagged as suspicious based on threat intelligence, aggregated by ThreatIntelBase across all Abnormal customers.

  • Geolocation and Behavior Anomalies: Abnormal correlated login activity with user history to identify deviations.

  • Malicious Mail Filters: The system flagged the attacker’s attempt to configure rules that would suppress warning signs.

Proactive Customer Alerting

Abnormal’s team provided a clear, actionable timeline of events to the customer’s security team, empowering them to remediate the threat before any further damage occurred.

Why Abnormal Is Different

Traditional email security solutions like secure email gateways (SEGs) act as an external layer of protection, filtering inbound emails with static rules and basic authentication checks. This approach stops simple attacks but struggles against sophisticated threats that exploit trusted accounts or involve post-delivery activity.

Abnormal takes a fundamentally different approach, embedding directly within your cloud email environment to provide deep visibility and AI-powered protection:

  • Detecting Initial Threats: Abnormal’s behavioral AI analyzes tens of thousands of identity signals to detect anomalies, such as unusual file-sharing links or deviations in email behavior.

  • Post-Delivery Defense: By understanding user behavior, Abnormal flags suspicious logins, geolocation anomalies, and malicious configuration changes like attacker-created mail filters.

With real-time insights and end-to-end protection, Abnormal stops threats that SEGs will likely miss, ensuring comprehensive security for your organization.

Moving Past the SEG

This attack demonstrates how easily threat actors can exploit vendor relationships to launch advanced credential phishing campaigns. Protecting your organization requires a modern, AI-powered approach capable of addressing these threats in real time. With Abnormal Security, you gain the visibility, intelligence, and automation needed to stop these attacks before they cause harm.

Discover how by starting your Abnormal demo today.
