Recognizing Credential Phishing
Detecting a Phishing Attack
This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:
It appears to be sent by the internal IT system, but the display name does not align with the email address
It includes a request to click a link and the tone suggests urgency
After clicking the link, the recipient will be asked to enter their login credentials to what appears to be a legitimate website
Despite the link itself showing no traditional indicators of compromise, Abnormal can determine that this email is a credential phishing attempt.
Stop Phishing Scams That Bypass Secure Email Gateways
Authenticate Sender Information
This message from Internal IT Support asks Kevin to reenter his password to continue accessing his email account.
Impersonating a known entity, this message conveys urgency and encourages the victim to click the link where they will need to enter their credentials to continue using their email account.
While it appears to Kevin to come from a trusted source, inspection of the header information shows that it does not come from the internal domain and instead has an unusual username—something unlikely to be used by an actual IT department.
Determine Urgency and Tone
Review of the email content shows that it encourages urgency by indicating that Kevin will be locked out of his account if he doesn’t comply immediately.
Abnormal goes beyond detecting traditional indicators of compromise such as reply-to pivots and malicious IPs, and reviews the language within the email itself.
Through natural language processing, Abnormal can determine that this email conveys a suspicious tone with increased urgency, a common tactic with credential phishing.
Inspect Links for Malicious Behavior
The link itself appears to be hosted on the dunder-mifflin.com domain, but further inspection shows that this is a redirect and Kevin will actually be taken to a credential phishing site.
Abnormal scans all attachments and linked URLs for suspicious content and/or behavior. In this case, we understand that the link requires a password to be entered. Combined with the other indicators of attack, Abnormal determines that this link is malicious and could lead to credential theft.
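The three checks walked through above (sender authentication, tone, and link inspection) as a small detection heuristic, added here as an illustration and not Abnormal's own code; the internal domain, the urgency phrase list, the constructed sample message and the assess() combination rule are all assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

INTERNAL_DOMAIN = "dunder-mifflin.com"  # assumed internal domain (from the walkthrough)
URGENCY_PHRASES = ("locked out", "immediately", "within 24 hours", "verify your account")
# Constructed sample modelled on the walkthrough, not a real capture: the display name
# claims internal IT, the address is external, and the internal-looking link redirects out.
SAMPLE_EMAIL = """\
From: Internal IT Support <it.support.0192@mail-notify.example>
To: kevin@dunder-mifflin.com
Subject: Action required: password re-entry

Your mailbox will be locked out if you do not re-enter your password immediately:
https://dunder-mifflin.com/redirect?url=https://login-portal.example/owa
"""

def sender_mismatch(msg, internal_domain=INTERNAL_DOMAIN):
    # Display name claims IT/support while the address sits outside the internal domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims_it = {"it", "support", "helpdesk"} & set(name.lower().split())
    return bool(claims_it) and domain != internal_domain

def urgency_hits(text):
    # Crude stand-in for tone analysis: count pressure phrases in subject and body.
    lowered = text.lower()
    return sum(1 for phrase in URGENCY_PHRASES if phrase in lowered)

def redirect_targets(text, internal_domain=INTERNAL_DOMAIN):
    # Links on the internal domain whose query string carries a URL on another domain.
    found = []
    for url in re.findall(r"https?://[^\s<>\"]+", text):
        parsed = urlparse(url)
        if parsed.netloc.lower() != internal_domain:
            continue
        for values in parse_qs(parsed.query).values():
            for target in (urlparse(v) for v in values):
                if target.scheme in ("http", "https") and target.netloc.lower() != internal_domain:
                    found.append((url, target.netloc.lower()))
    return found

def assess(raw_message):
    # Combine the signals: none alone is decisive, together they flag the message.
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    result = {"sender_mismatch": sender_mismatch(msg),
              "urgency_hits": urgency_hits(msg.get("Subject", "") + " " + body),
              "redirects": redirect_targets(body)}
    result["suspicious"] = all((result["sender_mismatch"], result["urgency_hits"], result["redirects"]))
    return result
```

A real pipeline would replace the phrase list with a trained tone classifier and follow the redirect in a sandbox rather than trusting the query string alone.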
Protect the Unprotected, Especially After Compromise
The attacker sends the email to Kevin's personal email as well. Kevin believes that the email is valid, clicks on the link, and enters his credentials. His account has now become compromised.
Even though the email was removed from Kevin’s inbox within milliseconds, the attackers sent the same message to his personal email. Kevin clicked on the link and entered his credentials.
His account is now compromised, but Abnormal understands this and immediately locks him out—requiring a full password reset. Attackers no longer have access to legitimate credentials.
Auto-Remediate Similar Attacks for Other End Users
Because the attackers believe they were successful in tricking Kevin, they send additional email attacks to other Dunder Mifflin employees.
Abnormal knows that these emails are malicious and automatically removes them from inboxes, ensuring that other employees are not tricked by the same credential phishing campaign.
The Abnormal detection engine automatically learns from behavior and traits, and then detects, logs and remediates all email-based threats.