Stop Credential Phishing

Prevent your end users from falling victim to socially-engineered attacks.



reported lost due to phishing attacks

FBI Internet Crime Report, 2021


of all cybercrime losses are due to phishing

FBI Internet Crime Report, 2021


of all advanced threats were credential phishing attacks

Abnormal Security, Q3 2021

Recognizing Credential Phishing

Unlike traditional email scams that focus on sending as many attacks as possible, phishing relies on research and social engineering to trick unsuspecting people into sending money, leaking confidential information, or providing access to accounts. In these attacks, the threat actor:


  • Conducts research on the target, their responsibilities, and the overall organization.

  • Sends a targeted email, often impersonating a known and trusted individual.

  • Engages with the victim with an increasing sense of urgency.

  • Convinces the victim to send funds, provide access to information, or submit credentials.


Detecting a Phishing Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by the internal IT system, but the display name does not align with the email address

  • It includes a request to click a link and the tone suggests urgency

  • After clicking the link, the recipient will be asked to enter their login credentials to what appears to be a legitimate website

Although the link itself shows no traditional indicators of compromise, Abnormal can determine that this email is a credential phishing attempt.


Stop Phishing Scams That Bypass Secure Email Gateways


Authenticate Sender Information

This message from Internal IT Support asks Kevin to reenter his password to continue accessing his email account.

Impersonating a known entity, this message conveys urgency and encourages the victim to click the link where they will need to enter their credentials to continue using their email account.

While it appears to Kevin to come from a trusted source, inspection of the header information shows that it does not come from the internal domain and instead has an unusual username—something unlikely to be used by an actual IT department.


Determine Urgency and Tone

Review of the email content shows that it encourages urgency by indicating that Kevin will be locked out of his account if he doesn’t comply immediately.

Abnormal goes beyond detecting traditional indicators of compromise such as reply-to pivots and malicious IPs, and reviews the language within the email itself.

Through natural language processing, Abnormal can determine that this email conveys a suspicious tone with increased urgency, a common tactic with credential phishing.


Inspect Links for Malicious Behavior

The link itself appears to be hosted on the domain, but further inspection shows that this is a redirect and Kevin will actually be taken to a credential phishing site.

Abnormal scans all attachments and linked URLs for suspicious content and/or behavior. In this case, we understand that the link requires a password to be entered. Combined with the other indicators of attack, Abnormal determines that this link is malicious and could lead to credential theft.
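The three checks walked through above (sender display name versus address, urgent wording, and a link that redirects off-domain) can be sketched as simple rules. This is an added illustration, not Abnormal's detection engine: the keyword lists stand in for natural language processing, and the domain dundermifflin.example, the sample message, and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qsl

INTERNAL_DOMAIN = "dundermifflin.example"  # assumption: the organization's mail domain
INTERNAL_NAMES = re.compile(r"\b(it support|help ?desk|it system)\b", re.I)
URGENCY = re.compile(r"\b(immediately|locked out|within \d+ hours?|suspended)\b", re.I)
HREF = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message (not taken from the page); single-part text/plain.
SAMPLE = """\
From: Internal IT Support <xk29-notify@mail-update.example>
To: kevin@dundermifflin.example
Subject: Action required: re-enter your password
Content-Type: text/plain

Kevin, you will be locked out of your account unless you re-enter your
password immediately:
https://dundermifflin.example/redirect?url=https%3A%2F%2Flogin.portal-verify.example%2Fsignin
"""

def redirect_target(url):
    """Return the host a redirect-style query parameter points to, if it differs."""
    host = urlsplit(url).hostname
    for _, value in parse_qsl(urlsplit(url).query):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname and inner.hostname != host:
            return inner.hostname
    return None

def analyze(raw):
    """Return a list of findings for one raw single-part message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    # 1. Display name claims an internal sender, address is on another domain.
    if INTERNAL_NAMES.search(name) and domain != INTERNAL_DOMAIN:
        findings.append(f"display-name-mismatch:{domain}")
    # 2. Urgent wording in the subject or body.
    if URGENCY.search(body) or URGENCY.search(msg.get("Subject", "")):
        findings.append("urgent-tone")
    # 3. Link hosted on one domain that forwards to a different host.
    for url in HREF.findall(body):
        target = redirect_target(url)
        if target:
            findings.append(f"redirect:{target}")
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

No single finding is conclusive on its own; as the walkthrough describes, the verdict comes from the indicators appearing together.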


Protect the Unprotected, Especially After Compromise

Even though the email was removed from Kevin’s inbox within milliseconds, the attackers sent the same message to his personal email as well. Kevin believed that the email was valid, clicked on the link, and entered his credentials.

His account is now compromised, but Abnormal understands this and immediately locks him out, requiring a full password reset. Attackers no longer have access to legitimate credentials.


Auto-Remediate Similar Attacks for Other End Users

Because the attackers believe they were successful in tricking Kevin, they send additional email attacks to other Dunder Mifflin employees.

Abnormal knows that these emails are malicious and automatically removes them from inboxes, ensuring that other employees are not tricked by the same credential phishing campaign.

The Abnormal detection engine automatically learns from behavior and traits, and then detects, logs and remediates all email-based threats.

