GF 01 720x478 2x

Stop Credential Phishing

Prevent your end users from falling victim to socially-engineered attacks.


reported lost due to phishing attacks

FBI Internet Crime Report, 2021


of all cybercrime losses are due to phishing

FBI Internet Crime Report, 2021


of all advanced threats were credential phishing attacks

Abnormal Security, Q3 2021

Recognizing Credential Phishing

Unlike traditional email scams that focus on sending as many attacks as possible, phishing relies on research and social engineering to trick unsuspecting people into sending money, leaking confidential information, or providing access to accounts. In these attacks, the threat actor:


Conducts research on the target, their responsibilities, and the overall organization.


Sends a targeted email, often impersonating a known and trusted individual.


Engages with the victim with an increasing sense of urgency.


Convinces victim to send funds, provide access to information, or submit credentials.

abnormal detecting a phishing attack

Detecting a Phishing Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by the internal IT system, but the display name does not align with the email address

  • It includes a request to click a link and the tone suggests urgency

  • After clicking the link, the recipient will be asked to enter their login credentials to what appears to be a legitimate website

Despite the link itself showcasing no traditional indicators of compromise, Abnormal can determine that this email is a credential phishing attempt.

Stop Phishing Scams That Bypass Secure Email Gateways

sample phishing email requesting credentials

Authenticate Sender Information

This message from Internal IT Support asks Kevin to reenter his password to continue accessing his email account.

Impersonating a known entity, this message conveys urgency and encourages the victim to click the link where they will need to enter their credentials to continue using their email account.

While it appears to Kevin to come from a trusted source, inspection of the header information shows that it does not come from the internal domain and instead has an unusual username—something unlikely to be used by an actual IT department.

sample phishing email using urgent tone

Determine Urgency and Tone

Review of the email content shows that it encourages urgency by indicating that Kevin will be locked out of his account if he doesn’t comply immediately.

Abnormal goes beyond detecting traditional indicators of compromise such as reply-to pivots and malicious IPs, and reviews the language within the email itself.

Through natural language processing, Abnormal can determine that this email conveys a suspicious tone with increased urgency, a common tactic with credential phishing.

sample phishing email with suspicious link

Inspect Links for Malicious Behavior

The link itself appears to be hosted on the domain, but further inspection shows that this is a redirect and Kevin will actually be taken to a credential phishing site.

Abnormal scans all attachments and linked URLs for suspicious content and/or behavior. In this case, we understand that the link requires a password to be entered. Combined with the other indicators of attack, Abnormal determines that this link is malicious and could lead to credential theft.

abnormal security locking a compromised account

Protect the Unprotected, Especially After Compromise

The attacker sends the email to Kevin's personal email as well. Kevin believes that the email is valid, clicks on the link, and enters his credentials. His account has now become compromised.

Even though the email was removed from Kevin’s inbox within milliseconds, the attackers sent the same message to his personal email. Kevin clicked on the link and entered his credentials.

His account is now compromised, but Abnormal understands this and immediately locks him out—requiring a full password reset. Attackers no longer have access to legitimate credentials.

abnormal auto remediating similar phishing attacks

Auto-Remediate Similar Attacks for Other End Users

Because the attackers believe they were successful in tricking Kevin, they send additional email attacks to other Dunder Mifflin employees.

Abnormal knows that these emails are malicious and automatically removes them from inboxes, ensuring that other employees are not tricked by the same credential phishing campaign.

The Abnormal detection engine automatically learns from behavior and traits, and then detects, logs and remediates all email-based threats.

Trusted by Global Enterprises


Prevent the Attacks That Matter Most

Related Resources