GF 01 720x478 2x

Stop Credential Phishing and Business Email Compromise

Prevent your end users from falling victim to socially-engineered attacks.


reported lost due to business email compromise

FBI Internet Crime Report, 2020


of all cybercrime losses are due to BEC and phishing

FBI Internet Crime Report, 2020


of all advanced threats were credential phishing attacks

Abnormal Security, Q3 2021

Recognizing Credential Phishing and BEC Attacks

Unlike traditional email scams that focus on sending as many attacks as possible, phishing relies on research and social engineering to trick unsuspecting people into sending money, leaking confidential information, or providing access to accounts. In these attacks, the threat actor:


Conducts research on the target, their responsibilities, and the overall organization.


Sends a targeted email, often impersonating a known and trusted individual.


Engages with the victim with an increasing sense of urgency.


Convinces victim to send funds, provide access to information, or submit credentials.

05 PBEC 01 email Phishing BEC Email analysis 2x

Detecting a Phishing Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by the internal IT system, but the display name does not align with the email address

  • It includes a request to click a link and the tone suggests urgency

  • After clicking the link, the recipient will be asked to enter their login credentials to what appears to be a legitimate website

Despite the link itself showcasing no traditional indicators of compromise, Abnormal can determine that this email is a credential phishing attempt.

Stop Phishing Scams That Bypass Secure Email Gateways

Phishing BEC 01 2x v2

Authenticate Sender Information

This message from Internal IT Support asks Kevin to reenter his password to continue accessing his email account.

Impersonating a known entity, this message conveys urgency and encourages the victim to click the link where they will need to enter their credentials to continue using their email account.

While it appears to Kevin to come from a trusted source, inspection of the header information shows that it does not come from the internal domain and instead has an unusual username—something unlikely to be used by an actual IT department.

Phishing BEC 02 2x v2

Determine Urgency and Tone

Review of the email content shows that it encourages urgency by indicating that Kevin will be locked out of his account if he doesn’t comply immediately.

Abnormal goes beyond detecting traditional indicators of compromise such as reply-to pivots and malicious IPs, and reviews the language within the email itself.

Through natural language processing, Abnormal can determine that this email conveys a suspicious tone with increased urgency, a common tactic with credential phishing.

Phishing BEC 03 2x v2

Inspect Links for Malicious Behavior

The link itself appears to be hosted on the domain, but further inspection shows that this is a redirect and Kevin will actually be taken to a credential phishing site.

Abnormal scans all attachments and linked URLs for suspicious content and/or behavior. In this case, we understand that the link requires a password to be entered. Combined with the other indicators of attack, Abnormal determines that this link is malicious and could lead to credential theft.

Phishing BEC 04 2x v2

Protect the Unprotected, Especially After Compromise

The attacker sends the email to Kevin's personal email as well. Kevin believes that the email is valid, clicks on the link, and enters his credentials. His account has now become compromised.

Even though the email was removed from Kevin’s inbox within milliseconds, the attackers sent the same message to his personal email. Kevin clicked on the link and entered his credentials.

His account is now compromised, but Abnormal understands this and immediately locks him out—requiring a full password reset. Attackers no longer have access to legitimate credentials.

Phishing BEC 05 2x v2

Auto-Remediate Similar Attacks for Other End Users

Because the attackers believe they were successful in tricking Kevin, they send additional email attacks to other Dunder Mifflin employees.

Abnormal knows that these emails are malicious and automatically removes them from inboxes, ensuring that other employees are not tricked by the same credential phishing campaign.

The Abnormal detection engine automatically learns from behavior and traits, and then detects, logs and remediates all email-based threats.

Trusted by Global Enterprises


See an Abnormal Product Demo

Related Resources

Whitepaper cover 1
Business email compromise (BEC) is the most significant cybersecurity threat to enterprise organizations, with $1.8 billion lost in 2020 alone. This type of email attack occurs when a cybercriminal uses social engineering to impersonate a trusted contact—typically an executive, coworker, vendor, or partner.
Read More
Webinar cover 1
Traditional cybersecurity infrastructure can’t stop new and emerging threats, particularly in the email channel, and cybercriminals are constantly changing their methods to stay one step ahead. Hear how Theresa Payton, first female White House CIO, thinks about these attacks.
Read More
B Gartner Highlights 1
The Gartner Market Guide for Email Security explains what integrated cloud email security (ICES) solutions are and why they’re essential for modern enterprises. Download a copy now to learn why enterprises are moving away from the SEG.
Read More
Webinar microsoft cover
The emergence and evolution of advanced socially-engineered cyber attacks, including business email compromise, supply chain fraud, and ransomware, has organizations rethinking their security strategies and tech stacks.
Read More
Blog white bridge
We’ve seen an incredible uptick in collaboration software impersonations in the past month as the COVID-19 pandemic has forced people to work at home. Most of these attacks are associated with platforms like Google Workspace and Office 365, which can be...
Read More
Video 1
With Abnormal, security teams can now eliminate redundant email gateways and enhance Microsoft's built-in security capabilities. Once integrated via one-click API, Abnormal automatically profiles your VIPs and employees, their behavior, relationships, communication patterns...
Read More
Microsoft whitepaper cover
In today’s cloud-first approach to managing corporate infrastructure and running applications, more than 56% of organizations globally now use Microsoft 365. See how Abnormal can help you augment your infrastructure to block the most dangerous attacks.
Read More