• Email is sent from a compromised legitimate account, increasing trust and bypassing traditional trust-based filtering mechanisms
• Message prompts recipients to review an urgent “2025 Year-End Bonus Review” HR document
• Email appears as a document review or e-signature notification related to HR processes

• Email contains a link wrapped in a Google Maps redirect, obscuring the final destination and increasing user trust
• Link appears to lead to a document review but instead redirects to attacker-controlled phishing infrastructure
• Malicious infrastructure is hosted on an Amazon AWS bucket, leveraging legitimate hosting services to avoid detection

• Redirect leads to a credential-harvesting page disguised as a Microsoft authentication portal
• Page prompts victims to enter Microsoft login credentials under the pretense of reviewing HR documentation
• Harvested credentials can enable attackers to gain unauthorized access to corporate Microsoft services

This email attack bypasses traditional security solutions for several reasons, including:

• Email originates from a compromised legitimate account, increasing sender trust and bypassing traditional trust-based filtering systems
• Phishing infrastructure is hosted on Amazon AWS, leveraging legitimate cloud hosting to evade reputation-based blocking controls
• Malicious link is concealed through Google Maps URL redirection, masking the final phishing destination

This attack was detected using AI and ML by analyzing various factors, including:

• Behavioral AI detects anomalies such as never-before-seen senders and abnormal communication patterns compared to expected sender behavior
• Detection of suspicious URLs and redirection behavior inconsistent with legitimate HR communications
• Natural language processing identifies urgency and financial-themed messaging patterns associated with social engineering attacks

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI’s system might include proprietary techniques and methodologies not disclosed here.