French-Language VEC Attack Exploits Compromised Vendor Account and Cloudflare-Hosted Portal

See how attackers weaponized a legitimate vendor's Microsoft 365 account to deliver a French-language VEC attack that cleared every standard authentication check.

Piotr Wojtyla

March 17, 2026


Email attacks that spoof well-known brands can be easy to spot once you know what to watch for. A display name that doesn't look quite right. A domain that's one character off. A link that doesn't match the text it's hiding behind. These are the tells that security training teaches employees to catch—and that legacy tools are built to flag.

But vendor email compromise (VEC) attacks operate on an entirely different premise. Instead of impersonating a trusted organization from the outside, the attacker operates from within it—using a real account, a real domain, and real infrastructure to reach targets who have every reason to trust what they’re seeing.

In a novel campaign recently detected by Abnormal using our newly upgraded behavioral foundation model, Attune 1.0, threat actors did exactly that. They compromised the Microsoft 365 account of a legitimate employee at a Quebec-based agricultural equipment company and used it to send a convincing French-language document-sharing lure to the vendor’s customers and partners. From a traditional authentication and reputation standpoint, all visible signals suggested the email was safe. The attacker was counting on that.

Breaking Down the Vendor Email Compromise Attack

The attack began with an email sent from the account of C.G., listed in her signature as “Directrice adjointe” (Assistant Director). The message was written in professional French and claimed that C.G. had shared a set of “pièces justificatives” (supporting documents) with the recipient on behalf of the company.

Image: Malicious email, purporting to be from the Assistant Director at a Quebec-based agricultural equipment company

Image: English translation of the malicious email

To access the documents, recipients were directed to visit a portal at [redacted][.]pages[.]dev. In a subtle but telling detail, the email also included a fallback instruction: if the link failed to open directly, recipients were advised to manually copy and paste the URL into a browser or mobile device.

The email’s signature block reinforced its apparent legitimacy: it included C.G.’s full title, three physical office addresses, a corporate phone number, and logos for multiple agricultural equipment brands, all anchored by the genuine domain in the footer.

The visible “To” field showed the sender’s own address—a common indicator that actual targets were concealed behind BCC, preventing any individual recipient from seeing the broader distribution pattern or identifying the campaign as a mass-send.

Clicking through to the portal or navigating there manually would direct the target to an attacker-controlled credential harvesting page, most likely designed to mimic a Microsoft 365 or vendor document login portal. Entering credentials there would hand them directly to the threat actor.

How Attune Detected This VEC Attack

Image: Authentication confirmed legitimacy; Attune, the behavioral foundation model of the Abnormal platform, evaluated alignment.

Rather than scoring identity, infrastructure, language, and delivery patterns independently, Attune models them within a unified behavioral representation, evaluating how those signals fit against the tenant’s established baseline. Several distinct signals combined to surface this email as high-risk in the context of the organization’s unique behavioral patterns. The pattern emerged across three behavioral themes.

1. Language and Pretext Alignment

The email was written in formal business French and framed as a document-share notification—a pretext frequently used in VEC campaigns targeting French-speaking organizations. Because Attune models multilingual communication patterns, including native-language nuance, it recognized the structure and intent of the request—not just the vocabulary.

That pretext was paired with an explicit instruction to copy and paste a URL into a browser. Vendor document notifications are routine. Manual navigation to a non-vendor domain is not—a pattern strongly associated with credential harvesting campaigns.

Within the context of this vendor relationship, the request was atypical and high impact for the sender identity.

2. Identity and Infrastructure Mismatch

The message originated from a legitimate vendor account and passed all authentication checks. However, the referenced document portal was hosted on an unaffiliated Cloudflare Pages subdomain with no historical association to the vendor.

The gap between a trusted vendor identity and an unaffiliated hosting destination is a strong indicator of a fake portal, particularly when framed as a document access point.

3. Cross-Customer Behavioral Correlation

The sender email and domain pattern appeared in other Abnormal-protected environments during the same time period—not through a static feed or public blocklist, but via independent behavioral detections across multiple tenants.

Because these detections are driven by indicators of behavior (IoBs), activity observed in one environment can help surface the same attack pattern elsewhere. That shared behavioral visibility allows emerging campaigns to be recognized earlier and improves detection accuracy across the broader customer base.

In this case, the recurrence of the same sender and infrastructure across multiple tenants made it unlikely that the message represented an isolated event.

The top indicators of behavior (IoBs) included:

  • Multilingual contextual understanding of a French credential-harvesting pretext

  • Deviation from historical vendor–customer communication patterns

  • Mismatch between the vendor brand and a third-party hosting domain, with that hosting domain rarely seen in the user's environment

  • Cross-tenant behavioral correlation

No single indicator revealed compromise. The risk became apparent when those signals were measured jointly against what was normal for the organization. Attune flagged and remediated the message before users could meaningfully engage with it.
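To make the joint-scoring idea concrete, here is an added Python example (not Abnormal's code, and the behavioral model is replaced by simple heuristics) that evaluates a constructed message against a constructed vendor baseline: authentication passes, yet the link host, the copy-and-paste instruction, the self-addressed To field and a cross-tenant sighting together raise the verdict. Sender, domains and sighting counts are placeholders, not the campaign's real indicators.

```python
import re

# Constructed baseline for one vendor relationship (placeholder values, not the
# campaign's real indicators): domains the vendor has historically linked to, and
# (sender, link-host) pairs independently flagged in other tenants.
VENDOR_DOMAIN = "vendor.example"
KNOWN_LINK_DOMAINS = {"vendor.example", "portal.vendor.example"}
CROSS_TENANT_SIGHTINGS = {("c.g@vendor.example", "vendor-docs.pages.dev"): 3}

# French and English phrasing that asks the reader to navigate manually.
MANUAL_NAV = re.compile(r"\b(copiez|collez|copy|paste)\b", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample resembling the lure: authenticated vendor sender,
# self-addressed To (targets in BCC), link to an unaffiliated pages.dev host.
SAMPLE_MSG = {
    "from": "c.g@vendor.example",
    "to": ["c.g@vendor.example"],
    "authentication_results": "spf=pass smtp.mailfrom=vendor.example; "
        "dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example",
    "body": "Bonjour, j'ai partagé des pièces justificatives avec vous : "
        "https://vendor-docs.pages.dev/ Si le lien ne s'ouvre pas, copiez et "
        "collez l'URL dans votre navigateur.",
}

def auth_passed(results: str) -> bool:
    """True when SPF, DKIM and DMARC all report pass (the 'trusted identity' input)."""
    return all(f"{m}=pass" in results.lower() for m in ("spf", "dkim", "dmarc"))

def unaffiliated_hosts(body: str) -> set[str]:
    """Link hosts that are neither the vendor's domain nor in its historical set."""
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    return {h for h in hosts
            if h not in KNOWN_LINK_DOMAINS and not h.endswith("." + VENDOR_DOMAIN)}

def indicators(msg: dict) -> list[str]:
    """Collect indicators of behavior; none is conclusive on its own."""
    iobs = []
    foreign = unaffiliated_hosts(msg["body"])
    if auth_passed(msg["authentication_results"]) and foreign:
        iobs.append("trusted vendor identity linking to unaffiliated host")
    if MANUAL_NAV.search(msg["body"]):
        iobs.append("instruction to copy/paste URL (sidesteps link rewriting)")
    if msg["to"] == [msg["from"]]:
        iobs.append("self-addressed To field (recipients hidden in BCC)")
    if any(CROSS_TENANT_SIGHTINGS.get((msg["from"], h), 0) >= 2 for h in foreign):
        iobs.append("same sender and infrastructure seen in other tenants")
    return iobs

def verdict(msg: dict) -> str:
    # Score the joint picture rather than any single artifact.
    n = len(indicators(msg))
    return "high-risk" if n >= 3 else "review" if n else "benign"
```

A routine invoice notice from the same authenticated sender that links only to the vendor's own portal collects no indicators and stays benign, which is the point: the sender is trusted in both cases, and only the behavior differs.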

What Makes This VEC Attack Unique

Most attacks require the attacker to construct a convincing forgery—a lookalike domain, a cloned email template, a spoofed sender address. In this campaign, the attacker needed none of that. By gaining access to the legitimate Microsoft 365 account of a real employee at a real vendor, they inherited everything that makes a message trustworthy: a genuine sending address, an authentic corporate signature, and a plausible business pretext.

The choice of lure was deliberate. A request to review “supporting documents” falls squarely within the routine B2B communication that employees at the vendor’s customer organizations handle regularly, such as invoices, purchase orders, and financial reconciliation. It demands action but doesn’t demand scrutiny.

The use of the Cloudflare Pages hosting platform for the credential portal is also notable. The attacker created a subdomain that visually echoes the vendor’s real brand, lending additional surface credibility to the link destination.

The copy-paste URL instruction adds another layer of sophistication. This instruction, framed as a helpful workaround, served a specific technical purpose. Many enterprise email security tools rewrite links in inbound messages, routing them through a proxy or sandboxing environment before the user reaches the destination. By explicitly instructing recipients to copy and paste the URL directly into a browser, the attacker created a social engineering bypass for one of the most common technical controls in modern email security stacks.

Finally, the French-language content and the Canadian postal addresses in the signature point to deliberate targeting of French-speaking customers and distributors of the vendor.

Why This VEC Attack Is Difficult to Detect

Header analysis confirmed that SPF, DKIM, and DMARC all passed for the sending domain. The message was routed entirely through legitimate Microsoft 365 infrastructure belonging to the vendor’s own tenant. Microsoft’s composite authentication verdict returned “pass.” From an infrastructure standpoint, this email was indistinguishable from any authentic message C.G. might have sent on any other day.

The malicious link introduced a new domain, but vendor communications regularly include links to external systems, client portals, and third-party platforms. Cloudflare Pages is a widely utilized and generally trusted static site hosting service, which means security tools that evaluate domain reputation are unlikely to flag it outright. Without behavioral context, the presence of an external link in a document-sharing notification is not inherently suspicious.

The copy-paste instruction compounds the detection challenge further, removing the payload from the security tool's line of sight entirely.

The result is an attack that is well-positioned to clear the checkpoints that legacy secure email gateways (SEGs) are designed to enforce—not by breaking those controls, but by rendering them irrelevant. Authentication validates the sender. Reputation scoring trusts the domain. No known signatures match. The message reaches the inbox looking exactly like what it claims to be.

Stopping Vendor Email Compromise with Behavioral AI

Vendor email compromise relies on inheriting trust—and then abusing it. As attackers increasingly operate from within legitimate accounts, artifact-based validation becomes insufficient. Authenticity confirms that a message is real. It does not confirm that it is appropriate.

The durable signal lies in behavioral alignment. Because Abnormal builds a comprehensive understanding of how each vendor communicates—what they send, who they send it to, what platforms they use, and how their messages are structured—Attune can identify the moment a trusted relationship is weaponized, even when every individual component of the email appears legitimate.

Detection strategies that make deterministic judgments based on single IOCs are misaligned with an environment in which valid infrastructure can be repurposed. Modeling the relationships between signals—across identity, communication history, delivery behavior, and cross-customer intelligence—is no longer an enhancement to email security. It is the foundation.

See how Abnormal uses behavioral AI to detect vendor email compromise and other advanced email attacks that evade traditional authentication checks.
