The Art of Social Engineering: The Impressive, The Clever, The Intricate
Phishing is so prevalent in the Asia-Pacific region that we've all learned to live with it.
The number of phishing emails to Australians surged by 30% last year, outpacing all other types of email attacks. Business Email Compromise (BEC), which often starts with phishing, also rose by 6%. The financial impact is significant: average losses now exceed USD $137,000 per single, successful attack.
Australia is not alone in this. We've seen triple- and quadruple-digit increases in just about every type of phishing attack. From clone phishing to QR code phishing, file-sharing to credential phishing...volumes are growing faster than security awareness training can keep up with.
It’s not that employees are suddenly more easily duped. Attackers have evolved their tactics, stripping away the bad grammar, fuzzy logos, and suspicious URLs that previously signalled an attack. They’re also leveraging legitimate platforms like Adobe and Figma to bypass secure email gateways (SEGs). That means you can’t necessarily trust an email because it uses a real company’s sending domain or URL; those days are gone.
To put this in context, let's look at some flavours of the month in the phishing world. These examples show how much more advanced, harder to detect, and dangerous today's attacks have become.
Inside Today’s Most Deceptive Phishing Tactics
Let’s look at how these phishing tactics play out in practice, beginning with an invoice fraud attack that appears entirely legitimate at first glance.
Impersonating a Law Firm to Commit Invoice Fraud
In this attack, threat actors targeted an accounts payable department by impersonating a trusted global law firm. The victim received a highly convincing “pay this outstanding invoice” email, supposedly from the law firm’s debt recovery team. The sophistication lay in a lengthy back-and-forth email thread, appearing to show approval from the company’s accounts payable manager and that a phone call had taken place.

The problem here is that the middle portion of the conversation was fake. No real conversation actually occurred, and David, the accounts payable manager, never approved the invoice for payment. The lookalike domain (note the extra “s” and “law” in the firm’s name) was registered days before the attack, and the email originated from Italy, a location unfamiliar to the recipient.

As you can see below, the PDF details also indicate that the invoice was created in Canva, a tool normally used for designing party invites, posters, and flyers.

Why It Works
Employees are trained to spot red flags in emails, but every detail here is designed to bypass those sanity checks. The lookalike domain and branding fool the average user into thinking the email is legitimate. Often, the battle is lost due to our inherent trust in familiar names.
Even if someone had noticed the fake domain, the email's content and fraudulent invoice are believable. Our usual credibility checks—looking for inconsistencies in tone, language, grammar, content, formatting—fail when there’s no ambiguity to raise suspicion. The correct names, terms, and approval processes were in place. Everything seemed to check out.
Only a closer look at the “reply-to” address revealed a mismatch, but few employees have time for that level of scrutiny. Attackers exploit this by using psychological manipulation tactics, such as urgency and appeal to authority, to pressure recipients into acting quickly, without critical thought. The message here is clear: “This invoice needs paying immediately, a law firm is chasing it, and my boss expects it done.”
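The three giveaways described above (a lookalike sender domain, a “reply-to” address that does not match the sender, and a “RE:” thread with no real history behind it) can be surfaced mechanically from the message headers. The following is an added example, not code from Abnormal or from the original article; the message, the vendor domain northfield.example and the lookalike domains are all constructed placeholders.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample lure modelled on the invoice-fraud email above.
# Every address and domain here is a made-up placeholder.
RAW_MESSAGE = """\
From: Debt Recovery <recovery@northfieldslaw.example>
Reply-To: recovery@northfieldslaw-billing.example
To: ap@victim.example
Subject: RE: RE: Outstanding invoice INV-2291 - approved for payment

Hi, as agreed on the call, please settle the attached invoice today.
"""

# Vendor domains the organisation already trusts (assumed list).
TRUSTED_DOMAINS = {"northfield.example"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(candidate: str, trusted: str, threshold: float = 0.8) -> bool:
    """True when candidate resembles trusted without being identical,
    e.g. an inserted 's' or an appended 'law' in the registrable label."""
    if candidate == trusted:
        return False
    cand_label, trusted_label = candidate.split(".")[0], trusted.split(".")[0]
    if trusted_label in cand_label:
        return True
    return SequenceMatcher(None, cand_label, trusted_label).ratio() >= threshold


def header_red_flags(raw: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return the header-level anomalies a defender would want surfaced."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    flags = []
    for trusted in trusted_domains:
        if is_lookalike(from_dom, trusted):
            flags.append(f"lookalike sender domain {from_dom} ~ {trusted}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    # A fabricated thread: subject claims a reply, but no threading headers exist.
    if re.match(r"\s*re:", str(msg.get("Subject", "")), re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        flags.append("subject says RE: but message has no In-Reply-To/References")
    return flags
```

Each flag is a weak signal on its own; the value is in reporting them together so a reviewer sees the pattern the victim missed.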
Exploiting Adobe to Deliver Phishing Links
What if an attacker could make a well-known company distribute their phishing email? That's exactly what happens when threat actors abuse Adobe’s document-signing features to deliver a phishing URL and steal Microsoft account credentials. All via genuine adobe.com and adobesign.com domains.
These attacks employ several tactics to evade detection and trick targets. First, attackers sign up for legitimate Adobe accounts and use Acrobat Sign to generate emails that appear to come directly from Adobe, complete with a “Review & Sign” link. The sender address shows as adobesign@adobesign.com, a real Adobe address. When the victim clicks “Review & Sign,” they land on a page hosted on another Adobe domain. There’s nothing to arouse suspicion.
Cyber criminals then embed text and a link in the document, encouraging the victim to review the document’s content before signing. Clicking this link redirects to a fake Microsoft login page, often with a reCAPTCHA, hosted on a proxied Microsoft domain. Once the victim enters their credentials, the attacker steals the session cookie and gains full Microsoft access. The victim remains logged in, blissfully unaware that their Microsoft account has been compromised.

Why It Works
There are no suspicious senders, no odd URLs, no obvious giveaways. The message is sent from a legitimate Adobe address, and the document is hosted on Adobe’s servers, so it bypasses most security protections. Automated tools can’t easily crawl the link to discover its true destination. In this example, the PDF document itself contains a fake “Review & Sign” button that links to a Russian domain, which hosts the threat actor-controlled proxied login to Microsoft.
There are no obvious signals to alert an employee’s risk radar, either. Employees are used to signing into Microsoft accounts multiple times a day, so the workflow seems normal. Chances are high that an attack like this will slip past every security layer and fool the human at the keyboard, too.
Where These Attacks Originate
When you see innovative phishing attacks, it’s natural to wonder where they’re coming from. How can so many well-planned, well-crafted, security-bypassing attacks appear at scale, mimicking legitimate login processes and stealing session cookies?
The answer is a one-two punch: big income combined with clever tech.
Phishing-As-A-Service: The Cyber Crime Subscription Model
Phishing-as-a-Service (PhaaS) is a low-cost, cloud-based subscription model where cyber criminals buy everything they need to launch serial phishing attacks. The service includes fake login panels, email templates, attack infrastructure, step-by-step training videos, and even customer support. Some even offer dashboards for tracking campaign success and stolen credential storage.
It’s dangerous because, in the past, launching phishing campaigns demanded a high level of technical knowledge. Now, PhaaS handles the complex work, making it quick and easy for even low-skilled criminals to run these attacks.
Multiple PhaaS platforms compete for criminal business and continuously innovate to outdo each other. For instance, services might include features that detect automated security scanners and redirect them to a harmless site. Or a package might offer dynamic URL generation, where each victim receives a unique phishing URL. Traditional email security is wholly ineffective against short-lived and constantly rotating URLs that don't appear on blacklists.
PhaaS platforms are cheaper than you think. Some subscriptions cost just a few hundred dollars a month for access—check out the table in this article for an eye-opening breakdown of services and pricing.
Can you spot the difference?

In this example, we see a genuine bank login page beside a PhaaS-generated fake from the LabHost platform. They’re crafted to look identical. The only giveaway is the URL—the page on the left is a local HTML file delivered as an email attachment; the page on the right is the real bank login with the correct URL.
The fake panel is highly advanced, capturing not just credentials but also the SMS authentication token. Both the browser and the attacker receive session cookies, enabling the attacker to access the bank account and steal funds within minutes. This is how sophisticated these attacks have become.
LabHost and its 70+ bank phishing panels were taken down in April 2024 following a major law enforcement operation. But it would be foolish to assume the threat has been eliminated. We’re dealing with an adaptive PhaaS ecosystem that quickly regenerates; for every disrupted service, another one fills the gap.
Generative AI: Phishing at Speed and Scale
Phishing emails were once easy to spot thanks to poor grammar, clunky phrasing, and cookie-cutter content. Generative AI eliminates those mistakes and produces convincing content, fast. Most employees have a digital footprint that makes it easy to profile them. With just a few prompts, a threat actor can instruct an AI model to scrape public data and create tonally accurate, hyper-personalised emails that are relevant enough to deceive a specific employee.
The PhaaS plus GenAI combination means actors can easily script their attacks. PhaaS provides the technical tools—scripts for exploiting vulnerabilities, automating phishing campaigns, deploying malware, or conducting reconnaissance—that are all obfuscated and encoded to evade detection.

GenAI then takes this a step further by swapping out names, roles, bank details, and references to previous email exchanges, all so realistic that each victim believes they’re talking to a real person.

If PhaaS removes technical barriers, GenAI removes time barriers to phishing. A campaign that once took weeks to research and personalise now takes seconds. That means criminals can churn out thousands of emails a day.
How Abnormal Stops Phishing Attacks Before They Reach Your Inbox
While systemic defences against phishing—from secure email gateways (SEGs) to multi-factor authentication and security awareness training—offer valuable protection, they aren’t enough. These measures depend on recognising known threats. They can’t stop emails sent from legitimate providers or AI-assisted social engineering that’s convincing enough to trick almost anyone. Humans remain the weakest link; when emails like the examples above hit an inbox, it’s already too late.
Abnormal flips this model. Instead of chasing the ‘known bad’, the platform builds a profile of the ‘known good’: who normally contacts your organisation, what do they discuss, how do they write, where do they come from? Working from this baseline, Abnormal applies behavioural AI to detect even subtle anomalies. Lookalike domains, suspicious URLs, unusual senders, foreign logins, different browsers, or odd timing are all signals that, when combined, paint a very clear picture of a threat. Malicious emails are remediated in seconds, well before users can get to them.
Behavioural AI isn’t fooled by legitimate domain hijacking or novel obfuscation, because it doesn't need to follow links or decode QR codes to spot a threat. The email itself tells the story. Analysing thousands of signals in real-time against your organisation’s baseline, Abnormal can detect:
Malicious intent in emails delivering phishing or malware, even for day-zero attacks with no existing threat intelligence.
Social engineering like invoice fraud, payroll fraud, and reconnaissance.
Account compromise, when attackers bypass MFA or find ways around passkeys.
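To make the “known good” baseline idea concrete, here is an added toy example (not Abnormal’s model or code) that profiles legitimate senders from constructed history and then counts how many of the signals named above a new message trips: unfamiliar sender domain, unfamiliar origin country, odd timing, and a mismatched reply-to. All senders, countries and hours are made up.

```python
from collections import defaultdict

# Constructed history of mail the organisation has legitimately received:
# sender address, origin country of the sending infrastructure, UTC hour.
HISTORY = [
    {"sender": "recovery@northfield.example", "country": "AU", "hour": 10},
    {"sender": "recovery@northfield.example", "country": "AU", "hour": 11},
    {"sender": "recovery@northfield.example", "country": "AU", "hour": 15},
    {"sender": "billing@vendor.example",      "country": "NZ", "hour": 9},
    {"sender": "billing@vendor.example",      "country": "NZ", "hour": 14},
]


def build_baseline(history):
    """Profile the 'known good': for each sender domain, which countries
    and which hours of the day have been observed."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for m in history:
        dom = m["sender"].split("@")[-1].lower()
        profile[dom]["countries"].add(m["country"])
        profile[dom]["hours"].add(m["hour"])
    return dict(profile)


def score_message(msg, baseline, window=2):
    """Return (score, reasons). No single signal is decisive; the point is
    that several anomalies together paint a clear picture."""
    dom = msg["sender"].split("@")[-1].lower()
    reasons = []
    known = baseline.get(dom)
    if known is None:
        reasons.append(f"never seen sender domain {dom}")
        # Unknown sender: compare location and timing against all known senders.
        countries = set().union(*(p["countries"] for p in baseline.values()))
        hours = set().union(*(p["hours"] for p in baseline.values()))
    else:
        countries, hours = known["countries"], known["hours"]
    if msg["country"] not in countries:
        reasons.append(f"origin {msg['country']} not in baseline {sorted(countries)}")
    if not any(abs(msg["hour"] - h) <= window for h in hours):
        reasons.append(f"received at {msg['hour']:02d}:00 UTC, outside usual hours")
    if msg.get("reply_to") and msg["reply_to"].split("@")[-1].lower() != dom:
        reasons.append("reply-to domain differs from sender domain")
    return len(reasons), reasons


def is_suspicious(msg, baseline, threshold=2):
    """Flag a message once enough independent anomalies stack up."""
    return score_message(msg, baseline)[0] >= threshold
```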
For real-world applications, this article walks you through examples of how behavioural AI detects and stops phishing and account compromise before they reach users.
Don’t Wait for the Next Wave
The bottom line is we’re just at the cusp of what hackers can do with tools built for large-scale attacks. Rather than play catch-up, organisations need to shift to proactive, adaptive security that keeps pace with the changing threat landscape. Behavioural AI offers detection capabilities that are orders of magnitude greater than traditional defences. Can you afford to wait until the next wave of attacks hits before making the switch?
Learn more about how Abnormal proactively defends your organisation by scheduling a demo today!