• Email is sent from a compromised legitimate account, bypassing traditional trust-based email filtering controls
• Message contains a file titled “Purchase Orders (new budget)” designed to appear as a legitimate financial or procurement document
• Email encourages recipients to review or open the attached purchase order document

• Attachment appears as a PDF file but functions as a link redirecting targets to an external credential-harvesting site
• Malicious link is wrapped in a Safe Link wrapper, increasing perceived legitimacy and click-through likelihood
• Phishing infrastructure is hosted on a compromised WordPress domain previously associated with the Tykit phishing kit

• Targets are prompted to enter login credentials to view a protected document
• Credential capture page is presented as a document authentication or secure viewing interface
• Harvested credentials may enable attackers to gain unauthorized access to corporate accounts or services

• Email originates from a compromised legitimate account, increasing sender trust and bypassing trust-based filtering systems
• Credential-harvesting infrastructure is hosted on a compromised WordPress domain, leveraging legitimate website hosting to avoid detection
• Safe Link wrapping obscures the final malicious destination, increasing user confidence and click-through success

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

• Behavioral AI detects anomalies such as never-before-seen sender activity and unusual communication patterns
• Detection of suspicious URL redirection and infrastructure inconsistent with expected procurement or financial workflows
• Natural language processing identifies urgency and financial-themed messaging commonly associated with phishing campaigns

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI's system might include proprietary techniques and methodologies not disclosed here.