Abnormal Intelligence

Credential Phishing

Fake Year-End Bonus Review Phishing Harvesting Microsoft Credentials

A compromised account sends a fake year-end bonus review notification that redirects targets to a Microsoft credential harvesting page.

January 21, 2026

Attack Overview

Step 1: Fake HR Bonus Review Notification Sent from Compromised Account

[Image: This Year's Bonus Is Your Credentials, screenshot 1]
  • Email is sent from a compromised legitimate account, increasing trust and bypassing traditional trust-based filtering mechanisms
  • Message prompts recipients to review an urgent “2025 Year-End Bonus Review” HR document
  • Email appears as a document review or e-signature notification related to HR processes
[Image: This Year's Bonus Is Your Credentials, screenshot 2]
  • Email contains a link wrapped in a Google Maps redirect, obscuring the final destination and increasing user trust
  • Link appears to lead to a document review but instead redirects to attacker-controlled phishing infrastructure
  • Malicious infrastructure is hosted on an Amazon AWS bucket, leveraging legitimate hosting services to avoid detection

Step 3: Credential Harvesting via Microsoft Authentication Spoofing

[Image: This Year's Bonus Is Your Credentials, screenshot 3]
  • Redirect leads to a credential-harvesting page disguised as a Microsoft authentication portal
  • Page prompts victims to enter Microsoft login credentials under the pretense of reviewing HR documentation
  • Harvested credentials can enable attackers to gain unauthorized access to corporate Microsoft services

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Email originates from a compromised legitimate account, increasing sender trust and bypassing traditional trust-based filtering systems
  • Phishing infrastructure is hosted on Amazon AWS, leveraging legitimate cloud hosting to evade reputation-based blocking controls
  • Malicious link is concealed through Google Maps URL redirection, masking the final phishing destination
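A defender can surface this kind of wrapped link by unwrapping URLs nested in query parameters and comparing the visible host with the real destination. The sketch below is an added example, not Abnormal's detection logic or code from the original page; the sample body, the `q` parameter, the bucket name and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample body. The page does not show the real link: the "q"
# parameter, path and bucket name are assumptions for illustration.
SAMPLE_BODY = (
    'Review now: <a href="https://maps.google.com/url?q='
    'https%3A%2F%2Fexample-bucket.s3.amazonaws.com%2Freview%2Findex.html">'
    '2025 Year-End Bonus Review</a> '
    'Office map: https://maps.google.com/maps?q=1+Main+Street'
)

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
WRAPPER_SUFFIXES = ("google.com",)     # well-known hosts a reader tends to trust
CLOUD_SUFFIXES = ("amazonaws.com",)    # shared hosting, so domain reputation says little


def parse(url):
    """Return (scheme, host, query); empty values if the URL is malformed."""
    try:
        parts = urlsplit(url)
        return parts.scheme.lower(), (parts.hostname or "").rstrip("."), parts.query
    except ValueError:
        return "", "", ""


def host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def nested_urls(url, depth=3):
    """Yield absolute http(s) URLs carried in query parameters, following nesting."""
    if depth == 0:
        return
    for _, value in parse_qsl(parse(url)[2], keep_blank_values=True):
        scheme, host, _ = parse(value)
        if scheme in ("http", "https") and host:
            yield value
            yield from nested_urls(value, depth - 1)


def flag_wrapped_links(body):
    """Return (wrapper_url, destination) pairs: trusted host wrapping a cloud-storage URL."""
    findings = []
    for url in URL_RE.findall(body):
        if not host_in(parse(url)[1], WRAPPER_SUFFIXES):
            continue
        findings.extend((url, d) for d in nested_urls(url)
                        if host_in(parse(d)[1], CLOUD_SUFFIXES))
    return findings
```

A hit is best treated as one signal to combine with sender and content context, since ordinary map links and legitimate cloud-hosted files are common in business mail.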

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI detects anomalies such as never-before-seen senders and abnormal communication patterns compared to expected sender behavior
  • Detection of suspicious URLs and redirection behavior inconsistent with legitimate HR communications
  • Natural language processing identifies urgency and financial-themed messaging patterns associated with social engineering attacks

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI’s system might include proprietary techniques and methodologies not disclosed here.

Classification

Credential Phishing, Link-based, Internal System, Credential Theft
