Abnormal Intelligence

Credential Phishing

Fake Purchase Order Phishing Delivered via Compromised Account and Tykit Infrastructure

Compromised account sends fake purchase order PDF leading to credential-harvesting page hosted on compromised WordPress infrastructure.

November 26, 2025

Attack Overview

Step 1: Fake Purchase Order Email Sent from Compromised Account

[Screenshot 1: Threat Intel Digest 23, 21 Nov 2025, the phishing email as received]
  • Email is sent from a compromised legitimate account, bypassing traditional trust-based email filtering controls
  • Message contains a file titled “Purchase Orders (new budget)” designed to appear as a legitimate financial or procurement document
  • Email encourages recipients to review or open the attached purchase order document

Step 2: User Opens PDF-Style Attachment That Redirects to Phishing Infrastructure

[Screenshot 2: Threat Intel Digest 23, 21 Nov 2025, the PDF-style attachment and wrapped link]
  • Attachment appears as a PDF file but functions as a link redirecting targets to an external credential-harvesting site
  • Malicious link is wrapped in a Safe Link wrapper, increasing perceived legitimacy and click-through likelihood
  • Phishing infrastructure is hosted on a compromised WordPress domain previously associated with the Tykit phishing kit

Step 3: Credential Harvesting Through Document Access Prompt

[Screenshot 3: Threat Intel Digest 23, 21 Nov 2025, the credential-harvesting prompt]
  • Targets are prompted to enter login credentials to view a protected document
  • Credential capture page is presented as a document authentication or secure viewing interface
  • Harvested credentials may enable attackers to gain unauthorized access to corporate accounts or services

How Does This Attack Bypass Traditional Email Defenses?

  • Email originates from a compromised legitimate account, increasing sender trust and bypassing trust-based filtering systems
  • Credential-harvesting infrastructure is hosted on a compromised WordPress domain, leveraging legitimate website hosting to avoid detection
  • Safe Link wrapping obscures the final malicious destination, increasing user confidence and click-through success

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.
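The third bullet above is the one a defender can check mechanically: a Safe Links wrapper hides the real destination from the reader, but the destination is still recoverable from the wrapper's `url` query parameter. The following is an added example written for this digest, not code from Abnormal or from the campaign it describes. It unwraps a Microsoft Defender Safe Links URL (the `*.safelinks.protection.outlook.com` host and `url=` parameter are the real wrapper format) and then triages the unwrapped link against the expected vendor domain and against WordPress path markers, mirroring the "compromised WordPress domain" observation. The wrapped URL, the `compromised-blog.example` host and the `vendor.example` expected domain are constructed sample values, not indicators from the digest.

```python
"""Unwrap a Safe Links URL and triage the real destination (added example).

The wrapped URL, destination host and expected vendor domain below are
constructed for illustration; they are not indicators from the digest.
"""
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"

# Path fragments typical of a WordPress install. A "document viewer" served
# from such a path is a signal for phishing hosted on a compromised site.
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")

# Constructed sample: a Safe Links wrapper around a fake "purchase order" page.
WRAPPED = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fcompromised-blog.example%2Fwp-content%2Fuploads%2Fview%2Fpo.html"
    "&data=05%7C02%7C&sdata=abc123&reserved=0"
)


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the original destination behind a Safe Links URL.

    A URL that is not a Safe Links wrapper is returned unchanged. Wrappers can
    be nested (a forwarded mail re-wraps an already wrapped link), so unwrap
    repeatedly up to max_depth.
    """
    for _ in range(max_depth):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not host.endswith(SAFELINKS_SUFFIX):
            return url
        inner = parse_qs(parsed.query).get("url")
        if not inner:
            return url
        url = inner[0]  # parse_qs already percent-decodes the value
    return url


def triage_link(url: str, expected_domain: str) -> dict:
    """Explain why a link is suspicious relative to the expected vendor domain."""
    final = unwrap_safelink(url)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    reasons = []
    if final != url:
        reasons.append("safelinks-wrapped")
    if host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append("host-mismatch")
    if any(marker in path for marker in WORDPRESS_MARKERS):
        reasons.append("wordpress-path")
    if parsed.scheme != "https":
        reasons.append("not-https")
    return {
        "final_url": final,
        "host": host,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # The sender's legitimate vendor domain is assumed to be vendor.example.
    result = triage_link(WRAPPED, "vendor.example")
    print(result["final_url"])
    print("suspicious:", result["suspicious"], "reasons:", result["reasons"])
```

In a triage workflow this check runs on every link extracted from an inbound message before any analyst clicks it; the point is that "host-mismatch" is computed on the unwrapped destination, which is exactly what the wrapper hides from the recipient.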

How Did Abnormal Detect This Attack?

  • Behavioral AI detects anomalies such as never-before-seen sender activity and unusual communication patterns
  • Detection of suspicious URL redirection and infrastructure inconsistent with expected procurement or financial workflows
  • Natural language processing identifies urgency and financial-themed messaging commonly associated with phishing campaigns

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI's system might include proprietary techniques and methodologies not disclosed here.

Classification

  • Credential Phishing
  • Payload-based
  • External Party - Vendor/Supplier
  • Credential Theft
