Spear Phishing Examples: Real Examples of Email Attacks

  • By Maddie Rosenthal
  • 04 March 2021

75% of organizations experienced some kind of phishing attack in 2020. Of those attacks, almost all (96%) arrived via email.

So, what does a phishing attack look like? We’ve rounded up 5 REAL examples of spear phishing attacks, all detected (and prevented) by Tessian Defender. The alert at the top of each email screenshot is Defender’s in-the-moment warning, which explains exactly why the email has been flagged as suspicious.

If you’re looking for more information about phishing, check out these resources:

  1. What is Phishing?
  2. What is Spear Phishing?
  3. Must-Know Phishing Statistics: Updated 2021
  4. Phishing vs. Spear Phishing
  5. What Does a Spear Phishing Email Look Like?

Example 1: The attacker is encouraging the target to sign an “updated employee handbook” 📋

This is an example of a spear phishing email where the attacker is pretending to work in HR and is encouraging the target to sign a new employee handbook.

Let’s break down this spear phishing attack.

  1. In this example, the attacker is pretending to be an HR employee. But the sender’s email address <[REDACTED]@ntlworld.com> is on a consumer ISP webmail domain and does not match the target’s company domain.
  2. In the email, the attacker claims that the target needs to sign a new employee handbook and provides a link, which leads to an online Word document.
This is the online document, linked from the spear phishing email, that leads users to a malicious URL.
  3. This document prompts the target to click on another link, which leads to a fake Office 365 login page. The goal: to capture the target’s login credentials. This is called credential phishing.
  4. The attacker uses social engineering tactics to pressure the user into acting now, for example noting that “20% of employees have already accepted” and “we are all required to review and sign an acknowledgement of the handbook upon receipt of this email”.
  5. COVID-19 is also used as a pretext for sending the handbook in the first place, which lends legitimacy to the request.

Further reading:

COVID-19: Real-World Examples of Opportunistic Phishing Attacks  

How Hackers Are Exploiting the COVID-19 Vaccine Rollout

Example 2: The email is a spoof of an MS Teams notification 🔔

This is an example of a spear phishing email involving a fake Microsoft Teams notification.

Let’s break down this spear phishing attack.

  1. In this example, the attacker is leveraging a fake notification from a trusted platform – Microsoft Teams – instead of impersonating a trusted person or team.
  2. The goal? Credential theft. If the user clicks on the “Reply in Teams” button, they’ll be led to a fake login page. If they enter their details, their account will be compromised. And, if the employee uses the same password for multiple accounts (which 85% of employees do), the bad actor could have access to multiple systems.
If the target follows the link in the phishing email, they'll end up here: a fake Microsoft Teams login page.

Note: Instead of seeing “xxxxxx”, the target would see their own email address pre-filled. Not only does this increase the legitimacy of the webpage and make the user feel like they’ve logged in before, it also reduces the friction for the user to move on to the next step, which is entering their password.

  3. If you actually use Microsoft Teams at work, you’d have no reason to believe this is suspicious or malicious. The email looks like the real deal and was likely templated from a genuine notification.
  4. The email itself is a domain spoof: the From address is the target’s own email address. This is particularly clever because it’s not implausible that Microsoft Teams would send notifications “from” the user’s own address. A message spoofing your own domain only reaches the inbox if the domain publishes no enforcing DMARC policy (no record, or p=none) or the inbound gateway doesn’t act on one, so DMARC enforcement is the control that stops this class of attack before a user ever sees it.

Further reading:

 What is Email Spoofing? How Does Email Spoofing Work?

Example 3: The attacker is pretending to be a new starter 👋🏾

In this example of a spear phishing email, the attacker is pretending to be a new starter at a company.

Let’s break down this spear phishing attack.

  1. In this example, the attacker is pretending to be a new starter at the target’s company’s outsourced HR management firm. This is an especially effective social engineering tactic that preys on human kindness. Who doesn’t want to help out a newbie? 
  2. The language in the email is also quite informal and friendly; this will make the target feel comfortable and lower their guard. 
  3. At face value, the email address <edwards@[REDACTED].com> isn’t suspicious. It may raise a red flag if the target hasn’t heard from anyone at that domain before, but only 54% of employees say they look at the sender’s email address before responding to an email or actioning a request.
  4. The attacker is trying to get the target to click on a link to preview a PDF urgently, “in the next two hours”. Tessian Defender has also flagged that this is a Bitly link. Attackers often use shortened URLs because the target can’t tell from the link which website they’ll be taken to if they click; the real destination is only revealed after the redirect.
  5. Of course, the link doesn’t lead to a PDF. It leads to a malicious website. If the target clicks the download button, malware would likely be deployed.
This is a malicious website. If the target clicks the "Preview" button, malware will likely be deployed.

Example 4: The email claims to be verifying account activity on GoDaddy ✅

In this example of a spear phishing email, the attacker is impersonating GoDaddy.

Let’s break down this spear phishing attack.

  1. In this example, the attacker is impersonating GoDaddy – the world’s largest domain registrar, with over 40 million domain names under its management.
  2. While GoDaddy appears in the Display Name and several times in the body of the email (including a logo), and there aren’t any obvious spelling errors or grammar mistakes, a savvy employee would notice that the sender’s email address <[REDACTED]@hotmail.com> is a consumer webmail address that doesn’t match GoDaddy’s domain. Remember, though: most employees don’t examine email addresses before responding or actioning a request.
  3. Again, the name of the game here is credential phishing. If the target follows the link to “prove they’re the account holder” they’ll be sent to a fake GoDaddy sign-in page. If they enter their login details, their credentials will be compromised.
  4. This is an especially dangerous attack because – if an employee’s GoDaddy login credentials were compromised – the attacker could (quite literally) take over your website. With registrar access they can change the domain’s DNS records, redirect its email, or transfer the domain away entirely, then steal your customers’ data or use your website to host other phishing pages. Multi-factor authentication and a transfer lock on the registrar account limit what a stolen password alone can do.

Example 5: The email appears to be sent from the company’s Microsoft File Sharing service 📎

In this example of a spear phishing attack, the attacker has used a template to create a lookalike Microsoft File Sharing notification.

Let’s break down this phishing attack.

  1. Again, in this example, the attacker is leveraging a fake notification from Microsoft. This time, though, it’s a Microsoft file sharing notification.
  2. Unsurprisingly, the attacker is after the target’s credentials. (This is called credential phishing, remember?) If the user clicks on the “Preview Online” button – a malicious link – they’ll be taken to a lookalike website.
  3. If the target does input their credentials, they won’t log in to Microsoft file sharing. Instead, the details will be sent directly to the attacker, who will then have easy access to the user’s account.
  4. Notice that the notification is well-formatted and looks like a genuine email from Microsoft. There aren’t any obvious spelling or grammar errors. The average person would likely fall for this attack. 
  5. The “[REDACTED], FIY” note was included on purpose. The attacker is trying to pique the target’s interest. Wouldn’t you want to know what the message said? The more curious and emotional we get, the more likely we are to click a link without thinking of security.

Did you know? Microsoft is one of the most impersonated brands in phishing attacks. Find out who else makes the list.
