This credential phishing attack features an impersonation of Amazon’s customer service team. Using language intended to sound authoritative, the attacker informs the recipient that suspicious activity on their Amazon account has been detected and has consequently triggered a temporary lock on the account. The email explains that the recipient must click on the provided link and confirm their account details to restore their account.

However, any sensitive information will likely be stolen if the target visits the page and enters their Amazon credentials. The threat actor employs social engineering tactics to add a sense of urgency, including threatening to permanently lock the account if the account details are not verified within a specific time frame.

Older, legacy email security tools have difficulty accurately flagging this email as an attack because of the lack of attachments, the masked link, and social engineering tactics. Modern, AI-powered email security solutions analyze the links and detect the SPF, DKIM, and DMARC failures and social engineering techniques to correctly identify this email as an attack.

Status Bar Dots
Oct25 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for traditional security tools. Instead, the malicious content is embedded in the body of the email.
  • Masked Link: The link in the email body is masked, making it difficult for legacy security tools to identify it as malicious.
  • Social Engineering Tactics: The email uses social engineering tactics, such as urgency and fear, to trick the recipient into clicking the link. Traditional security tools often overlook these tactics.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the masked link in the email body and identifies it as potentially malicious.
  • SPF, DKIM, and DMARC Failures: The email fails SPF, DKIM, and DMARC checks. Abnormal takes these failures into account when assessing the legitimacy of an email.
  • Content Analysis: Abnormal analyzes the content of the email and identifies suspicious elements such as social engineering techniques, including the request for the recipient to click a link to restore their account within a specific time frame.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address
Masked Phishing Link


Suspicious Account Activity

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo