This credential phishing attack features an impersonation of Amazon. Using conversational and friendly language, the attacker informs the recipient that a recent order is stuck in processing and offers a full refund. The email includes a link with the anchor text "Apply Refund," which the recipient can click on to start the refund process, though the link is malicious and will be used to steal the recipient's credentials. To appear more credible, the attacker utilizes the look-alike domain "," which might be mistaken for legitimate communications in passing.

Legacy tools have trouble detecting this as an attack because of the lack of attachments, the newly registered domain, and the spoofed email address. Modern AI-powered security solutions analyze the links, content, and sender to flag this email as an attack correctly.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: The email does not contain any attachments, often a focus of legacy security tools. This email may bypass security measures that primarily focus on scanning attachments for malicious content.
  • Newly Registered Domain: The sender's domain is newly registered (domain age is 25 days). Legacy security tools may be unable to track and flag newly registered domains, allowing the email to bypass security measures.
  • Spoofed Email Address: The email appears to be from "," a spoofed address. Legacy security tools may not detect this, allowing the email to bypass security measures.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links in the email body. In this case, the link leads to a potentially malicious website where credentials are likely to be stolen.
  • Email Content Analysis: Abnormal's AI can detect suspicious patterns in the email content, including refund offers, a common tactic used in phishing attacks.
  • Sender Analysis: The system checks if the email address used to send this message is unknown. In this case, "" is unknown and a strong signal of a potential attack.

A modern email security solution can prevent this attack from reaching inboxes by recognizing established normal behavior and detecting these abnormal indicators.
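The bypass reasons and detection signals above (unknown sender, a sender domain only 25 days old, a brand named in the message that does not match the sending domain, refund lure phrasing, and an action link that leaves the brand's real domain) can be approximated with a small rule-based scorer. The code below is an added illustration and is not Abnormal Security's detection logic; the sample email, the sender domain `amazon-order-refunds.invalid`, the domain-registration lookup and the known-sender list are all constructed placeholders, and the score weights and threshold are arbitrary choices.

```python
"""Added example: rule-based scoring of the sender, content and link signals
described on the page. Illustrative only; not Abnormal Security's code.
All domains, dates, senders and weights below are constructed placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for data a real system would fetch from WHOIS/RDAP
# and from the tenant's own mail history.
DOMAIN_REGISTERED = {"amazon-order-refunds.invalid": date(2023, 7, 27)}
KNOWN_SENDERS = {"orders@amazon.com"}
# brand name -> domains the brand legitimately sends from (amazon.com is real;
# treating it as the only legitimate domain is a simplification).
BRAND_DOMAINS = {"amazon": {"amazon.com"}}
LURE_PHRASES = ("refund", "stuck in processing", "apply refund")
NEW_DOMAIN_DAYS = 30      # domains younger than this count as newly registered
PHISHING_THRESHOLD = 6    # arbitrary score at which we call it phishing


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs and all visible text from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self.text: list[str] = []
        self._href: str | None = None
        self._anchor: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._anchor).strip(), self._href))
            self._href = None


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def is_phishing(self) -> bool:
        return self.score >= PHISHING_THRESHOLD


def _under(host: str, domains: set[str]) -> bool:
    """True if host is one of `domains` or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_email: str, today: date) -> Verdict:
    msg = message_from_string(raw_email)
    from_header = (msg.get("From") or "").lower()
    m = re.search(r"[\w.+-]+@[\w.-]+", from_header)
    sender_addr = m.group(0) if m else ""
    sender_domain = sender_addr.rpartition("@")[2]

    collector = _LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    text = " ".join(collector.text).lower()
    v = Verdict()

    # Sender analysis: no prior history, and a freshly registered domain.
    if sender_addr not in KNOWN_SENDERS:
        v.add(2, f"sender {sender_addr} has no prior history with this tenant")
    registered = DOMAIN_REGISTERED.get(sender_domain)
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        v.add(3, f"sender domain {sender_domain} registered "
                 f"{(today - registered).days} days ago")

    # Brand impersonation: brand named in From header or body, but the sending
    # domain is not one the brand uses (look-alike domain).
    brands_hit = [b for b in BRAND_DOMAINS if b in from_header or b in text]
    legit = {d for b in brands_hit for d in BRAND_DOMAINS[b]}
    if brands_hit and not _under(sender_domain, legit):
        v.add(3, f"claims to be {'/'.join(brands_hit)} but sends from {sender_domain}")

    # Content analysis: refund / stuck-order lure phrasing.
    lures = [p for p in LURE_PHRASES if p in text]
    if lures:
        v.add(2, "lure phrasing: " + ", ".join(lures))

    # Link analysis: action links that point outside the brand's real domains.
    for anchor, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if brands_hit and not _under(host, legit):
            v.add(3, f"link '{anchor}' goes to {host}, not a brand domain")
    return v


# Constructed sample resembling the attack described on the page.
SAMPLE_PHISH = """\
From: Amazon Orders <no-reply@amazon-order-refunds.invalid>
To: jane@corp.example
Subject: Your order is stuck in processing
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane, sorry about this! Your recent order is stuck in processing.
We'd like to offer a full refund right away.</p>
<p><a href="https://amazon-order-refunds.invalid/refund?id=123">Apply Refund</a></p>
</body></html>
"""

# Constructed benign sample: known sender, real brand domain, no lure.
SAMPLE_BENIGN = """\
From: Amazon <orders@amazon.com>
To: jane@corp.example
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Your order has shipped.
<a href="https://www.amazon.com/orders">Track it</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        v = analyze(sample, today=date(2023, 8, 21))
        print(label, v.score, v.is_phishing, v.reasons)
```

Each signal is weak on its own (plenty of legitimate mail mentions refunds, and every domain is new once), which is why the scorer adds them up rather than blocking on any one; the sum of an unknown sender, a days-old domain, a brand mismatch and an off-brand action link is what separates the sample from the benign message.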

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Credential Theft
  • Maliciously Registered Domain
  • Account Verification
  • Impersonated Party
  • Impersonated Brands: Amazon
