This credential phishing attack features an impersonation of Apple, pretending to be from their credit card support team. The email states that the recipient has a past-due balance and provides a link where they can pay it off. To appear credible, the attacker creates a fake landing page that mimics Apple’s credit card page, enticing the recipient to enter login credentials or other sensitive information. The attacker uses “” as the sending domain and cleverly names the account “Apple Card Support,” hoping the recipient will think Apple is providing legitimate information about their account. 

Legacy email security tools have difficulty identifying this email as an attack because of the lack of malicious attachments, the relatively old age of the domain, and the targeted nature of the phishing attempt. Modern, AI-powered security tools accurately identify this email as an attack with advanced behavioral profiling and by analyzing the links and content. 

Status Bar Dots
Sep7 Screenshot 1
Status Bar Dots
Sep7 Screenshot 2

The attacker creates a fake Apple Card landing page, making this attack more sophisticated and challenging to detect.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Attachments: The email does not contain any attachments, often a source of malware. Legacy security tools often scan attachments for known malware signatures, but there are none to check in this email.
  • Domain Age: Old or established domains can bypass legacy email defenses because they often rely heavily on reputation-based filtering. If a domain has been around for a long time and isn't associated with malicious activity, legacy tools will assume it's likely to have a good reputation. 
  • Targeted Phishing: The email is specifically addressed to an individual, making it a targeted attack. Legacy security tools are often less effective at detecting targeted attacks than mass phishing campaigns.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Advanced Behavioral Analysis: Abnormal's AI analyzes the behavior of the sender and the recipient over time. In this case, it might have detected unusual behavior, such as the sender's domain never having sent emails to the company before, which is a strong sign of a potential attack.
  • Content Analysis: Abnormal's AI analyzes the content of the email for signs of phishing or other attacks. In this case, the email's content, which includes a request for immediate payment, is a common tactic in phishing attacks.
  • Link Analysis: Abnormal's AI analyzes the links included in the email. Even if the link is not known to be malicious, the system detected that the link redirects to a site that doesn't match the purported sender of the email, which is a common sign of a phishing attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Branded Phishing Page


Overdue Payment

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo