The attack attempts to get the recipient to pay a supposedly past-due invoice in a fake billing scam. The email seeks to exploit human psychology by offering the victim the opportunity to become debt-free by paying a smaller balance, and claims this payment will also delete the debt from credit reports after the victim replies to the email to begin the payment process. 

By spoofing a known entity and utilizing an Outlook domain, this attack targets human psychology and bypasses legacy email defense tools. These types of attacks can only be detected and thwarted with advanced email security solutions built to understand behavioral profiles and detect anomalous activity.

Status Bar Dots
Matrix extortion

Why Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofing a known entity: Attackers often bypass legacy defenses by pretending to be a known or reputable organization. In this instance, the attacker is attempting to leverage authority by posing as an attorney for a debt relief agency.
  • Targeting human psychology: Knowing that the recipient may be afraid of legal action, the email provides multiple options to pay quickly and states that the money will be turned over to an outside collector if not paid. Since this is a text-only email, traditional tools will not recognize its malicious intent. 
  • Use of legitimate email providers: This attack is sent from an Outlook domain, which can’t be easily added to a blocklist as it is one of the most commonly used email services.

How Can This Attack Be Detected?

This attack was detected by analyzing various factors, including the following:

  • Anomaly detection: Modern email security solutions have the capability to identify anomalous behavior, such as the absence of any previous correspondence between the sender and the recipient.
  • Sender reputation analysis: Machine learning can assess the reputation of the email sender, evaluating factors like past interactions and known associations with malicious activity.
  • Data enrichment: Integrating external threat intelligence sources and databases with machine learning algorithms can provide additional context and enhance detection capabilities. These sources generate a vast amount of data, including IP addresses, domain names, URLs, file hashes, malware samples, and other indicators of potential threats made for debt relief scams and similar attacks.

By recognizing familiar patterns of normal behavior and identifying these abnormal indicators, a modern email security solution can effectively block this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Free Webmail Account


Debt Collection

Impersonated Party

External Party - Vendor/Supplier

Impersonated Brands

Matrix Debt Relief

See How Abnormal Stops Emerging Attacks

See a Demo