In this credential phishing attack, the threat actor spoofs a legitimate-looking address on a Japanese domain, “info@fundot[.]jp,” and impersonates Canada Post with a fake notification about a failed package delivery. Using the display name “Postes/Canada[.]ca” and authentic-sounding language, the attacker claims the target has a pending delivery that must be rescheduled. The message includes a tracking number and a link the target can purportedly use to update their information and request a new shipment for “a small fee.” The link most likely leads to a credential phishing site where sensitive information, including payment card details, would be harvested. The attacker also adds a do-not-reply disclaimer, which leaves the embedded link as the only apparent way to resolve the issue.

Legacy security tools struggle to flag this email as an attack because it was sent from a spoofed address that looks legitimate, carries plausible content, and has no executable attachment to scan. Modern, AI-powered email security analyzes the links and the email content, and combines that with behavioral analysis of the sender's history with the organization, to identify the message as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The message is sent from a spoofed address, “info@fundot[.]jp,” on a domain that looks legitimate and carries no negative reputation. Tools that rely on sender reputation or blocklists see nothing wrong with it.
  • Legitimate-Looking Content: The body is written to match a genuine Canada Post delivery notification, so signature- and keyword-based content filters find nothing they recognize as malicious.
  • No Attachments: The email carries no attachment. Defenses that concentrate on scanning or sandboxing attachments have nothing to inspect, so the message passes those checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes every link embedded in the email. This message contained multiple links, some pointing to unknown or potentially malicious websites, which is a strong indicator of a phishing attempt.
  • Content Analysis: Abnormal analyzes the email content to detect potential threats. Here the content was designed to look like a legitimate delivery notification from Canada Post, but the request to pay a small fee to reschedule the shipment is a strong indicator of a scam.
  • Unknown Sender and Domain Analysis: Abnormal determines that neither the sender nor the domain has ever corresponded with the organization before. Combined with a display name claiming to be Canada Post, this is a strong signal that the message is malicious.

By modeling established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
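The three signals above can be combined into a simple scoring classifier. The following is an added example written for this page, not Abnormal's own detection logic (which, as noted below, is proprietary). The two sample messages, the brand domain list, the set of previously seen sender domains, the signal weights and the block threshold are all constructed assumptions for illustration; the attacker-controlled URL is a placeholder on the reserved `.invalid` TLD.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumed reference data (not from the page): brand names a display name might
# claim, the domains the brand really mails from, and the sender domains this
# organisation has corresponded with before.
BRAND_KEYWORDS = ("canada post", "postes canada", "canada.ca", "postes/canada")
BRAND_DOMAINS = {"canadapost-postescanada.ca", "canada.ca"}
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example.org"}

# Constructed sample modelled on the message described above; the addresses,
# tracking number and URLs are placeholders, not the attacker's real ones.
SAMPLE_EMAIL = b"""\
From: "Postes/Canada.ca" <info@fundot.jp>
To: alice@example.com
Subject: Your package could not be delivered
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel CA000000000CA could not be delivered.</p>
<p>Update your information and request a new shipment for a small fee:</p>
<p><a href="https://delivery-update.invalid/reschedule?id=1">Reschedule delivery</a></p>
<p><a href="https://www.canadapost-postescanada.ca/">Canada Post</a></p>
<p>Please do not reply to this message.</p>
</body></html>
"""

# Constructed benign message from a known partner, to show the quiet path.
BENIGN_EMAIL = b"""\
From: "Accounts Payable" <ap@partner.example.org>
To: alice@example.com
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Hi Alice, invoice 4471 is ready on the portal:
https://portal.partner.example.org/inv/4471
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _trusted(host: str) -> bool:
    """True if host is (a subdomain of) a brand or previously seen domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d)
               for d in BRAND_DOMAINS | KNOWN_SENDER_DOMAINS)


def parse_message(raw: bytes) -> dict:
    """Pull out display name, sender domain, every link, and the visible text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    # href targets plus bare URLs (plain-text bodies), deduplicated in order.
    links = list(dict.fromkeys(re.findall(r'href="([^"]+)"', content) + URL_RE.findall(content)))
    return {
        "display_name": sender.display_name,
        "sender_domain": sender.domain.lower(),
        "links": links,
        "text": re.sub(r"<[^>]+>", " ", content),  # crude tag stripping
    }


def analyze(raw: bytes) -> dict:
    """Score the three signals from the page plus two supporting cues."""
    m = parse_message(raw)
    name, text = m["display_name"].lower(), m["text"]
    hosts = [urlparse(u).hostname or "" for u in m["links"]]
    suspicious = [h for h in hosts if not _trusted(h)]
    signals = {
        # Display name claims the brand, but the From domain is not the brand's.
        "brand_mismatch": any(k in name for k in BRAND_KEYWORDS)
        and m["sender_domain"] not in BRAND_DOMAINS,
        # Link analysis: at least one link points to an unknown host.
        "suspicious_links": bool(suspicious),
        # Content analysis: a fee is requested to reschedule or resend.
        "fee_request": bool(re.search(r"\bfee\b", text, re.I)
                            and re.search(r"resched|new shipment|redeliver", text, re.I)),
        # Sender/domain analysis: no prior relationship with this domain.
        "unknown_sender": m["sender_domain"] not in KNOWN_SENDER_DOMAINS,
        # Steers the target toward the link as the only way to respond.
        "no_reply_pressure": bool(re.search(r"do not reply", text, re.I)),
    }
    weights = {"brand_mismatch": 3, "suspicious_links": 2, "fee_request": 2,
               "unknown_sender": 1, "no_reply_pressure": 1}
    score = sum(w for k, w in weights.items() if signals[k])
    return {"sender_domain": m["sender_domain"], "signals": signals,
            "suspicious_links": suspicious, "score": score,
            # Assumed threshold: an unknown sender alone is never enough to block.
            "verdict": "block" if score >= 5 else "deliver"}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
```

The weights make the point the page is driving at: no single signal is decisive (an unknown sender is normal for any new vendor, and a fee mention alone is common in legitimate invoices), but a display name that claims a brand the From domain does not belong to, plus a link to a host the organization has never seen, plus a fee demand tied to redelivery, adds up to something a behavioral baseline should block.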

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Display Name, Masked Phishing Link
Theme: Fake Shipping Notification
Impersonated Party: Government Agency
Impersonated Brands: Canada Post
