This credential phishing attack features an impersonation of Capital One. Using the domain “idbuffet[.]com” as a mask through spoofing, the threat actor pretends to be from Capital One’s customer service team, informing the target that due to recent fraud attempts, there are holds on their account that must be reviewed. The sender display name is named “Capital One” to appear authentic. The attacker includes a “Review Now” button which leads to a fake Capital One landing page where the target is supposed to log in and review their account. The landing page is cleverly designed to look very similar to Capital One’s legitimate website, and if the target enters their Capital One credentials, they will likely be stolen.

Older, legacy tools struggle to accurately flag this email as an attack because it spoofs a legitimate entity, employs a sense of urgency, and contains no malicious attachments. Modern, AI-powered email security solutions examine the content, analyze the links, and detect the unknown domain to correctly identify this email as an attack.

Status Bar Dots
AL Capital One Impersonator Email
Status Bar Dots
AL Capital One Impersonator Phishing Page

The attacker creates a fake Capital One login page that looks authentic.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofing a Legitimate Entity: The attacker is impersonating Capital One, a well-known financial institution. Legacy security tools often struggle to detect this type of spoofing, especially if the email does not contain any obvious signs of being malicious.
  • Sense of Urgency: The email creates a sense of urgency by claiming that there are issues with the recipient's account. This is a common tactic used by attackers to encourage the recipient to act quickly, without taking the time to question the legitimacy of the email. Legacy security tools may not be able to detect this psychological manipulation.
  • No Malicious Attachments: The email does not contain any attachments, which are often scanned for malware by legacy security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal examines the content of the email, including the subject, body text, and any links or attachments. In this case, the system would have identified the urgent language and the request for the recipient to click on a link to review their account as potential indicators of a phishing attempt.
  • Link Analysis: Abnormal analyzes the links included in the email. In this case, the system would have identified the links as potentially suspicious, especially given the context of the email.
  • Unknown Domain: Abnormal checks if the domain used to send the email is unknown. The domain has never been used to send emails to the target in the past. Abnormal considers this a strong indicator of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link
Branded Phishing Page


Suspicious Account Activity
Financial Services

Impersonated Party


Impersonated Brands

Capital One

See How Abnormal Stops Emerging Attacks

See a Demo