Knowing that people have a need for privacy, attackers often use fear to prompt their victims to pay a fee. In this email, the attacker uses only text and states that he has bad news for the victim: he has full access to data that contains personal photos and videos, chats, documents, emails, browsing history, social media history, and more. The attacker then asks the recipient to pay $1500 USD via Bitcoin, after which there will be nothing to worry about—no chats, no photos, nothing. 

To set up this attack, the threat actor first used a reconnaissance email containing a 1x1 pixel image to find legitimate recipient email addresses where the victim is likely to open the email. After setting up a personal Bitcoin wallet to accept payments, the attacker spoofs the recipient's own email address, hoping that a message appearing to originate from the victim's own account will seem more credible.


Why It Bypassed Traditional Security

This attack is solely text-based, with no traditional indicators of compromise. Without an understanding of the content and tone of the message, there is no way for an email security solution to understand that this email has malicious intent. 

Detecting the Attack

Content analysis using natural language processing is required to detect the presence of the extortion attack. In conjunction with the content analysis, the fact that the email is spoofed can be a good signal to detect the attack and flag it for further review. 
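The sketch below is an added example, not code from the original write-up or from any vendor. It shows how the two signals described above can be combined: a content check for extortion themes and a check that the message is self-addressed and fails sender authentication. The keyword groups are an assumed stand-in for a real NLP classifier, the function names are hypothetical, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): self-addressed, fails SPF and DMARC.
SAMPLE = """\
From: Alice <alice@example.com>
To: alice@example.com
Subject: Bad news
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

I have bad news for you. I have full access to your personal photos, videos, chats and browsing history.
Pay $1500 USD via Bitcoin and you will have nothing to worry about.
"""

# Assumption: crude keyword groups standing in for an NLP content model.
THEMES = {
    "access_claim": re.compile(r"\b(full access|hacked|infected|recorded)\b", re.I),
    "private_data": re.compile(r"\b(photos|videos|chats|browsing history|webcam)\b", re.I),
    "crypto_payment": re.compile(r"\b(bitcoin|btc|wallet)\b", re.I),
    "demand": re.compile(r"\bpay\b|\$\s?\d[\d,]*", re.I),
}

def self_addressed(msg):
    """True when the From and To addresses are the same mailbox."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return bool(sender) and sender == rcpt

def auth_failed(msg):
    """True when the receiving server recorded an SPF or DMARC failure."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return bool(re.search(r"\bspf=(fail|softfail)\b|\bdmarc=fail\b", results))

def score(raw):
    """Flag for review only when content and spoofing signals agree."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text, single-part message assumed
    themes = sorted(name for name, rx in THEMES.items() if rx.search(body))
    spoofed = self_addressed(msg) and auth_failed(msg)
    return {"themes": themes, "spoofed": spoofed, "flag": spoofed and len(themes) >= 3}

if __name__ == "__main__":
    print(score(SAMPLE))
```

Requiring both signals keeps a legitimate note-to-self, which is self-addressed but passes authentication, from being flagged.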

Risk to Organization

This attack targets individuals on a personal level, requesting that they pay $1500 out of pocket to keep their privacy. While this is not a direct business loss, this type of attack can distract employees from their work and in some cases, make them fearful of their future with the company.

Analysis Overview






Self-Addressed Spoofed Email


