In this attack, the email posed as a billing notification for the purchase of an upgraded Quickbooks license. The message indicated that an automatic payment of $1,277 would be debited from the recipient’s account within 48 hours; however, if they believed the charge was a mistake, they could call a “helpline” to cancel the purchase. The email was sent from a freely-available Gmail account.

Status Bar Dots
Quickbook fake billing

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

To detect this attack, an understanding of new threats is required alongside content analysis to detect the tone of the email and the included phone number. Lookalike content is also helpful to understanding how this attack relates to other phone-based text attacks, which have seen increased popularity in recent months due to their ability to bypass email gateways.

What are the Risks of This Attack?

If the recipient ends up calling the number provided, they would likely be instructed to download malicious software onto their computer. Once the malware is installed, attackers would be able to perform a variety of nefarious actions, including escalating it into a ransomware attack.

Analysis Overview




Malware Delivery


Free Webmail Account


Fake Payment Receipt

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo