In this attack, the attacker impersonated the internal support team for a retailer and sent a notification to the owner of an email distribution list that a request had been made to deactivate the email account.


The email warns that the deactivation request will be processed shortly and advises the recipient to cancel the request immediately if it was made in error. The message states that if the recipient doesn’t cancel the deactivation by clicking on the link provided, all email data will be permanently deleted. Had the recipient clicked on the link, however, they would’ve been redirected to a page likely designed to either steal credentials or download malware.

How Does This Attack Bypass Email Defenses?

The email has several characteristics that let it slip past traditional email defenses. It passed all authentication checks for SPF, DKIM, and DMARC, the standard email authentication protocols, because those checks only confirm that the message really came from the domain it claims; they say nothing about the sender's intent. The sending domain itself was legitimate, which makes the message appear genuine at first glance. Moreover, the email was sent from a Gmail account, a free webmail service available to anyone, so defenses that rely on domain reputation have nothing to flag: the domain's reputation is good, and it is the individual account, not the domain, that is malicious.

How Can This Attack Be Detected?

A behavioral system that detects anomalies in the email environment can stop attacks that bypass traditional email defenses. Such systems analyze the intent of the email (here, an unsolicited deactivation notice demanding urgent action) alongside other signals acquired through content analysis, such as a sender that claims an internal identity while writing from an external free webmail address, to identify when an email may be malicious. Additionally, by inspecting the web links contained in emails and where they actually lead, security solutions can prevent phishing attacks from succeeding even when the message text looks plausible. Organizational efforts to keep employees informed, trained, and aware of the latest attack methodologies and the common characteristics of phishing scams can also reduce the risk of such an attack.
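The two sections above make the same practical point from opposite sides: SPF, DKIM and DMARC passing does not clear a message, and the signals that do expose it are behavioral and content-based. The following Python script is an added example, not code from the original article or from any vendor product, that layers those checks on a raw message: it records the authentication result but never lets it clear the mail, flags an "internal team" display name arriving from a free webmail domain, looks for deactivation and data-loss urgency language, and compares each link's real destination against the organization's domain and against the host shown in the link text. The two sample messages, the `retailer.example` organization domain, the word lists and the two-finding threshold are all constructed for illustration.

```python
"""Heuristic triage of a suspected account-deactivation phish.

Added example (not part of the original article). Shows why SPF/DKIM/DMARC
passing is not a safety signal on its own, and which behavioural/content
checks a defender can layer on top. All sample messages, domains, word lists
and thresholds below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
TEAM_WORDS = {"support", "helpdesk", "it", "admin", "administrator", "mail"}
URGENCY = [r"\bdeactivat", r"\bpermanently deleted\b", r"\bimmediately\b",
           r"\bcancel (?:the|this) request\b"]
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme in visible link text."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def in_org(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def auth_passed(msg):
    """True when the receiving MTA recorded spf, dkim and dmarc all as pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def analyze(raw_message, org_domain):
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    name_words = set(re.findall(r"[a-z]+", display.lower()))

    # 1. Claims to be an internal team but writes from free webmail.
    if sender_domain in FREE_WEBMAIL and name_words & TEAM_WORDS:
        findings.append("internal_identity_from_free_webmail")

    # 2. Deactivation / data-loss urgency in the body (two or more phrases).
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    hits = sum(1 for p in URGENCY if re.search(p, body, re.I))
    if hits >= 2:
        findings.append("deactivation_urgency")

    # 3. Links: destination outside the org, or link text naming another host.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = host_of(href)
        if href_host and not in_org(href_host, org_domain):
            findings.append("external_link")
        if URL_LIKE.match(text) and host_of(text) != href_host:
            findings.append("link_text_mismatch")

    findings = sorted(set(findings))
    return {
        "auth_passed": auth_passed(msg),  # informational only; never clears the mail
        "findings": findings,
        "verdict": "suspicious" if len(findings) >= 2 else "clean",
    }


# Constructed sample: the deactivation lure described in the article.
PHISH = """\
Authentication-Results: mx.retailer.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "IT Support Team" <retail.support.desk@gmail.com>
To: all-staff-owner@retailer.example
Subject: Deactivation request for all-staff@retailer.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A request was made to deactivate the mailbox all-staff@retailer.example.</p>
<p>It will be processed shortly. If this was made in error, cancel the request immediately:</p>
<p><a href="http://account-verify.example.net/cancel">https://mail.retailer.example/cancel</a></p>
<p>If you do not cancel, all email data will be permanently deleted.</p>
</body></html>
"""

# Constructed sample: a genuine internal notice that also passes authentication.
BENIGN = """\
Authentication-Results: mx.retailer.example; spf=pass smtp.mailfrom=retailer.example; dkim=pass header.d=retailer.example; dmarc=pass header.from=retailer.example
From: "IT Support Team" <it-support@retailer.example>
To: all-staff-owner@retailer.example
Subject: Scheduled mail server maintenance
Content-Type: text/html; charset="utf-8"

<html><body><p>Mail will be unavailable Saturday 02:00-04:00. Details: <a href="https://intranet.retailer.example/maintenance">intranet.retailer.example/maintenance</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(sample, "retailer.example"))
```

Both samples pass authentication, which is exactly why `auth_passed` is reported separately and carries no weight in the verdict; the phish is caught by the combination of a free-webmail sender posing as an internal team, the urgency language, and a link whose displayed host differs from its real destination, while the benign maintenance notice produces no findings.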

What are the Risks of This Attack?

If the recipient had clicked on the link provided within the email and entered their login credentials or inadvertently downloaded malware, the attacker would have gained access to the account and all the associated data. This could result in unauthorized access to confidential information, potential data breaches, and reputational damage.

Analysis Overview

Vector: Text-based, Link-based
Goal: Malware Delivery, Credential Theft
Tactic: Personalized Email Subject, Free Webmail Account, Spoofed Email Address, Legitimate Hosting Infrastructure
Theme: Account Update
