In this likely AI-generated malware delivery attack, the threat actor impersonates an insurance company representative. They inform the recipient that an insurance benefits package is attached along with an enrollment form that should be filled out and sent back. However, the attachment is likely a piece of malware, which will likely infect the recipient’s computer—exposing it to viruses, credential theft, or other consequences if interacted with. The attacker uses professional and direct language to create a sense of urgency to push engagement from the recipient. Additionally, the display name “Customer Benefits Insurance Group” and sender email “alerts@pssalerts[.]info” used by the attacker both appear genuine at first glance. But if the target replies, all responses will be routed to a Gmail account controlled by the attacker. 

Legacy security tools struggle to identify this email as an attack because of the lack of malicious links, legitimate-looking body content, and the attachment type. Modern, AI-powered security tools look at the mismatched reply-to addresses, the age of the domain, and the attachment to accurately identify this email as an attack.

Status Bar Dots
Sep22 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Links: The email contains no links in the body text. Many legacy security tools scan for malicious links, so an email without any links might not be flagged as suspicious.
  • Legitimate-Looking Content: The email content looks legitimate and shows no signs of phishing or malicious intent. This could bypass content-based filters of legacy security tools.
  • Attachment Type: The email contains an HTML attachment. Some legacy security tools might not thoroughly scan or block HTML attachments, especially if they appear related to legitimate business operations.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Reply-To Email Mismatch: The reply-to email "marshalljazon13@gmail[.]com" is different from the sender's mask email "alerts@pssalerts[.]info." This discrepancy is a red flag for Abnormal's detection models.
  • New Domain: The sender's domain is four months old. Abnormal considers the age of the domain as a factor in determining the email's legitimacy.
  • Attachment Type and Content: The email contains an HTML attachment, which can be a potential risk. Abnormal's AI analyzes the attachment's content for malicious or suspicious code.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Malware Delivery


Fake Attachment


Fake Document

Impersonated Party

External Party - Vendor/Supplier

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo