This multi-step, likely AI-generated credential phishing attack features an impersonation of Coinbase, one of the largest cryptocurrency exchanges in the world. To begin, the attacker sends from the Dutch domain "hem[.]nl" and sets the sender name to "COINBASE #525220366" to appear more legitimate. This alone allows the email to pass several simple security checks, since "hem[.]nl" is a well-established domain belonging to a reputable company. The subject line is intended to create a sense of urgency. It reads, "Immediate Action Required: Withdraw Your Tokens Now from Blocked Coinbase Account вль пёу - Saturday, April 13, 2024," hoping to prompt the target to act immediately.

Next, the attacker creates an email mimicking Coinbase's legitimate communications, including the logo and design elements. The email explains that Coinbase is temporarily blocking access to the target's account because of suspicious account activity, supposedly to protect them. The target is offered the opportunity to remove their tokens from their Coinbase wallet before any further action is taken on their account. Two buttons labeled "Withdraw All Tokens Now" are included in the email. If the target clicks either button, they are taken to a landing page resembling Coinbase's wallet dashboard. The landing page states that the target's account is temporarily suspended and that their funds must be removed from the platform immediately. Several popular cryptocurrencies are listed in the spoofed wallet, each with a "Withdraw" button, presumably so the target can withdraw them from Coinbase's platform as the page instructs.

Since cryptocurrency transfers require private keys, this attack aims to create a sense of urgency and prompt the target to enter private keys or Coinbase login credentials into the fake landing page, allowing the attacker to access their real account and siphon their funds. 

Older, legacy email security tools struggle to identify this email as an attack because it contains no malicious attachments, relies on social engineering, and comes from a reputable, well-established sending domain. Modern, AI-powered email security solutions analyze the links and content and flag the unknown sender, correctly marking this email as an attack.


The attacker creates a spoofed Coinbase wallet dashboard with prompts to withdraw tokens from the platform.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments: Many legacy security tools rely on scanning attachments for malware. This attack does not use attachments, relying instead on phishing links, which can sometimes evade detection.
  • Social Engineering: The content of the email leverages social engineering tactics, creating a sense of urgency and fear. Legacy tools may not effectively analyze the context and intent behind the email content.
  • Use of Established Domain: The attacker's email originates from "hem[.]nl," a domain that has existed for 23 years. Legacy tools often treat older domains as trustworthy by default, so this sender raises no immediate red flags for them.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes links contained in emails, using advanced techniques to assess the legitimacy of the URLs, even if they have yet to be widely recognized as malicious.
  • Content Analysis: Abnormal analyzes the email content and looks for phishing indicators within the text, such as urgent calls to action, requests for sensitive actions like withdrawals, and other signs of phishing scams.
  • Unknown Sender Domain: Abnormal flags that the domain used to send this email is an unknown domain to which the company has never sent messages in the past. This is a strong sign that the message may not be from a safe source.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
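As an added illustration of the three indicators above (and not Abnormal's own, proprietary logic), the following example scores a constructed message modelled on this lure: a brand name in the sender field that does not match the sending domain, urgency wording, a sender domain the organisation has never exchanged mail with, and links that point off-brand. The brand domain list, the known-sender history and the placeholder domains in the sample are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; the abused sending
# domain and the phishing landing page are replaced by placeholder names.
SAMPLE_EMAIL = """From: COINBASE #525220366 <alerts@legit-sender.example>
To: victim@example.com
Subject: Immediate Action Required: Withdraw Your Tokens Now from Blocked Coinbase Account
Content-Type: text/html

<p>Your account is temporarily suspended due to suspicious activity.</p>
<a href="https://wallet-dashboard.landing.example/withdraw">Withdraw All Tokens Now</a>
"""

# Domains the impersonated brand actually sends from (assumed for the example).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}
URGENCY = re.compile(r"immediate action|act now|withdraw .*now|blocked|suspended", re.I)


def _on_brand(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def score_email(raw: str, known_senders: set) -> dict:
    """Fire the indicators from the text (brand/domain mismatch, urgency
    language, never-seen sender) plus an off-brand link check; known_senders is
    the set of domains this organisation has exchanged mail with before."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=True).decode(errors="replace")
    hits = []
    # 1. A brand is named in the display name or subject, but the mail comes
    #    from a domain that brand does not own.
    named = [b for b in BRAND_DOMAINS if b in (display + subject).lower()]
    if any(sender_domain not in BRAND_DOMAINS[b] for b in named):
        hits.append("brand_display_name_mismatch")
    # 2. Urgency / fear wording in subject or body.
    if URGENCY.search(subject + "\n" + body):
        hits.append("urgency_language")
    # 3. Sender domain never seen by this organisation.
    if sender_domain not in known_senders:
        hits.append("unknown_sender_domain")
    # 4. Any link whose host belongs to none of the named brand's domains.
    hosts = {urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', body)}
    if named and any(not _on_brand(h, BRAND_DOMAINS[b]) for h in hosts for b in named):
        hits.append("link_host_off_brand")
    return {"indicators": hits, "verdict": "phishing" if len(hits) >= 3 else "review"}
```

A genuine notification from the brand's own domain, already in the sender history and linking back to the brand, fires none of these indicators.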

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Free Webmail Account; Branded Phishing Page; Fake Website
  • Theme: Suspicious Account Activity; Cryptocurrency
  • Impersonated Party: Brand
  • Impersonated Brands: Coinbase
  • AI Generated: Likely
