This likely AI-generated credential phishing scam features an impersonation of Medicare Australia, Australia's public health insurance option. The sending domain is “contact@empresta[.]com[.]br,” which is unrelated to Medicare, but the attacker obscures this mismatch by using a display name of “Medicare.”

The email is written in official-sounding language and informs the recipient that their Medicare service has been temporarily suspended due to insufficient contact information. The attacker provides a link to update contact information that, if clicked on, leads to a credential phishing website where sensitive information is at risk. 

Older, legacy email security tools have difficulty flagging this email because of the spoofed sender, the lack of attachments, and the legitimate-looking content of the email. Advanced, AI-powered email security solutions analyze the email’s content and links as well as the job title of the recipient to identify this email as an attack accurately.

Status Bar Dots
Oct16 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Sender: The email appears to come from a legitimate source, “contact@empresta[.]com[.]br,” which could bypass security checks that only look for known malicious senders.
  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for legacy security tools. Instead, the attack is carried out through a link in the email body.
  • Legitimate-looking Content: The email content is designed to look like an official communication from Medicare Australia, which could trick both users and basic content filters into thinking it's safe.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Email Content: The email content, which claims to be from Medicare Australia and asks the recipient to update their information, is a common phishing tactic. Abnormal's advanced content analysis detects this suspicious behavior.
  • Suspicious Link: The email contains a link that leads to a suspicious URL. Abnormal's system analyzes these links and flags them as potentially malicious.
  • Recipient's Job Title: The email's recipient is a high-ranking executive, making them a target for spear phishing attacks. Abnormal's system takes the recipient's job title into account when assessing the risk of an email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


Account Update

Impersonated Party

Government Agency

Impersonated Brands

Medicare Australia

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo