This likely AI-generated financial services scam features an impersonation of a MetLife advisor named Frank Stockton, who offers the recipient an investment opportunity with a high net-worth individual. The attacker describes a scheme in which the recipient will receive funds on someone else's behalf and invest them wisely, purportedly as an incentive for the recipient to participate. The email is written with many financial terms and lacks the traditional markers of a typical scam, such as spelling or grammatical errors. Furthermore, the attacker doesn't provide any links or attachments, as this initial email aims to build a relationship with the recipient and gain trust. These social engineering techniques, combined with the finance-related sending domain "financier.com", make this a sophisticated and difficult-to-detect attack.

Older security tools struggle to accurately detect this as an attack because of the lack of attachments and links, the unknown SPF, DKIM, and DMARC statuses, and the social engineering techniques utilized in the message. Advanced, AI-powered email security solutions analyze the email content, the domain age and rarity, and the lack of recipient information in the email’s header to accurately identify this as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments or Links: Traditional security tools often rely on scanning attachments or links for malicious content. This email contains no attachments or links, making it difficult for legacy tools to detect.
  • SPF, DKIM, and DMARC Status: The SPF, DKIM, and DMARC statuses of this email are all marked as "None," meaning none of those authentication checks produced a result for this message. Traditional security tools often rely on these to verify the authenticity of an email.
  • Social Engineering: The email uses social engineering techniques to persuade the recipient to engage in potentially risky financial transactions. Traditional security tools may not be able to detect this type of threat.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age and Rarity: Abnormal's system looks at the age of the sender's domain and whether it's a domain that has had any prior connection with the recipient. In this case, even though the domain is old, it's unknown to the recipient, raising suspicion.
  • Lack of Recipient Information: The email does not specify recipients in the "To" field of the email's header, which is unusual for legitimate emails and can signify a mass phishing attempt.
  • Content Analysis: Abnormal's AI analyzes the content of the email for signs of a scam. In this case, the offer to receive and invest funds on behalf of someone else is a common tactic used in financial scams.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
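The following script is an added example, not Abnormal's code or any part of its detection system. It takes the indicators listed above (authentication results of "None", an empty "To" header, the absence of links and attachments, a sender domain the recipient has never corresponded with, and scam-themed wording) and evaluates them over two constructed sample messages: one modelled on the email described here and one benign statement notification. The known-domain list, the phrase list and the weights are assumptions chosen for illustration; the point is that no single signal is decisive and that the link/attachment check alone, which legacy tools lean on, contributes nothing here.

```python
"""Heuristic scoring of the indicators described above (added example; not
Abnormal's code). Sample messages, known-domain list and weights are constructed."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the described scam: no links, no attachments,
# all authentication results "none", and no recipient in the To: header.
SAMPLE_EMAIL = """\
From: Frank Stockton <advisor@financier.com>
Subject: Private investment opportunity
Authentication-Results: mx.example.net; spf=none; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,

I am a senior advisor with MetLife representing a high net-worth client.
You would receive funds on his behalf and invest them wisely, with a
generous share of the returns for your participation.

Kind regards,
Frank Stockton
"""

# Constructed benign message for contrast: authenticated, addressed, known sender.
LEGIT_EMAIL = """\
From: Account Team <team@example.com>
To: Jane Doe <jane@example.net>
Subject: Your quarterly statement is ready
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Hi Jane,

Your quarterly statement is available at https://portal.example.com/statements.

Thanks,
Account Team
"""

# Constructed history of domains this recipient has previously exchanged mail with.
KNOWN_SENDER_DOMAINS = {"metlife.com", "example.com"}

# Assumed phrases typical of the "receive and invest funds for someone" pitch.
SCAM_PHRASES = ("on his behalf", "on someone else's behalf", "invest them",
                "high net-worth", "receive funds")

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Assumed weights: content and header anomalies carry the decision; the
# link/attachment check is recorded but weighted 0 because its absence is
# exactly what a legacy scanner cannot act on.
WEIGHTS = {"auth_all_none": 2, "no_recipient": 2, "unknown_sender_domain": 1,
           "scam_language": 3, "no_links_or_attachments": 0}
BLOCK_THRESHOLD = 5


def auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results ('none' if absent)."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header, re.IGNORECASE)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def sender_domain(msg: Message) -> str:
    """Lower-cased domain part of the From: address (empty string if unparsable)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts; walk() also covers single-part messages."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_attachments(msg: Message) -> bool:
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def score_message(raw: str, known_domains=KNOWN_SENDER_DOMAINS) -> dict:
    """Evaluate every indicator, sum the assumed weights and return a verdict."""
    msg = message_from_string(raw)
    body = body_text(msg)
    auth = auth_results(msg)
    domain = sender_domain(msg)
    to_field = (msg.get("To") or "").strip()
    indicators = {
        "auth_all_none": all(v == "none" for v in auth.values()),
        "no_recipient": to_field == "" or "undisclosed" in to_field.lower(),
        "no_links_or_attachments": not URL_RE.search(body) and not has_attachments(msg),
        "unknown_sender_domain": domain not in known_domains,
        "scam_language": sum(p in body.lower() for p in SCAM_PHRASES) >= 2,
    }
    score = sum(WEIGHTS[name] for name, hit in indicators.items() if hit)
    return {"sender_domain": domain, "auth": auth, "indicators": indicators,
            "score": score, "verdict": "block" if score >= BLOCK_THRESHOLD else "allow"}


if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, score_message(raw))
```

Running the script scores the constructed scam message 8 (block) and the benign message 0 (allow). In a real deployment the known-domain history and the phrase list would come from the organisation's own mail history and from a model rather than hand-written constants, but the structure, several weak signals combined instead of one decisive artefact, is what lets text-only social engineering be caught.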

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Financial Services Scam
Vector: Text-based
Goal: Payment Fraud
Tactic: Maliciously Registered Domain
Theme: Financial Services
Impersonated Party: Brand
Impersonated Brands: MetLife
AI Generated: Likely
