In this credential phishing attack, the threat actor impersonates Craigslist to deceive recipients into providing sensitive payment information. The likely AI-generated email uses the subject line "Action Required: Payment for Paid Post Declined or Failed" and is spoofed to appear as if it is sent from “craigslist[.]org@verification[.]net”—a domain that has been in existence for 23 years. The email claims that a payment for a Craigslist post has failed and urges the recipient to visit the URL “secure-craiglist-org.clvq[.]bz” to resolve the payment issue. However, if the target enters the URL, they are taken to a fraudulent website designed to steal payment credentials. By mimicking Craigslist's communication style and using a long-established domain, the attacker aims to compel recipients to act quickly without verifying the authenticity of the email.

Older, legacy email security tools struggle to accurately identify this email as an attack because it comes from a spoofed email account, imitates a trusted brand, and contains an obfuscated malicious link. Modern, AI-powered email security solutions detect the spoofed address, recognize messages coming from an unknown sender, and analyze the reputation and history of included links to mark this email as an attack correctly.

Status Bar Dots
AI AI Generated Phishing Attack Spoofs Craigslist Email E
Status Bar Dots
AI AI Generated Phishing Attack Spoofs Craigslist LP

Phishing page designed to appear as Craiglist payment portal.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed email address, “craigslist[.]org@verification[.]net,” which appears legitimate, making it difficult for basic email filters to detect the deception.
  • Use of Trusted Brands: The email leverages the imitation of a well-known and trusted brand like Craigslist, which can reduce suspicion and make it more likely to bypass heuristic-based detection systems.
  • Obfuscated Malicious Link: The phishing link “secure-craiglist-org.clvq[.]bz” is obfuscated to look like a legitimate Craigslist link, making it harder for URL-based security tools to detect it as malicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Spoof Detection: Abnormal identifies discrepancies between the sender's email address and the reply-to address, as well as other spoofing indicators, and flags the email as suspicious.
  • Unknown Sender Detection: Abnormal flags the email as suspicious because the sender, “craigslist[.]org@verification[.]net”, is not recognized as a known or trusted contact within the recipient's usual communication network.
  • Link Analysis: Abnormal performs deep link analysis, identifying that the link “secure-craiglist-org.clvq[.]bz” is not associated with the legitimate Craigslist domain and is instead a cleverly disguised phishing URL.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Suspended Account

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo