In this credential phishing attack, the threat actor poses as a representative from Meta, the parent company of Facebook, and emails the target claiming their account is scheduled for deletion. To manufacture a sense of urgency and compel the recipient to act quickly, the message informs the target that unless they use the included link to cancel the deletion process within two days, they will lose access to their account and any associated content. While the initial link leads to Facebook, the Facebook page likely contains another prompt designed to lead the victim to a phishing site. This secondary destination would be where the actual phishing attempt occurs, and any details provided by the target, such as login credentials or private information, will be stolen by the attacker. The perpetrator applies multiple tactics to increase the appearance of legitimacy, including setting the sender display name as “John from Meta”, incorporating Meta branding into the email body, and hosting the malicious link on a trusted domain (facebook[.]com). The attacker also utilizes Xero, a legitimate accounting software, to send the message, increasing the chances the email would bypass legacy security tools.

Older, legacy email security tools struggle to properly identify this email as an attack because it utilizes sophisticated spoof techniques, the link included in the email is hosted on a trusted domain, and the message contains no malicious attachments. Modern, AI-powered email security solutions analyze the context of the message as well as the links and detect the use of a spoofed reply-to address to correctly mark this email as an attack.

Status Bar Dots
AI Meta Impersonator Exploits Legitimate Domain Email E

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Use of Trusted Domains: The email includes links to well-known and trusted domains like facebook[.]com, which are typically whitelisted by legacy security systems. This can make it harder for these systems to flag the email as suspicious based solely on the domain reputation.
  • Sophisticated Spoofing Techniques: The attacker uses a spoofed "Reply-To" address that differs from the sender's email, a tactic that might not be thoroughly checked by older security systems.
  • Lack of Malicious Attachments: The email does not contain any attachments, which are often a focus of traditional security tools. Without attachments to scan for malware, the email might not raise immediate red flags.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Contextual Understanding: The system analyzes the context of the message, recognizing the urgency and threat of account deletion as potential indicators of phishing, especially when combined with a request to follow a link.
  • Link Analysis: Despite the use of a trusted domain like Facebook, Abnormal Security performs deep link analysis to understand the true nature of the URL and its potential to redirect to a phishing site.
  • Spoofed Reply-To Detection: Abnormal's sophisticated algorithms can detect and flag discrepancies between the "Reply-To" and "From" addresses, which is a common tactic used in phishing attempts.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address
Spoofed Display Name
Masked Phishing Link


Suspended Account

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo