This multi-layer credential phishing attack features an impersonation of Instagram. The attack begins with an email meant to mimic Instagram’s customer support team, informing the recipient that their account has been reported for copyright infringement. The target is told that they must appeal the decision, or their account will be permanently deleted in 48 hours.

A link to the purported appeal form takes the recipient to a fake landing page designed to look like a security check Instagram has set up to prevent bots from submitting appeals. If the recipient clicks the “Go to Form” button, they will be taken to a fake Instagram login page. If the recipient enters their username and password, those credentials are likely at risk of being stolen.

Older, legacy email security tools have difficulty accurately identifying this email as an attack because of the unknown sender, lack of attachments, and social engineering techniques. Modern, AI-powered email security solutions detect brand impersonations while analyzing the links and content to correctly flag this email as an attack.


The attacker created a fake security check that includes a link to a fake login page.


The fake login page is designed to steal credentials from the target.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender: The email is from an unknown domain and email address that the company has never received messages from before. This can allow the email to bypass legacy security tools that rely on blocklists of known malicious senders.
  • Lack of Attachments: The email does not contain any attachments, which are often a red flag for legacy email security tools. By delivering malicious content through links in the email body instead, the email can bypass security checks focusing on attachments.
  • Social Engineering: The email uses social engineering tactics, such as urgency (threat of account deletion) and authority (claiming to be from Instagram), to trick the recipient into clicking the links. These tactics can be difficult for legacy email security tools to detect.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other attacks. In this case, the email contains a threat of account deletion and a request to click on a link, a common tactic in phishing emails.
  • Link Analysis: Abnormal analyzes the links in the email. In this case, the links in the email body were flagged as potentially malicious.
  • Spoofing Detection: Abnormal detects that the email is trying to spoof Instagram, a legitimate company. This is a common tactic in phishing attacks.
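The three signals listed above can be approximated with simple rules, shown here as an added example that is not Abnormal's detection logic. The brand domain list, the phrase patterns, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: registrable domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"instagram": {"instagram.com"}}
THREAT = re.compile(r"permanently deleted|\bin \d+ hours|copyright infringement", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample modelled on the email described above (not the real message).
SAMPLE = """\
From: Instagram Support <appeals@ig-copyright-help.example>
To: user@corp.example
Subject: Copyright infringement report
Content-Type: text/html; charset="utf-8"

<p>Your account was reported for copyright infringement and will be
permanently deleted in 48 hours unless you appeal.</p>
<a href="https://appeal-form.example/check">Go to Form</a>
"""

def registrable(host):
    # Naive last-two-labels reduction; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    claimed = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue
        if sender not in domains:  # spoofing: brand named, sender domain unrelated
            findings.append(f"spoofing: claims {brand}, sent from {sender}")
        for url in HREF.findall(body):  # link: href leaves the brand's domains
            if registrable(urlparse(url).hostname or "") not in domains:
                findings.append(f"link: {url} is outside {brand} domains")
    if THREAT.search(body):  # content: deadline or deletion threat
        findings.append("content: threat or deadline language")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Rules like these only catch the obvious cases; they do not model the sender history or normal behavior that the write-up refers to.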

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Credential Theft

Maliciously Registered Domain
Masked Phishing Link
Branded Phishing Page

Legal Matter

Impersonated Party

Impersonated Brands
