In this credential phishing attack, the threat actor impersonates PayPal and sends the target a notification regarding their account. Using a spoofed email hosted on a legitimate domain for a food delivery service, the attacker claims that an unknown device has attempted to log into the recipient's account, resulting in it being locked to protect their information from online fraud. The target is instructed to log in via the provided link and then follow the instructions to unlock their account. However, should they click on the button labeled “Restore Account”, they will be redirected to a phishing page designed to steal sensitive information. To increase the appearance of legitimacy, the attacker sets the sender display name as “Paypal service” and incorporates PayPal branding into the body of the email. They also insert a fake CAPTCHA test to further the illusion of credibility. By mimicking PayPal’s branding and using an alarming message, the attacker seeks to compel the recipient to act quickly without verifying the email's authenticity. 

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a seemingly legitimate email address, lacks malicious attachments, and employs sophisticated social engineering techniques. Modern, AI-powered email security solutions analyze suspicious links, detect anomalies in the content, and recognize the unknown sender to correctly mark this email as an attack.

Status Bar Dots
SCR 20240701 npps 2

Malicious email in which attacker impersonates PayPal and manufactures a sense of urgency

Status Bar Dots

CAPTCHA incorporated into the attack to further increase the appearance of legitimacy

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a legitimate email address “a@server.foonow[.]com” to spoof PayPal, tricking basic sender verification checks.
  • No Attachments: The email does not contain suspicious attachments that could trigger traditional antivirus or anti-malware scans.
  • Social Engineering Tactic: The email warns of a security issue involving an unknown login attempt, creating a sense of urgency that prompts immediate action, which is often overlooked by simple spam filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: The provided link “[.]gt” is scrutinized for its reputation and context, raising suspicion due to its use in a phishing setup and its mismatch with expected PayPal URLs.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never had communication with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Content Analysis: The email’s urgent message about an unknown device login attempt and the directive to “Restore Account” is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Suspicious Account Activity
Security Update

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo