This credential phishing attack features an impersonation of PayPal, a P2P payments provider, and the utilization of PandaDoc, a document collaboration tool. The email informs the target that a potentially fraudulent transaction on their account has been detected, and a verification process has been initiated to determine the next steps. The language in the attack is designed to create a sense of urgency. It states that if the target does not respond within the next 12 hours, the transaction will be considered legitimate and will be completed. The attacker provides a phone number that the target can call to cancel the purchase in addition to a PandaDoc link, purportedly to the contract the recipient must sign if the purchase is legitimate. If the target calls the number or interacts with the provided link, credentials or other sensitive information are at risk of being stolen.

Because the attacker utilizes PandaDoc’s document-sending service to send the link, the pandadoc[.]net sender domain is legitimate. However, the reply-to address, “wujabyji@lyft[.]live,” is from a maliciously registered domain, and the attacker uses the sender name “PAYPAL DEPT” to impersonate PayPal.

Older, legacy email security tools have difficulty accurately flagging this email as an attack because of the lack of attachments, the use of social engineering techniques, and the unknown domain. Modern, AI-powered email security solutions analyze the sender, reply-to address, and content to correctly identify this email as an attack.

Status Bar Dots
Nov20 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments: The email does not contain any attachments, which are often a common vector for malware. Legacy security tools often focus on scanning attachments for threats, so an email without attachments might not be flagged as suspicious.
  • Urgency and Fear Tactics: The email uses urgency and fear tactics to pressure the recipient into taking action. This is a common social engineering technique that can bypass technical security measures.
  • Unknown Domain: The email was sent from an unknown domain that the company has never corresponded with in the past. Legacy security tools may not have the capability to track and flag emails from unknown domains.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: Abnormal checks if the message was sent from an unknown email address that the company has never sent emails to in the past. This is a strong signal of a potential threat.
  • Content Analysis: Abnormal uses natural language processing to analyze the content of the email. The email's content, which asks the recipient to sign a document related to a potentially fraudulent transaction, could be flagged as suspicious.
  • Reply-To Analysis: Abnormal checks the reply-to email address. In this case, the reply-to email “'wujabyji@lyft].]live” is different from the sender email, “docs@transactional.pandadoc[.]net,” and “lyft[.]live’” is a maliciously created domain.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Maliciously Registered Domain
Masked Phishing Link


Suspicious Account Activity
Fake Payment Receipt
Fake Document

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo