In this credential phishing attack, the threat actor impersonates PayPal and informs the target that their account has been flagged for missing information. The email states that new information must be provided to comply with legislation and company policies. The threat actor uses the sender name of "PayPal" and incorporates PayPal's colors and branding into the email to increase the appearance of authenticity. To improve the likelihood of the message being successfully delivered, the attacker spoofs the legitimate domain "delivery[.]com". While the message does not specify which information is missing, it does provide the target with a link purportedly to PayPal's "Resolution Center" and a notice that if the requested information isn't submitted within 24 hours, their account may be closed. However, the included link is a masked phishing link that likely leads to a fake landing or login page, which means any information entered into the page, such as payment details or login credentials, will be stolen.

Older, legacy email security tools struggle to accurately identify this email as an attack because it contains no malware or suspicious attachments, uses social engineering techniques, and links to an external site. Modern AI-powered email security solutions look at the sender's reputation, analyze the links, and conduct content analysis to appropriately flag this email as an attack.

Status Bar Dots
Jan17 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malware or Suspicious Attachments: Legacy security tools often rely on detecting malware or suspicious attachments. In this case, the email contains no attachments, making it harder for such tools to flag it as malicious.
  • Sense of Urgency: The email creates a sense of urgency, stating that the recipient's account may be closed if they don't act within 24 hours. This psychological tactic can often lead recipients to act before considering the email's legitimacy and is not something legacy tools can easily detect.
  • Link to External Site: The email contains a link to an external site where the phishing attack actually takes place. Legacy security tools may be unable to follow and analyze the content of external links.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Reputation: Abnormal checks if the sender name and email address have been used to send emails to the recipient in the past. In this case, both the sender's name and email address are unknown to the recipient, which is a strong sign of a phishing attempt.
  • Link Analysis: Abnormal analyzes the links in the email. The link in this email leads to a non-PayPal website, which strongly indicates a phishing attempt.
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing. In this case, the content includes a sense of urgency and a request for the recipient to update their account information, typical of phishing emails.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Account Verification
Security Update

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo