In this likely AI-generated phishing attack, the threat actor impersonates global shipping provider DHL and emails the target a fraudulent delivery notification. The attacker uses a spoofed email address and sets the sender display name to “Parcel notification-DHL” to appear more legitimate. They also convincingly impersonate DHL’s branding, incorporating the company’s logo and colors into the email content. The message, which is free of obvious misspellings or grammatical errors, claims DHL was unable to deliver the target’s package because their shipping address could not be located. To resolve the issue, the email requests that the recipient update their delivery address and pay a re-delivery fee of €2.99 using the provided link. However, should the target click the link, they will be redirected to a phishing website designed to steal sensitive information, including payment details.

Older, legacy email security tools struggle to accurately identify this email as an attack because it comes from a spoofed email address, contains links that appear legitimate, and employs social engineering tactics that ask the recipient to act with urgency. Modern, AI-powered email security solutions detect anomalies in the content, recognize the message comes from an unknown sender, and analyze the suspicious link to mark this email as an attack correctly.

Status Bar Dots
AI DHL Impersonation AI Generated Phishing Email E

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed email address, which appears legitimate and can bypass basic sender verification checks.
  • Legitimate-Looking Links: The email includes real-looking URLs, which can pass through link verification checks because they appear to be legitimate.
  • Social Engineering Tactics: The claim of a missed delivery and the need for a quick address update create a sense of urgency, prompting swift recipient action without careful scrutiny.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: The email’s urgent message about updating a delivery address and paying a re-delivery fee is flagged by advanced content analysis algorithms as a common phishing tactic.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Suspicious Link Analysis: The presence of a link that directs the recipient to update their address and pay a fee triggers Abnormal’s systems to scrutinize and flag the email for potentially malicious content.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address
Spoofed Display Name
Masked Phishing Link


Fake Shipping Notification

Impersonated Party


Impersonated Brands


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo