In this credential phishing attack, the threat actor impersonates Amazon and claims the credit card associated with the recipient’s Amazon Prime membership is no longer valid. The email, which is sent from a display name of “Customer Service Prime,” instructs the target to follow the steps in the attached document to resolve the issue. The attached PDF is branded to look like an authentic communication from Amazon and explains the consequences if the target does not use the link embedded in the PDF to update their payment information. However, the link likely leads to a phishing website where login credentials, payment details, or other sensitive information are at risk of being stolen.

Older, legacy security tools struggle to properly identify this email as an attack because the attacker uses a newly registered domain, attaches a benign file type (PDF), and applies social engineering tactics designed to create a sense of urgency. Modern, AI-powered security solutions analyze the domain age, attachments, and email contents to accurately flag this email as an attack.

Status Bar Dots
Attack Library Amazon Phisher Email E
Status Bar Dots
Attack Library Amazon Phisher PDF

The PDF attachment is branded to look similar to authentic Amazon communication.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Newly Registered Domain: The sender's domain is only 40 days old, which is a common tactic used by attackers to bypass reputation-based filters used by legacy systems.
  • Attachment Type: The email contains a PDF attachment, which is a common file type and may not raise any flags in legacy systems.
  • Social Engineering Tactics: The email uses social engineering tactics, such as urgency and fear, to trick the recipient into opening the attachment. These tactics are often not detectable by legacy systems.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age Analysis: Abnormal checks the age of the sender's domain. In this case, the attacker is using a newly registered domain, which is a common characteristic of malicious emails.
  • Attachment Analysis: Abnormal analyzes attachments more thoroughly than legacy systems. Even though the attachment is a PDF file, which is not typically associated with malicious payloads, Abnormal can still flag it as potentially suspicious.
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other malicious tactics. In this case, the email uses social engineering tactics to trick the recipient into opening the attachment.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Maliciously Registered Domain
Masked Phishing Link


Account Update

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo