In this phishing attack, the threat actor impersonates SiriusXM to convince recipients that their subscription has lapsed. The email is sent under a SiriusXM display name from the unrelated address “info.0112@floatingdust[.]com”; it claims that the subscription renewal failed and offers a free 90-day extension through a loyalty program. A target who clicks the button labeled “RENEW SUBSCRIPTION NOW” is taken to a landing page built to look like a genuine SiriusXM renewal offer. Clicking the button on that page redirects to a payment page whose content appears to have been copied from an unrelated but legitimate organization. Anything entered into this page, including payment card details, is captured by the attacker and can be used to make fraudulent charges.

This attack illustrates how threat actors exploit the trust associated with well-known service providers like SiriusXM. By mimicking official communication and pairing a trusted brand name with a sender address the recipient has never seen, the attacker aims to persuade recipients to hand over sensitive financial information.

Older, legacy email security tools struggle to identify this email as an attack because it is sent from a domain with no known malicious reputation, carries recognizable professional branding, and uses social engineering to push the user toward immediate action. Modern, AI-powered email security solutions detect anomalies in the content, recognize that the sender has no prior relationship with the recipient, and analyze the embedded links to correctly classify this email as an attack.

Screenshot: Email claiming the target's SiriusXM subscription has expired

Screenshot: Fake landing page crafted to appear as a legitimate renewal offer

Screenshot: Fake checkout page designed to steal sensitive information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Display Name on an Unflagged Domain: The message is sent from “info.0112@floatingdust[.]com”, a domain with no history on malicious-domain blocklists, so filters that match only known bad senders have nothing to match; the SiriusXM display name, not the domain, does the impersonating.
  • Professional Branding: The email uses SiriusXM branding and mimics the style of official messages, which makes it harder for content-based filters to distinguish it from a genuine notification.
  • Social Engineering Tactic: The content conveys urgency about the subscription expiring, prompting immediate user action and slipping past filters that do not flag routine subscription notifications.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Anomalies: The email’s urgent message about subscription expiration and its prompt to update payment details are flagged by content analysis as a common phishing pattern.
  • Unknown Sender Consideration: The sender has never communicated with the recipient before. Abnormal’s platform maintains a history of sender-recipient interactions and flags deviations from established communication patterns.
  • Link Analysis: The link in the email points to a hostname under myftp[.]biz, a dynamic-DNS domain; its reputation and prior use in phishing and credential-stealing schemes raise suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
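To make the contrast between the two sections above concrete, the following is an added example (not Abnormal’s code, and not a description of its proprietary models): a blocklist-only filter next to a behaviour-aware scorer, both run over a constructed message that mirrors the lure described on this page. The sender address and the myftp[.]biz link domain come from the page; the recipient, the “renew-offer” hostname label, the body wording, the communication-history table and the brand/dynamic-DNS lists are assumptions made up for the example.

```python
"""Added example: a domain-blocklist filter versus a behaviour-aware scorer.
Not Abnormal Security's code; the sample message and reference tables below
are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. The From address and the myftp.biz link domain
# are the indicators named on the page; the rest is invented.
SAMPLE_EMAIL = """\
From: "SiriusXM" <info.0112@floatingdust.com>
To: jane.doe@example.com
Subject: Your SiriusXM subscription has expired
Content-Type: text/html

<p>Your subscription renewal failed. Renew now to receive a free 90-day
extension through our loyalty program.</p>
<a href="http://renew-offer.myftp.biz/siriusxm">RENEW SUBSCRIPTION NOW</a>
"""

# A legacy filter consults only domains already known to be bad (assumed list).
KNOWN_BAD_DOMAINS = {"evil-example.test"}

# Communication history: domains each recipient has exchanged mail with (assumed).
KNOWN_CORRESPONDENTS = {"jane.doe@example.com": {"example.com", "partner.test"}}

# Brands and the domains they legitimately send from (assumed).
BRAND_DOMAINS = {"siriusxm": {"siriusxm.com"}}

# Dynamic-DNS parent domains: cheap, disposable hosting for phishing pages (assumed list).
DYNAMIC_DNS_PARENTS = {"myftp.biz", "no-ip.org", "ddns.net"}

URGENCY_TERMS = ("expired", "renew now", "renewal failed", "immediately", "suspended")


def legacy_blocklist_verdict(raw: str) -> str:
    """What a blocklist-only filter sees: the From domain is not listed, so it passes."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    return "block" if domain in KNOWN_BAD_DOMAINS else "allow"


def registered_parent(host: str) -> str:
    """Last two labels of a hostname; enough to map renew-offer.myftp.biz to myftp.biz."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def score_message(raw: str) -> dict:
    """Behaviour-aware scoring: returns the indicators that fired and a verdict."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    recipient = parseaddr(msg["To"])[1].lower()
    body = msg.get_payload()
    indicators = []

    # 1. Spoofed display name: a brand in the display name, sent from an unrelated domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            indicators.append(f"display name claims {brand} but domain is {sender_domain}")

    # 2. Unknown sender: no prior sender-recipient history.
    if sender_domain not in KNOWN_CORRESPONDENTS.get(recipient, set()):
        indicators.append(f"first contact from {sender_domain}")

    # 3. Link analysis: link hosts sitting under a dynamic-DNS parent domain.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        parent = registered_parent(host)
        if parent in DYNAMIC_DNS_PARENTS:
            indicators.append(f"link host {host} is under dynamic-DNS domain {parent}")

    # 4. Content anomalies: urgency language in subject or body.
    text = (msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        indicators.append(f"urgency terms: {', '.join(hits)}")

    # Any single indicator is weak on its own; the combination marks the attack.
    verdict = "attack" if len(indicators) >= 3 else "allow"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    print("legacy filter:", legacy_blocklist_verdict(SAMPLE_EMAIL))
    result = score_message(SAMPLE_EMAIL)
    print("behaviour-aware:", result["verdict"])
    for indicator in result["indicators"]:
        print("  -", indicator)
```

Run stand-alone, the blocklist filter returns "allow" for the sample while the scorer returns "attack" with four indicators. The threshold of three is deliberate: a first-contact sender or an urgent subject line is routine on its own, and it is the stacking of display-name mismatch, no history, a disposable link host and urgency language that separates this lure from a real notification.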

Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Display Name; Masked Phishing Link; Branded Phishing Page
Theme: Suspended Account; Account Verification
Impersonated Party: Brand
Impersonated Brands: SiriusXM
