In this phishing attack, the attacker spoofs an email to impersonate a representative from “PT Federal International Finance,” a legitimate company based in Indonesia. The email falsely claims that a Bitcoin wallet has been funded with 70.4 Bitcoin, equivalent to approximately $3,047,509.25. The email provides a link to a fraudulent website, disguised by instructing the recipient to remove a space in the URL, and includes login credentials for the supposed Bitcoin wallet. The attacker aims to lure the recipient into visiting the fake website, which could require them to input their login credentials, bank account information, or crypto wallet addresses to access the funds. This attack exemplifies threat actors' advanced techniques to exploit the recipient's trust and sense of urgency. By mimicking a legitimate company and presenting a substantial financial incentive, the attacker seeks to compel the recipient to act quickly without verifying the email's authenticity.


Legacy email security tools struggle to identify this email as an attack because it uses spoofed sender information, contains no directly clickable links (the URL is deliberately broken by a space), and carries no attachments. Modern, AI-powered email security solutions detect the spoofed sender information, analyze the disguised link for malicious intent, and understand the message context to recognize the signs of phishing and correctly mark this email as an attack.

[Screenshot, April 29th] Spoofed email where the threat actor is impersonating a legitimate company.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Sender Information: The attacker uses a spoofed email address, but the email appears to come from a legitimate domain, “fifgroup[.]co[.]id,” making it difficult for legacy tools to detect the deception based on sender information alone.
  • No Clickable Links: The email does not contain direct clickable links. Instead, it provides a URL with a space that the recipient must manually correct, which can bypass URL scanning tools that look for direct links.
  • No Attachments: The email does not contain attachments, often a focus of traditional security tools. Without attachments to scan for malware, the email might not raise immediate red flags.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Spoofed Sender Detection: Abnormal detects and flags discrepancies between the displayed sender information and the actual sender details, identifying spoofing attempts.
  • Link Analysis: Despite the use of a disguised URL, Abnormal performs deep link analysis to understand the URL's true nature and potential to redirect to phishing sites.
  • Contextual Understanding: Abnormal analyzes the context of the message, recognizing the unusual nature of a large Bitcoin transaction and the request to verify account details as potential phishing indicators.
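To make the three evasion and detection points above concrete, here is a simplified, added illustration in Python of how the checks can be implemented: rejoining a URL that has been broken by a space, comparing the visible From domain against Reply-To and Return-Path, and looking for the contextual cues (a large Bitcoin credit, an "account verification" request, embedded login credentials). This is example code written for this page, not code from the original post or from Abnormal Security's product, whose real detection logic is proprietary. The two messages are constructed samples; the spoofed From reuses fifgroup.co.id because the page names it as the impersonated domain, and every other domain is a .example placeholder. The scoring thresholds are assumptions chosen for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not the real phishing email). The spoofed
# From uses fifgroup.co.id, the legitimate domain the page says was
# impersonated; every other domain is a .example placeholder.
PHISH = """\
From: "PT Federal International Finance" <noreply@fifgroup.co.id>
Reply-To: support@wallet-verify.example
Return-Path: <bounce@mailer.example>
Subject: Your Bitcoin wallet has been funded
Content-Type: text/plain; charset=utf-8

Dear customer,
Your Bitcoin wallet has been credited with 70.4 BTC.
Please verify your account at https://wallet-verify .example/login
(remove the space to open the link).
Login: user01
Password: 123456
"""

CLEAN = """\
From: Accounts <ar@corp.example>
Return-Path: <ar@corp.example>
Subject: Invoice available
Content-Type: text/plain; charset=utf-8

Hi, the invoice is available at https://portal.corp.example/invoices/42
"""

# A URL-looking token, the whitespace that follows it, and the next token.
URL_BREAK_RE = re.compile(r"(?P<url>(?:https?://|www\.)\S*)[ \t]+(?P<next>\S+)", re.I)
PREFIX_RE = re.compile(r"^(?:https?://|www\.)", re.I)


def find_space_broken_urls(text):
    """Return (as_written, rejoined) pairs for URLs whose host is split by
    whitespace, as in 'https://wallet-verify .example/login'.
    Heuristic: the URL token has no dot in its host, or the next token starts
    with a dot, or the URL token ends with a dot and the next token is
    lower-case. A URL scanner that only extracts contiguous tokens misses these."""
    hits = []
    for m in URL_BREAK_RE.finditer(text):
        url, nxt = m.group("url"), m.group("next")
        host = PREFIX_RE.sub("", url).split("/")[0]
        if "." not in host or nxt.startswith(".") or (url.endswith(".") and nxt[0].islower()):
            hits.append((f"{url} {nxt}", url + nxt))
    return hits


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_mismatches(msg):
    """Disagreements between the visible From domain and the routing headers.
    (A real deployment would also check SPF/DKIM/DMARC alignment, which
    needs the receiving MTA's authentication results; out of scope here.)"""
    from_dom = domain_of(msg.get("From"))
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    return findings


# Contextual cues taken from the attack described above (assumed list).
CONTEXT_TERMS = ("bitcoin", "btc", "wallet", "verify your account",
                 "remove the space", "login:", "password:")


def context_indicators(body):
    low = body.lower()
    return [t for t in CONTEXT_TERMS if t in low]


def analyze(raw_message):
    """Combine the three checks into one verdict for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    broken = find_space_broken_urls(body)
    mismatches = header_mismatches(msg)
    terms = context_indicators(body)
    # A deliberately broken URL is strong evidence on its own; a header
    # mismatch needs corroborating context, since forwarding and mailing-list
    # software legitimately rewrite Return-Path and Reply-To.
    suspicious = bool(broken) or (bool(mismatches) and len(terms) >= 2)
    return {"broken_urls": broken, "header_mismatches": mismatches,
            "context_terms": terms, "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, analyze(raw))
```

Run against the constructed phishing sample, `analyze` rejoins the broken URL to `https://wallet-verify.example/login`, reports both Reply-To and Return-Path as disagreeing with the From domain, and lists the Bitcoin, verification and credential cues; the clean sample produces no findings. The rejoin rule is deliberately permissive (a bare `https://localhost` followed by a word would also trigger it), because the cost of a false positive on a URL check is a review, while a miss is a delivered phishing email.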

By learning what normal behavior looks like and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address; Masked Phishing Link
Theme: Account Verification; Cryptocurrency; Fake Payment
Impersonated Party: External Party - Vendor/Supplier
