This credential phishing attack features an impersonation of the popular retail investing service Robinhood. The attacker informs the recipient that a withdrawal from Robinhood to their checking account has been initiated and provides two links: one the recipient can use to view the transaction and another to cancel the transaction.

The email is short, uses professional-sounding language, and includes official-looking legal disclosures at the bottom to appear more legitimate. The attacker also sends from a different domain that features the word “Robinhood.” Although the message is malicious, a recipient could mistake it at a glance for authentic communication from Robinhood. If the recipient engages with this email, sensitive information, including login credentials and account details, is at risk.

Legacy security tools struggle to accurately identify this email as an attack because of the spoofed email address and the lack of malicious attachments or known malicious links. Modern, AI-powered email security solutions analyze the links and the domain reputation while detecting social engineering techniques to flag this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be from Robinhood, a well-known financial services company. However, the sender's email address is not from the official Robinhood domain but a spoofed domain closely resembling it. Legacy email security tools may not be able to detect this subtle difference.
  • Lack of Malicious Attachments: The email contains an attachment. However, it's an image file that is less likely to be flagged as malicious by legacy security tools than executable files or scripts.
  • Lack of Known Malicious Links: The email contains a Bitly link, a popular URL-shortening service. Since this is a legitimate service, legacy security tools may not flag the link as malicious, even though it could redirect to a malicious site.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the Bitly link in the email body and can identify if it redirects to a malicious site—even if the link is from a legitimate URL shortening service.
  • Domain and Email Reputation: Abnormal maintains a database of known domains and emails. Because the sender's domain and email are unknown to the recipient and have never been used in past communications, Abnormal flags the email as suspicious.
  • Social Engineering Detection: Abnormal's AI system detects the social engineering tactics used in the email, such as creating a sense of urgency and fear.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
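The three signals listed above (a sender domain that contains the brand name but is not the brand's own, a link behind a URL shortener, and urgency wording) can be approximated with simple triage rules. The following is an added illustration, not Abnormal's detection logic and not code from this page; the official domain `robinhood.com`, the shortener list, the urgency keywords, and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this illustration (not taken from the page):
BRAND_DOMAINS = {"robinhood": {"robinhood.com"}}  # brand token -> domains it really sends from
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
URGENCY = re.compile(r"\b(cancel|initiated|immediately|within \d+ hours?|unauthori[sz]ed)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample messages (placeholder domain and link, not real indicators).
SAMPLE_PHISH = (
    "From: Robinhood <support@robinhood-alerts.example>\n"
    "Subject: Withdrawal initiated\n"
    "\n"
    "A withdrawal to your checking account has been initiated.\n"
    "View or cancel it: https://bit.ly/EXAMPLE\n"
)
SAMPLE_LEGIT = ("From: Robinhood <noreply@robinhood.com>\n\n"
                "Your monthly statement is ready: https://robinhood.com/account\n")

def registrable(host):
    """Naive last-two-labels domain; a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw_email):
    """Return the signals raised for one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_email)
    signals = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name appears in the sender host, but the host is not the brand's domain.
        if brand in sender_host and registrable(sender_host) not in legit:
            signals.append(f"lookalike-sender:{sender_host}")
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    # A shortener hides the destination, so the link needs expansion before any verdict.
    signals += [f"shortened-link:{h}" for h in sorted(hosts & SHORTENERS)]
    if URGENCY.search(body):
        signals.append("urgency-language")
    return signals

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH), triage(SAMPLE_LEGIT))
```

Each signal alone is weak (legitimate mail also uses shorteners and words like "cancel"); the combination of all three on a first-time sender is what makes the message worth quarantining or escalating.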

Analysis Overview




Credential Theft


Masked Phishing Link


Fake Payment Receipt

Impersonated Party


Impersonated Brands

