This multi-layered credential theft attack features an impersonation of the United States Postal Service. The email looks like an automated notification from USPS informing the recipient of an issue with a package delivery due to an incorrect address. The attacker creates a sense of urgency around a potentially delayed or canceled package by impersonating a known entity like the USPS. This social engineering technique can be an effective tactic for credential phishing attacks. The email also includes a link where the recipient can update their information. However, the link leads to a fake USPS landing page where personal information or other credentials are at risk of being stolen if entered into the form, underscoring the complexity of this attack. 

Legacy email security tools have difficulty identifying this as an attack because of the use of legitimate-looking links, the unknown sender domain, and advanced social engineering techniques. Modern, AI-powered email security solutions analyze the content and links in the email along with the return path of the sender's domain to flag this as an attack.

Status Bar Dots
Aug18 Screenshot
Status Bar Dots
Screenshot 2023 08 08 at 12 51 42 PM

The attacker creates a fake USPS landing page linked from the email where sensitive information is likely to be stolen if inputted by the recipient.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Use of Legitimate-looking Links: The email contains a malicious link to a website landing page that spoofs the USPS. Traditional security tools might not flag these links as suspicious because they lead to real websites.
  • Unknown Sender Domain: The email is from an unknown domain. Traditional security tools might not flag this email as suspicious because they often rely on a history of known malicious senders.
  • Social Engineering Techniques: The email uses social engineering techniques to urge the recipient to click the links by suggesting the recipient's package delivery is at risk. Traditional security tools might not detect this type of psychological manipulation.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal's AI analyzes the links included in the email. The links in this email lead to various websites, including "," a phishing site.
  • Content Analysis: Abnormal's AI analyzes the content of the email for signs of phishing and social engineering. In this case, the email's content asks the recipient to update their address for a package delivery, which could be a phishing attempt. The email also uses social engineering techniques by creating a sense of urgency around a potentially delayed or canceled package because of incorrect address details.
  • Return Path Analysis: Abnormal checks the return path domain of the email. In this case, the return path domain "" does not match the sender's email address "info@," which strongly indicates a malicious email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Branded Phishing Page


Fake Shipping Notification

Impersonated Party

Government Agency

Impersonated Brands


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo