In this likely AI-generated attack, the threat actor impersonates a recruitment coordinator and initiates the first phase of a payroll diversion attack. After registering a Gmail account, the attacker sets the display name as the real name of the impersonated employee and emails the HR Director inquiring about the process of updating direct deposit information. The message is free of misspellings and grammatical errors, and the attacker addresses the target by name to increase the appearance of legitimacy. The goal of this initial email is simply to build trust and rapport with the target. Then, once the target replies, the threat actor can move on to the next stage of the attack and provide fraudulent banking details so that future direct deposits will be sent to an account owned by the attacker.

Older, legacy email security tools struggle to accurately flag this email as an attack because it comes from an unknown sender, lacks malicious links or attachments, and uses urgent language to socially engineer the target. Modern, AI-powered email security tools flag the unknown sender, analyze the content, and identify the mismatch between the sender name and sending domain to mark this email as an attack correctly.

Status Bar Dots
March 26th Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Unknown Sender: The email comes from an unknown sender email. Traditional security tools often rely on reputation-based systems, flagging emails known to have sent malicious content in the past. A new or unknown sender wouldn't have a negative reputation, allowing the email to bypass these checks. 
  • Lack of Malicious Attachments or Links: The email does not contain any attachments or links, often the focus of traditional security tools. The absence of these elements could allow the email to bypass such checks. 
  • Use of Urgent Language: The attacker uses language that creates a sense of urgency to compel the target to act quickly. Legacy security tools may not be equipped to analyze the context and sentiment of an email's content.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: The email comes from an unknown sender that the target has never received emails from in the past. Abnormal flags this as suspicious, as it's unusual for a company to receive emails from completely unknown senders. 
  • Content Analysis: Abnormal analyzes the content of the email to detect subtle signs of phishing attacks, such as the use of social engineering tactics and the creation of a sense of urgency, which were present in this email. 
  • Mismatch Between Sender Name and Email Address: The mismatch between the sender name and the generic, unprofessional email address mymail71345r@gmail[.]com is a critical red flag. This inconsistency suggests an attempt to cloak the sender's true identity behind a trusted name, a common strategy in phishing and impersonation attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview


Financial Services Scam




Payroll Diversion


Free Webmail Account


Direct Deposit Payment
Account Update

Impersonated Party

Employee - Other

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo