In this credential phishing attack, the threat actor impersonates FedEx and emails the target claiming they have a package awaiting delivery. The message informs the recipient that due to unforeseen circumstances, the delivery of the package has been temporarily suspended and the target must use the provided link to reschedule the delivery. However, if the recipient clicks on the “Reschedule Delivery” button, they are redirected to a phishing page owned by the attacker. Any text entered into the page—such as private contact information, login credentials, or payment details—will be stolen by the attacker and can be used to illegally transfer funds or launch additional attacks. The attacker utilizes multiple tactics to increase the appearance of legitimacy, including setting the sender display name as “FedEx Alerts”, including a fake tracking number, and convincingly imitating FedEx branding in the email body. To minimize the telltale signs of a phishing email (e.g. misspellings and poor grammar), the attacker likely also generated the text of the email using AI.

Older, legacy email security tools struggle to properly identify this email as an attack because it is sent using a newly created domain, contains no malicious attachments, and leverages social engineering. Modern, AI-powered email security solutions detect the use of a new domain and social engineering as well as analyze the links to correctly mark this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Newly Created Domain: The sending domain was created 19 months ago, which might not be long enough to be blacklisted by legacy security tools but is also not so new that it would automatically raise red flags. Legacy tools often rely on blacklists that may not be updated in real time.
  • Lack of Malicious Attachments: The email does not contain any attachments, which are often scanned by legacy security tools for malware. This absence can lead such tools to incorrectly assess the email as safe.
  • Social Engineering: The email employs social engineering tactics by creating a sense of urgency and legitimacy. Legacy tools may not effectively analyze the psychological aspects of phishing content.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age Analysis: Abnormal considers the age of the domain and its reputation, flagging the domain in this case as potentially suspicious because it is brand new.
  • Social Engineering Detection: Abnormal detects social engineering techniques, such as a manufactured sense of urgency, and flags emails with these tactics as malicious.
  • Link Analysis: Even if the primary phishing attempt is conducted through an image or text, Abnormal can follow links and analyze the destination to detect malicious content.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
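
A simplified sketch of the signals listed above, added here as an illustration; it is not Abnormal's detection logic. The brand map, urgency word list, 30-day age threshold, and sample message are all assumptions, and the domain creation date is assumed to come from a WHOIS/RDAP lookup done elsewhere.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"fedex": "fedex.com"}  # assumption: brand keyword -> its real domain
URGENCY = re.compile(r"\b(suspended|reschedule|immediately|final notice)\b", re.I)
# Constructed sample message (single-part HTML body); every value here is made up.
SAMPLE = """From: "FedEx Alerts" <notify@parcel-updates.example>
Subject: Delivery temporarily suspended

<p>Tracking 0000-CONSTRUCTED: delivery has been temporarily suspended.</p>
<a href="https://portal.parcel-updates.example/login">Reschedule Delivery</a>
"""

class Hrefs(HTMLParser):  # collects the href of every <a> tag in an HTML body
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append(dict(attrs).get("href") or "")

def under(host, domain):  # True if host is the domain itself or a subdomain of it
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def signals(raw, domain_created, today=None, min_age_days=30):
    """Return the signals raised for one message, in the order they are checked."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # a str for the single-part messages assumed here
    claimed = [d for b, d in BRAND_DOMAINS.items() if b in display.lower()]
    out = []
    if claimed and not any(under(sender, d) for d in claimed):
        out.append("display_name_impersonation")
    if ((today or date.today()) - domain_created).days < min_age_days:
        out.append("young_sender_domain")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        out.append("urgency_language")
    links = Hrefs()
    links.feed(body)
    off_brand = [h for h in links.found if not any(under(urlparse(h).hostname, d) for d in claimed)]
    if claimed and off_brand:
        out.append("link_leaves_claimed_brand")
    return out
```

Run against the constructed sample with a four-day-old sending domain, all four signals fire. With a 19-month-old domain the age check stays silent while the display-name, urgency, and link signals still fire, which is why domain age alone is a weak control.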

Analysis Overview

  • Credential Theft
  • Masked Phishing Link
  • Fake Website
  • Fake Shipping Notification

Impersonated Party

Impersonated Brands