In this likely AI-generated phishing attack, the threat actor poses as FTX Trading Ltd., a bankrupt company that formerly operated a fraud-ridden cryptocurrency exchange, and emails the target a notification regarding their FTX account. The attacker exploits a possibly compromised email account hosted on “mts[.]net”, the legitimate domain of the now-acquired Canadian telecom services company Manitoba Telecom Services (MTS). To increase the appearance of legitimacy, the perpetrator sets the sender display name to “FTX kroll Ltd.”, as FTX appointed restructuring administration firm Kroll to handle all claims during their bankruptcy proceedings. The email informs the recipient that they are eligible to withdraw their digital assets from their account and offers details on the process and timeline. The message instructs the target to use the provided “unique code” and the embedded link to begin their withdrawal. While the anchor text shows the URL as “https://www.ftx[.]com”, the actual destination is a phishing site designed to steal sensitive information, such as login credentials or payment details, or even initiate fraudulent cryptocurrency transactions.

Older, legacy email security tools struggle to accurately identify this email as an attack because it leverages a spoofed email address, includes legitimate links, and uses social engineering tactics. Modern AI-powered email security solutions detect anomalies in the content, the spoofed sender, and the fact the recipient has never communicated with this sender before to correctly mark this email as an attack.

Status Bar Dots
AI FTX Impersonation Fraudulent Withdrawal Email E

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email is spoofed to appear as if it is coming from a legitimate source, which could allow it to bypass basic sender verification checks.
  • Legitimate Links: The email includes real URLs to legitimate sites, which will not be flagged by link verification checks used by legacy tools.
  • Social Engineering Tactics: The email's content is crafted to manipulate the target into clicking on the phishing link without questioning its legitimacy. Legacy tools may not be equipped to detect the nuanced language and psychological tactics used in such social engineering attacks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Anomalies: The email’s urgent message about digital asset withdrawals and complex code is flagged by Abnormal’s advanced content analysis algorithms as a common phishing tactic.
  • Spoofed Sender Detection: Abnormal detects and flags discrepancies between the displayed sender information and the actual sender details to identify spoofing attempts.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never had communication with the recipient. Abnormal’s platform maintains a communication history and flags deviations from established patterns of interactions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Fake Payment

Impersonated Party


Impersonated Brands

FTX Trading Ltd.

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo