In this Norwegian-language credential phishing attack, the threat actor poses as a representative from Santander Consumer Bank, a subsidiary of Santander Group, a multinational financial services company. Using a sender name of “Santander Consumer Bank” to appear legitimate and an innocuous-sounding domain name, “metropoliscustomers[.]com” to minimize red flags, the attacker claims the target’s credit card has been temporarily disabled due to the recipient’s failure to verify their identity. To create a sense of urgency, the email states that if the target does not complete the mandatory identity verification within 14 days, their card will be permanently deactivated. Included in the email is a link purportedly to start the verification process. However, if the target clicks the link, they will be taken to a credential phishing website where sensitive information such as login credentials or payment details is at risk of being stolen. 

Older, legacy security tools fail to properly identify this email as an attack because it contains no malware or attachments, comes from an unknown sender, and uses social engineering techniques. Modern, AI-powered email security solutions analyze the content, links, and sending domain to accurately flag this email as an attack.

Status Bar Dots
Attack Library Santander Bank Impersonator Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malware or Attachments: The email does not contain any attachments or obvious malware, which are common triggers for traditional security tools. 
  • Unknown Sender: The email was sent from an unknown domain and email address that the recipient's company has never received messages from before. Legacy security tools often rely on blacklists of known malicious senders, so they may not flag emails from previously unknown senders or domains.
  • Social Engineering: The attacker uses social engineering techniques, including creating a sense of urgency, to trick the recipient into taking action. These psychological tactics can be very effective but are often not something that legacy security tools are equipped to detect.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal analyzes the content of the email to detect subtle signs of phishing attacks, such as the use of social engineering tactics and the creation of a sense of urgency, which were present in this email.
  • Link Analysis: The email contained a link that led to a website not associated with Santander. Abnormal analyzes links in the email body and identifies when they lead to potentially malicious sites.
  • Domain Analysis: The sender's domain was unknown to the recipient's company and the domain age could not be found. Abnormal analyzes these factors to identify potential threats.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Free Webmail Account
Masked Phishing Link


Account Verification

Impersonated Party

External Party - Other



See How Abnormal Stops Emerging Attacks

See a Demo