In this credential phishing attack, the threat actor poses as UPS and emails the target regarding a failed package delivery. Hiding the true sender identity behind a display name of "UPS," the attacker claims the shipping provider could not deliver the recipient's package and invites them to sign up for UPS My Choice to reschedule the delivery. The entirety of the email content is an embedded image designed to exploit the trust associated with the shipping provider by convincingly mimicking UPS' authentic branding. The pretext of the email (i.e., a failed package delivery) is also intended to manufacture a sense of urgency and compel the recipient to act quickly without verifying the message's authenticity. If the target clicks the "Claim Package" button to reschedule the delivery, they will be redirected to a phishing page to steal sensitive information.

Older, legacy email security tools struggle to accurately identify this email as an attack because it uses a spoofed sender name, is sent from a legitimate sender domain, and contains a phishing link hosted on a newly-created domain. Modern, AI-powered email security solutions detect the spoofed address, analyze the reputation and history of included links, and recognize the unknown sender to mark this email as an attack correctly.

Status Bar Dots
May6th Screenshot

Malicious email enticing recipient to sign up for a fake UPS service to gain access to credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sender Name Spoofing: The attacker uses a sender name that appears to be from a legitimate source (UPS), which can easily trick basic email filters that rely on simple sender information checks.
  • Legitimate Sender Domain: Although the sender's domain "@gmx[.]com" is not UPS, it's a well-known mail provider, which legacy tools might not blocklist.
  • Unclassified Domain Link: The link in the email points to a recently created domain, "sofaaa[.]shop", which may not be listed in threat databases that legacy systems query.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Advanced Spoof Detection: Abnormal uses complex algorithms that identify spoofed sender names and analyze patterns suggesting impersonation of well-known brands like UPS.
  • Reputation Analysis: The short domain age and unfamiliarity of “sofaaa[.]shop” as a linked domain can trigger suspicion in Abnormal’s system that constantly updates and checks reputational data.
  • Unknown Sender Consideration: The sender email “no-reply-plssaaz@gmx[.]com” is not recognized as a known contact by the recipient or within the organization, raising alerts based on sender unfamiliarity.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Maliciously Registered Domain
Spoofed Display Name
Masked Phishing Link


Fake Shipping Notification

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo