In this credential phishing attack, a threat actor compromises the email account “admin@emperorsacademy[.]com,” then sends an email posing as UPS, with language and formatting that mimic authentic communications from the shipping provider. The email informs the target that the company is having difficulty verifying their shipping address and cannot dispatch their package unless the recipient confirms their address using the provided link. However, if the recipient clicks on the link, they will likely be redirected to a branding phishing page where sensitive information is at risk.

Older, legacy email security tools struggle to accurately detect this email as an attack because of the compromised sender, redirecting links, and lack of attachments. Modern, AI-powered email security solutions identify the unknown sender domain, inspect the destination of the embedded links, and analyze the content to flag this email as an attack correctly.

Status Bar Dots
Nov6 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Sender: The email comes from an address, “admin@emperorsacademy[.]com,” that is not associated with UPS—the company it's pretending to be. Legacy security tools may not have the capability to detect the compromise.
  • Redirecting Links: The email contains multiple links that redirect to different URLs and could potentially lead to malicious websites. Legacy security tools may not be able to analyze and flag such links.
  • Lack of Attachments: The email does not contain any attachments, often a focus of legacy security tools. By using embedded links instead of attachments, the attacker can bypass security checks related to malicious file detection.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Domain and Email: The domain and the email used to send this message are unknown to the company. Abnormal tracks and flags unknown domains and emails as potentially malicious.
  • Redirecting Links: The email contains multiple links that redirect to different URLs. Abnormal flags these links if they lead to malicious websites.
  • Content Analysis: The content of the email asks the recipient to re-enter their information and submit payment online—a common tactic used in phishing attacks. Abnormal analyzes the content of the email and detects such phishing attempts.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Branded Phishing Page


Fake Shipping Notification

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo