The Most Interesting Email Attacks We've Caught in 2024 (So Far)

Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
March 27, 2024

Every day the Abnormal platform detects and stops innumerable email attacks across our more than 2,000 customers. These malicious messages run the gamut from run-of-the-mill to staggeringly sophisticated, and it feels like the ones that fall into that latter category grow increasingly more impressive all the time.

To illustrate just how complex email threats have become in recent years, we’ve curated a list of five of the most interesting email attacks we’ve caught during the last few months.

Capital One Impersonator Creates Authentic-Looking Landing Page in Credential Phishing Attack

In this credential phishing attack, the threat actor attempted to take advantage of the fear related to the cyberattack that targeted Capital One customers in 2023. After spoofing an email account on the domain “idbuffet[.]com”, the attacker sent the target a notification that a hold had been placed on their bank account. To remove the hold, the recipient must review their account using the link embedded in the email. However, if the target clicked on the email, they were redirected to a phishing page.

Capital One Impersonator Email

Attempted credential theft featuring impersonation of Capital One

The perpetrator of this attack incorporated Capital One branding into every aspect of the credential phishing attempt. At a basic level, they changed the sender display name to “Capital One” and included “Capital One” in the subject line. But what made the attack impressive was the mimicry of the Capital One branding in the email itself and, in particular, the phishing page below, which was nearly indistinguishable from the real Capital One login page.

Capital One Impersonator Phishing Page

Phishing page designed to mimic legitimate Capital One login page

Malware Attack Features Impersonation of Attorney and Malicious Attachment Disguised as Subpoena

In this malware attack, the threat actor impersonated an attorney and sent the target a message regarding an ongoing court case. The only body content in the email was a short message requesting that the recipient view the attached document—purportedly a subpoena for documents. Unfortunately, the attachment was actually a malicious script that, if opened, would automatically download on the target’s computer and infect it with malware.

Malware Attack Impersonation Attorney Email

Malware attack in which threat actor posed as a real attorney

To increase the appearance of legitimacy, the attacker impersonated a real, practicing attorney at a Chicago-based firm that works with State Farm Insurance Companies. They also included the real email signature of the impersonated lawyer and used a sender display name of “Blake Jones” in an attempt to appear more authentic. Additionally, the threat actor spoofed the domain “gimnasiokaipore[.]com”, a legitimate domain that is nearly four years old, increasing the likelihood of the message bypassing legacy email security solutions.

Attacker Impersonates PayPal and Uses Spoofed Email on Legitimate Domain to Attempt Credential Theft

The threat actor in this credential phishing attack posed as PayPal and informed the target that due to a lack of response to a prior email regarding suspicious activity, their account had been limited. Included in the message were two links that the recipient could purportedly use to access the PayPal Resolution Center to fix the issue. But if the target clicked on either link and entered their login credentials, they were stolen by the attacker.

Pay Pal Impersonator Email

Credential phishing attack featuring impersonation of PayPal

To bolster credibility, the threat actor included the PayPal logo and attempted to mirror official communications from PayPal. The attacker also created an Outlook account with the username “service.epaiypal” and set the sender display name as “Service@intl[.]paypal[.]com”. Many mobile email clients do not show full email headers, which means if the target viewed the email on their mobile device, they only saw the misleading sender display name. Additionally, using an email address hosted on a legitimate domain reduced the likelihood of the message being flagged as suspicious.

Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud

The threat actor in this business email compromise attack hijacked an email thread between a vendor and a customer regarding an invoice payment. After inserting themselves into the conversation, the attacker first inquired about the date of the pending payment and then claimed the vendor’s usual bank account could not currently accept deposits. Once the target replied, the threat actor sent a nearly $900,000 fraudulent invoice along with the banking details for an alternate account to which the attacker requested the payment be sent. However, if the target transferred any funds to this new account, they would be stolen by the threat actor.

Compromised Vendor Payment Fraud Email

Business email compromise attack in which threat actor hijacked an existing thread

To deceive the target, the attacker utilized a look-alike domain that was remarkably similar to the vendor’s legitimate domain and even changed the addresses of the other parties from the impersonated company who were cc’d on the email to the look-alike domain. The threat actor also used a doctored version of a real invoice from the impersonated company to increase credibility and took the time to attach a Microsoft Excel spreadsheet with comprehensive wire transfer instructions.

Vendor Impersonation Attack Utilizes Salesforce Link in Attempt to Obtain Sensitive Information

In this credential phishing attack, the threat actor used a compromised email account to send a malicious file intended to steal sensitive information. After compromising the account of the Director of Operations at a contracting and construction service, the attacker sent the target an email with a Salesforce link embedded in the message, claiming it was a link to shared documents. But if the recipient clicked on the embedded link, an HTML file that is designed to steal sensitive information, including login credentials, would be automatically downloaded.

Vendor Impersonation Attack Salesforce Link Email

Vendor email compromise attack leveraging Salesforce link

The attacker most likely registered for a free trial of Salesforce, which allowed them to access the platform and create the link. And because the attacker used a legitimate email account that had been compromised, the target would have no reason to believe the sender was anyone other than who they claimed to be. The combination of genuine Salesforce links and the real email account increases the likelihood the target will believe the email and its contents are safe and click on the malicious link.

Get Even More Insight into Emerging Attacks

A little over 18 months ago, we launched Abnormal Intelligence—a research and data hub focused on providing insight into new and emerging cyber threats. Abnormal Intelligence is the home to our Attack Library, which is a list of some of the most unique and interesting attacks uncovered by Abnormal.

The Attack Library is updated several times a week, so we invite you to visit Abnormal Intelligence regularly to discover new threats, see the latest tactics, and ensure you’re prepared with the information you need to better protect your organization.

The Most Interesting Email Attacks We've Caught in 2024 (So Far)

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More