The Most Interesting Email Attacks We've Caught in 2024 (So Far)
Every day the Abnormal platform detects and stops innumerable email attacks across our more than 2,000 customers. These malicious messages run the gamut from run-of-the-mill to staggeringly sophisticated, and it feels like the ones that fall into that latter category grow increasingly more impressive all the time.
To illustrate just how complex email threats have become in recent years, we’ve curated a list of five of the most interesting email attacks we’ve caught during the last few months.
Capital One Impersonator Creates Authentic-Looking Landing Page in Credential Phishing Attack
In this credential phishing attack, the threat actor attempted to take advantage of the fear related to the cyberattack that targeted Capital One customers in 2023. After spoofing an email account on the domain “idbuffet[.]com”, the attacker sent the target a notification that a hold had been placed on their bank account. To remove the hold, the recipient was instructed to review their account using the link embedded in the email. However, if the target clicked on that link, they were redirected to a phishing page.
The perpetrator of this attack incorporated Capital One branding into every aspect of the credential phishing attempt. At a basic level, they changed the sender display name to “Capital One” and included “Capital One” in the subject line. But what made the attack impressive was the mimicry of the Capital One branding in the email itself and, in particular, the phishing page below, which was nearly indistinguishable from the real Capital One login page.
Malware Attack Features Impersonation of Attorney and Malicious Attachment Disguised as Subpoena
In this malware attack, the threat actor impersonated an attorney and sent the target a message regarding an ongoing court case. The only body content in the email was a short message requesting that the recipient view the attached document—purportedly a subpoena for documents. Unfortunately, the attachment was actually a malicious script that, if opened, would automatically download malware onto the target’s computer and infect it.
To increase the appearance of legitimacy, the attacker impersonated a real, practicing attorney at a Chicago-based firm that works with State Farm Insurance Companies. They also included the real email signature of the impersonated lawyer and used a sender display name of “Blake Jones” in an attempt to appear more authentic. Additionally, the threat actor spoofed the domain “gimnasiokaipore[.]com”, a legitimate domain that is nearly four years old, increasing the likelihood of the message bypassing legacy email security solutions.
Attacker Impersonates PayPal and Uses Spoofed Email on Legitimate Domain to Attempt Credential Theft
The threat actor in this credential phishing attack posed as PayPal and informed the target that due to a lack of response to a prior email regarding suspicious activity, their account had been limited. Included in the message were two links that the recipient could purportedly use to access the PayPal Resolution Center to fix the issue. But if the target clicked on either link and entered their login credentials, they were stolen by the attacker.
To bolster credibility, the threat actor included the PayPal logo and attempted to mirror official communications from PayPal. The attacker also created an Outlook account with the username “service.epaiypal” and set the sender display name as “Service@intl[.]paypal[.]com”. Many mobile email clients do not show full email headers, which means if the target viewed the email on their mobile device, they only saw the misleading sender display name. Additionally, using an email address hosted on a legitimate domain reduced the likelihood of the message being flagged as suspicious.
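The display-name trick above is detectable because the spoofed address lives in the display name while the real mailbox is on a different domain. The following check is an added example, not code from Abnormal or the original post; the sample From headers and the brand-to-domain map are constructed, and the registrable-domain helper is a two-label approximation rather than a public-suffix lookup. It also covers the simpler "Capital One" display-name case from the first attack.

```python
import re
from email.utils import parseaddr

# Constructed sample headers modelled on the PayPal attack described above:
# an address-shaped display name in front of a real mailbox on outlook.com.
SAMPLE_FROM_HEADERS = [
    '"Service@intl.paypal.com" <service.epaiypal@outlook.com>',
    '"PayPal" <service@paypal.com>',
    '"Alice Example" <alice@example.com>',
]

# Assumed brand map: brand keyword -> domains that may legitimately send as it.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "capital one": {"capitalone.com"}}

EMAIL_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def registrable(domain):
    """Naive 'last two labels' approximation of the registrable domain (no PSL)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def sender_domain(from_header):
    """Registrable domain of the real address in a From header, or None."""
    _, addr = parseaddr(from_header)
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else None

def display_name_mismatch(from_header):
    """Return (claimed_domain, actual_domain) when the display name contains an
    email-like string whose domain differs from the real sender's, else None."""
    name, _ = parseaddr(from_header)
    actual = sender_domain(from_header)
    m = EMAIL_LIKE.search(name or "")
    if not m or actual is None:
        return None
    claimed = registrable(m.group(1))
    return None if claimed == actual else (claimed, actual)

def brand_from_foreign_domain(from_header, brand_domains=BRAND_DOMAINS):
    """Return the brands named in the display name whose domains do not include
    the actual sending domain (e.g. 'PayPal' sent from outlook.com), else None."""
    name, _ = parseaddr(from_header)
    actual = sender_domain(from_header)
    if actual is None:
        return None
    hits = [b for b, doms in brand_domains.items()
            if b in name.lower() and actual not in doms]
    return hits or None
```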
Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud
The threat actor in this business email compromise attack hijacked an email thread between a vendor and a customer regarding an invoice payment. After inserting themselves into the conversation, the attacker first inquired about the date of the pending payment and then claimed the vendor’s usual bank account could not currently accept deposits. Once the target replied, the threat actor sent a nearly $900,000 fraudulent invoice along with the banking details for an alternate account to which the attacker requested the payment be sent. However, if the target transferred any funds to this new account, they would be stolen by the threat actor.
To deceive the target, the attacker utilized a look-alike domain that was remarkably similar to the vendor’s legitimate domain and even changed the addresses of the other parties from the impersonated company who were cc’d on the email to the look-alike domain. The threat actor also used a doctored version of a real invoice from the impersonated company to increase credibility and took the time to attach a Microsoft Excel spreadsheet with comprehensive wire transfer instructions.
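Two signals stand out in the thread hijack above: a domain a few edits away from the vendor's real one, and cc'd colleagues who suddenly reappear on that new domain. This added example (not Abnormal's code) scores both against a known vendor domain and the participants seen earlier in the thread; the vendor domain, prior participants and suspect message are constructed.

```python
from email.utils import getaddresses

# Constructed sample: the vendor's real domain, the participants seen on the
# thread before the hijack, and the suspicious reply (note 'suppiy' vs 'supply').
KNOWN_DOMAINS = {"acme-supply.com"}
PRIOR_PARTICIPANTS = ["bob@acme-supply.com", "carol@acme-supply.com"]
SUSPECT_MSG = {
    "From": '"Dave Vendor" <dave@acme-suppiy.com>',
    "Cc": "bob@acme-suppiy.com, carol@acme-suppiy.com, buyer@customer.example",
}

def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike_domains(msg, known, max_dist=2):
    """Map each From/Cc domain that is within max_dist edits of a known domain
    (but not equal to it) to the legitimate domain it resembles."""
    addrs = [a for _, a in getaddresses([msg.get("From", ""), msg.get("Cc", "")])]
    found = {}
    for d in {domain_of(a) for a in addrs if "@" in a}:
        for k in known:
            if d != k and levenshtein(d, k) <= max_dist:
                found[d] = k
    return found

def rewritten_participants(msg, prior, lookalikes):
    """Addresses whose local part was previously seen on a legitimate domain and
    now appears on a look-alike domain: the cc-swap from the attack above."""
    prior_locals = {a.split("@")[0].lower(): domain_of(a) for a in prior}
    hits = []
    for _, a in getaddresses([msg.get("To", ""), msg.get("Cc", "")]):
        if "@" not in a:
            continue
        local, dom = a.split("@", 1)[0].lower(), domain_of(a)
        if dom in lookalikes and prior_locals.get(local) == lookalikes[dom]:
            hits.append(a)
    return hits
```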
Vendor Impersonation Attack Utilizes Salesforce Link in Attempt to Obtain Sensitive Information
In this credential phishing attack, the threat actor used a compromised email account to send a malicious file intended to steal sensitive information. After compromising the account of the Director of Operations at a contracting and construction service, the attacker sent the target an email with a Salesforce link embedded in the message, claiming it was a link to shared documents. But if the recipient clicked on the embedded link, an HTML file designed to steal sensitive information, including login credentials, would be automatically downloaded.
The attacker most likely registered for a free trial of Salesforce, which allowed them to access the platform and create the link. And because the attacker used a legitimate email account that had been compromised, the target would have no reason to believe the sender was anyone other than who they claimed to be. The combination of genuine Salesforce links and the real email account increases the likelihood the target will believe the email and its contents are safe and click on the malicious link.
Get Even More Insight into Emerging Attacks
A little over 18 months ago, we launched Abnormal Intelligence—a research and data hub focused on providing insight into new and emerging cyber threats. Abnormal Intelligence is the home to our Attack Library, which is a list of some of the most unique and interesting attacks uncovered by Abnormal.
The Attack Library is updated several times a week, so we invite you to visit Abnormal Intelligence regularly to discover new threats, see the latest tactics, and ensure you’re prepared with the information you need to better protect your organization.