Armorblox is now part of Cisco

Threat Research | 8 min read

American Express: This is a Secure Message from your Attacker


Lauryn Cash
Lauryn Cash

This blog examines a credential phishing attack, which impersonated the brand American Express. The email attack looked like a notification email from American Express, with a link that took victims to a malicious landing page that exfiltrated sensitive PII information.

American Express Credential Phishing Attack

In today’s Blox Tale, we will look into a credential phishing attack that took advantage of a global brand’s reputation and targeted unsuspecting victims of an international nonprofit organization. Attackers took advantage of the loyalty and trust victims have in the brand, American Express, in an attempt to steal confidential information.

The email attack spoofed American Express, a multinational credit card service company. The email attack looked like a legitimate notification email from American Express, that included an attachment informing recipients that an account verification was mandatory; otherwise, the account would be suspended. The main link, within the email attachment message, navigated to a fake American Express-branded landing page that prompted victims to sign in to verify the account.


Mailboxes: More than 16,000 mailboxes

Target: This email attack targeted an international nonprofit organization

Email security bypassed: Google Workspace

Techniques used: social engineering, brand impersonation, spoofed landing page, malicious URL within attachment

The Email

The subject of this email attack read: “Important Notification About Your Account”, creating a sense of urgency within the victim that this email is important and should be opened immediately. Once opened, the email looked like a legitimate email communication from American Express, with the information within the email body including directions on how best to view the secure, encrypted message attached.


Fig 1: Credential phishing email spoofing American Express Brand

The victims of this targeted email attack were prompted to open the attachment in order to view the secure message. Upon opening the attachment, victims were greeted with a message announcing additional verification requirements for the associated account. Urgency was instilled within the victims through the inclusion of the language, “This is your last chance to confirm it before we suspend it”, and a prompt for victims to complete a one-time verification process that was needed as part of a global update from the American Express team.

Fig 2: Malicious email attachment detected by Armorblox NLU and ML models

The language used within this attachment evoked a sense of trust in the victim, with the inclusion of the American Express logo in the top left and a signature that made the message seem to have come from the American Express Customer Service Team.

The Phishing Page

When victims clicked the button within the attached message, they were taken to a fake landing page that looked like an American Express login page. Victims were prompted to log in to his or her American Express account, with User ID and Password credentials.


Fig 3: Spoofed American Express landing page aimed to exfiltrate PII data

Attackers took effort to make this fake landing page look like a legitimate American Express login page. Above we see attackers included the American Express logo and additional navigation links to make it look like this landing page was part of the greater American Express website. Attackers gave victims options to retrieve forgotten login credentials and the landing page even included an ad encouraging the download of the American Express App that mirrored the American Express branding.

Attack Flow

This email attack impersonated a well-known brand, with the intention to create a sense of trust in the victim. Attackers included legitimate logos and company branding across the malicious email and fake landing page, in order to exfiltrate the victims’ sensitive PII data. The socially engineered email was carefully constructed so the victim's curiosity and trust were leveraged, with the goal of exfiltrating sensitive data.


Fig 4: Credential phishing attack flow

The Power of Armorblox

The email attack bypassed native Google Workspace email security controls because it passed both DKIM and SPF email authentication.

Attackers used a valid domain to send this malicious email, with the goal to exfiltrate sensitive PII data. The sender domain received a reputation score of trustworthy and global threat history of zero security events. Google marked this email as safe, which would have delivered it to more than 16,000 users’ mailboxes if it weren’t for Armorblox stopping this attack. Fortunately these end users are protected by Armorblox, who accurately detected this email attack that contained a malicious attachment. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks. Armorblox Global ML models detected that the sender of this email was the same as other detected threats that Armorblox stopped, preventing this email attack from ever being delivered to end user mailboxes.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a well-known brand (American Express) and a sense of urgency through the language used within both the email and the fake landing page. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email and fake landing pages included branding similar to legitimate American Express branding found across communications and the website. The information included within the body of the email attack is similar to legitimate notification email communications, plus the logos used within both the email and landing page are the same in order to try and trick the victim and instill trust.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software like LastPass or 1password to store your account passwords.

Learn how Armorblox protects your organization from phishing attacks.

Take Product Tour

Experience the Armorblox Difference

Get a Demo