Email is the most popular and convenient way for communication on the Internet. In recent years, a newly developed security threat, namely Advanced Persistent Threats (APTs), has caused losses to many organizations, even including Google. Email is one of the favored attack vector because it is cheap and easy to forge. Attackers usually send the email with the personal relevant information to attract victims to open malicious attachment. In contract to the traditional email attack, spam or warm, these target malicious emails (so called TME) is small in quantity and varies when the receiver is different. The TME sample is hard to collect due to the contained privacy information, so such research is barely discussed. In this paper, we try to discuss how to detect the mimicry malicious email (MME), which is the subset of TME. MME is the mimicking received email in victim’s mailbox to increase the chance for attacks. We observe that MME must has distinguishable attributes for attack so the machine learning can be applied to recognize the features as anomaly. We propose an anomaly detection scheme based on clustering to detect MME. In this work, we assume that MME should be far away from the centroid of the clusters which they belong to, instead, the normal emails are close to the centroid. Our scheme complement conventional clustering based anomaly detection when a few labeled MME samples are collected. Moreover, the accuracy of our scheme can be improved by user feedback, and Genetic Algorithm is applied to find the proper weighting among attributes to generate a new detection model. The detection accuracy of the adjusted model is compared to the classical supervised Naïve Bayes classification. The result shows our work has better performance than the method only employing classification method.