The attack impersonates the recipient’s company, attempting to trick them into scanning an attached barcode and following instructions to fix their account from unspecified problems. The attacker is hoping to gain login credentials from the recipient. The email body provides a step-by-step checklist of actions for the recipient to take and includes language about auto-generation to make the attack appear more legitimate.

Legacy email security tools have trouble detecting this as an attack because the spoofed sender is not immediately seen as malicious, the content of the email appears legitimate, and the attachments do not carry immediately-dangerous payloads. Modern, AI-powered security solutions analyze the content and attachment of the email and flag the unknown sender and domain, correctly identifying this as an attack.

Status Bar Dots
Aug 7 1
Status Bar Dots
Aug 7 2

The attacker attaches an image of a QR code to be used by the recipient for logging into their account.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Sender: The email appears to be sent from a legitimate email address (, which could bypass legacy security systems that only check for known malicious senders.
  • Legitimate-Looking Content: The email content is designed to look like a legitimate multi-factor authentication operation from the company, which could trick both users and basic email security systems.
  • Lack of Malicious Attachments: The email contains attachments with common file types which are not typically associated with malicious activity, allowing the email to bypass security checks that focus on executable or script file types.

How Did Abnormal Detect this Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender and Domain: The email is sent from a new sender and domain that the company has never received emails from before. Abnormal's AI detected this anomaly and flagged it as suspicious.
  • Suspicious Email Content: Abnormal’s AI analyzes the email content, looking for such suspicious behavior. It uses natural language processing (NLP) to understand the context and intent of the email. In this case, it recognized the pattern of a phishing attack disguised as a multi-factor authentication (MFA) operation and flag it as suspicious.
  • Attachment Analysis: Abnormal’s system analyzes the attachments for potential threats. It uses machine learning algorithms to scan the attachments and detect any hidden malicious code. In this case, even though the file types are common and seemingly harmless, the system still analyzed them and found the QR code leads to a malicious login page.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Masked Phishing Link


Security Update

Impersonated Party

Internal System

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo