In this credential phishing attack, the threat actor compromises a genuine email account hosted on a legitimate domain and then sends the target a file-sharing notification. The body of the email is designed to look like a message from Microsoft OneDrive regarding a Microsoft Excel spreadsheet but, in reality, is an image the attacker embedded into the message. While the email body doesn’t include context about the contents of the file, the subject line (“Notice Of Automated Payment”) implies the spreadsheet is related to financial matters. However, if the target clicks on the image to view the file, they will be directed to a credential phishing website where sensitive information is at risk of being stolen.

Older, legacy email security tools struggle to accurately flag this email as an attack because it comes from an established domain, uses social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security tools analyze the links, detect the use of social engineering, and flag the unknown domain to correctly mark this email as an attack.

Status Bar Dots
AL Compromised Email Microsoft One Drive Phishing Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Domain Reputation: The email is sent from a domain that was registered nine years ago. Legacy systems often trust older domains and do not flag them as malicious—a flaw attackers can exploit.
  • Social Engineering: The email uses social engineering techniques, a strategy that legacy systems often struggle to detect.
  • Lack of Malicious Attachments: The email contains an attachment, but it's an image file, which is typically considered safe. Legacy systems might not thoroughly scan such files for hidden threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the links included in the attachment. While the link may not already be flagged as dangerous in a database, Abnormal detects other potentially malicious elements.
  • Social Engineering Detection: Abnormal detects social engineering techniques, such as a manufactured sense of urgency, and flags emails with these tactics as malicious.
  • Unknown Sender Domain: Abnormal flags that the domain used to send this email is an unknown domain that the company has never sent messages to in the past. This is a strong sign that the message may not be from a safe source.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Fake Attachment
External Compromised Account
Masked Phishing Link


Fake Document
Fake Payment

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo