This credential phishing attack features an impersonation of Microsoft. Using a legitimate domain as a mask, the threat actor sends an email with an attached PNG file informing the target that their multi-factor authentication (MFA) is expiring and must be updated to continue using Microsoft 365 applications. The image includes a malicious link and QR code, which leads to a cleverly designed fake Microsoft 365 landing page. Branded to look similar to authentic M365 login websites, the target will likely have their credentials or other information stolen if they enter them into the fields on the phishing page. To increase legitimacy, the attacker ensures the target’s email address is already auto-filled on the landing page—another attempt at creating the illusion of an authentic Microsoft product. 

Older, legacy email security tools struggle to correctly identify this email as an attack because it contains a non-executable image file attachment, spoofs a legitimate email domain and uses social engineering techniques involving MFA authentication requirements to create a sense of urgency. Modern, AI-powered email security solutions analyze the attachments while detecting both the spoofing attempt and social engineering techniques used by the attacker to flag this email as an attack accurately.

Status Bar Dots
Dec13 Screenshot 1
Status Bar Dots
Dec13 Screenshot 2

This fake landing page is designed to look like a legitimate Microsoft 365 login page.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments: The email contains an image attachment, a file type not typically used to deliver malicious payloads. Legacy systems might not thoroughly scan such attachments, allowing potentially harmful content to bypass security checks.
  • Spoofing: The email appears to be from a known sender, “jsilver@vertesante[.]com,” which could trick legacy systems that rely on known contacts or allowlists.
  • Social Engineering: The email uses social engineering techniques, such as creating urgency. Legacy systems often struggle to detect such tactics.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal analyzes attachments more thoroughly than legacy systems. Even though the attachment is an image file, which is not typically associated with malicious payloads, Abnormal can still flag it as potentially suspicious because of the QR code.
  • Spoofing Detection: Abnormal detects spoofing attempts. While the email appears to be from a known sender, the system can identify signs of spoofing, such as discrepancies in the email header or unusual sender behavior.
  • Social Engineering Detection: Abnormal detects social engineering techniques, such as a manufactured sense of urgency. This can help identify phishing attempts or other forms of manipulation.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Security Update

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo