This dual credential vishing and fake billing scam features an impersonation of the streaming service Disney+. Using colors and imagery designed to imitate Disney+ branding, the attack appears to be an automated account update from Disney, informing the target of a new Disney+ subscription. The attacker utilizes the domain “mail[.]tv-disney[.]com” to send the attack, which at first glance appears similar to an authentic Disney domain. An attached PDF includes fake subscription information, including the price, invoice number, and payment method, and also includes a fake customer service phone number. The attacker’s goal is to create a sense of urgency and entice the target to call the phone number to inquire about the subscription. From there, sensitive information, such as banking details or login credentials, can be stolen. 

Older, legacy security tools struggle to accurately identify this email as an attack because it uses a new domain and contains neither malicious attachments nor any content that would immediately trigger traditional spam filters. Modern, AI-powered email security solutions analyze the domain age and attachments and detect the unknown sender to correctly flag this email as an attack.

Status Bar Dots
Attack Library Disney Visher Email
Status Bar Dots
Attack Library Disney Visher Invoice

The attacker uses personalized fraudulent invoices to increase the appearance of legitimacy.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments: The email contains a PDF attachment, which is a common file type and not inherently malicious. Legacy security tools often focus on detecting malicious file types or executable files, so they may not flag this email as suspicious.
  • No Obvious Malicious Content: The email does not contain any obviously malicious content or language. It is crafted to look like a legitimate communication from Disney about a subscription payment, allowing it to bypass legacy solutions.
  • New Domain: The sender's domain is five months old and relatively new, which is a common characteristic of domains used for phishing attacks. However, legacy security tools may not take the age of the domain into account when assessing the email's risk.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age Analysis: Abnormal analyzes the account age of the sender's domain. In this case, the domain is only five months old, which is a common characteristic of domains used for phishing attacks.
  • Attachment Analysis: Abnormal analyzes attachments more thoroughly than legacy systems. Even though the attachment is a PDF file, which is not typically associated with malicious payloads, Abnormal can still flag it as potentially suspicious.
  • Unknown Sender: The email is sent from an unknown domain and email address that the recipient's company has never received messages from before. Abnormal tracks sender information and can flag emails from previously unknown senders.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud
Credential Theft


Personalized Email Subject
Maliciously Registered Domain


Fake Invoice

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo