In this credential phishing attack, the threat actor impersonates an account executive at The Omni Agency, a small insurance services provider, and emails an executive at a global specialty insurance distributor using either a compromised account or a convincingly spoofed address.

The email claims the sender is using an encrypted email service to protect confidentiality and that the recipient must click the provided link to “unlock” the message. The link is to a Dynamics 365 Customer Voice survey which the attacker has formatted to appear as a notification that the target has received two PDFs to review, along with another link to view the documents. If the target clicks the link embedded in the form, they are redirected to a phishing page designed to look like a Microsoft login screen. This website could potentially download malware onto the recipient's device, steal sensitive information, or lead to other harmful outcomes.

Older, legacy email security tools struggle to correctly identify this email as an attack because it is sent from a trusted domain, lacks obviously malicious payloads, and contains no clear indicators of phishing. Modern, AI-powered email security solutions identify the suspiciously named attachment, analyze the link, and conduct contextual analysis to accurately flag this email as an attack.

Status Bar Dots
Dynamics 365 Customer Voice Phishing Attack Email E
Status Bar Dots
Dynamics 365 Customer Voice Phishing Attack Customer Voice

The attacker used a Dynamics 365 Customer Voice survey to embed a malicious link to a fake Microsoft login page.

Status Bar Dots
Dynamics 365 Customer Voice Phishing Attack Fake Microsoft Login

This fake login page is designed to steal login credentials.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Domain Reputation: The email is sent from a domain that was registered 13 years ago. Legacy systems often trust older domains and do not flag them as malicious, which attackers can exploit.
  • Legitimate URL: The link included in the email is a Microsoft Dynamics 365 Customer Voice link and is hosted on microsoft[.]com. Legacy solutions may not flag the link as suspicious since the domain is trusted.
  • Absence of Obvious Phishing Indicators: The email does not contain obvious phishing indicators such as requests for personal information or urgent calls to action, which are often used by legacy systems to flag potential phishing emails.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Attachment: The email contains an attachment with a suspicious name (NEW PDF DOCUMENT RECEIVED .png). Abnormal's system can identify this as a potential threat, even if the file type is not typically associated with malware.
  • Link Analysis: Abnormal analyzes all links included in an email and can analyze them for potential threats, even if none are flagged by traditional URL blacklists.
  • Contextual Analysis: Abnormal can understand the context of the email content. The narrative about using an encrypted email service to justify the presence of a link is a common tactic used in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


External Compromised Account
Masked Phishing Link


Secure Message

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo