This likely AI-generated, payload-based malware delivery attack impersonates Microsoft. The attacker sends from “oleg@svoy[.]es,” an address on a legitimate domain used as a mask, and labels the sender “Mail Delivery Service,” a generic but authentic-sounding name. The email itself is minimal and informs the recipient that one of their contacts has shared a file with them. To increase the appearance of authenticity, the attacker includes a note detailing Microsoft's commitment to user security and privacy. The HTML attachment at the bottom of the email is malware that, if interacted with, will likely infect the recipient’s computer and put sensitive information at risk.

Legacy security tools struggle to identify this email as an attack because of the absence of links in the email body, the attachment type, and the lack of DMARC failure detection. Modern, AI-powered security tools identify the unknown sender domain, the suspicious attachment, and mismatched sender information to correctly flag this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Body Links: The body of the email does not contain any links. Legacy systems often scan for malicious links, but in this case, there are none to detect.
  • Attachment Type: The email contains an HTML attachment, which is a standard file type and may not raise suspicion in legacy systems.
  • DMARC Failure Not Detected: This message fails the DMARC status check, which can indicate a spoofed email. However, not all legacy systems check DMARC status, so this could be overlooked.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Domain: Abnormal flags that the domain used to send this email is an unknown domain that the company has never sent messages to in the past. This is a strong sign that the message may not be from a safe source.
  • Suspicious Attachment: The email contains an HTML attachment named “due-payment[.]html.” Abnormal detects that this could potentially contain malicious code.
  • Mismatched Sender Information: The sender’s email does not match the sender's information in the body of the email. The email is from “oleg@svoy[.]es,” but the body of the email is signed by “Microsoft.” Abnormal identifies this discrepancy as a sign of a spoofed email.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
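
The indicators listed above can be illustrated with a simple rule-based triage over a raw message. This is an added example, not Abnormal's detection logic and not code from the original page; the sample message, the placeholder sender domain `unknown-sender.example`, the `triage` function, and the known-domain and brand-domain tables are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample message modelled on the indicators described above (placeholder domains).
SAMPLE_EML = """\
Authentication-Results: mx.example.com; dmarc=fail header.from=unknown-sender.example
From: Mail Delivery Service <oleg@unknown-sender.example>
Subject: A file has been shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

One of your contacts has shared a file with you.
Microsoft respects your privacy and security.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="due-payment.html"

<html><body>constructed placeholder</body></html>
--b1--
"""

# Assumed inputs: domains the organisation has corresponded with, and brand -> real sending domains.
KNOWN_DOMAINS = {"example.com", "microsoft.com"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}

def triage(raw, known=KNOWN_DOMAINS, brands=BRAND_DOMAINS):
    """Return the indicators from the write-up that this message trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    if domain not in known:  # never-seen sender domain
        findings.append("unknown_sender_domain")
    for part in msg.iter_attachments():  # HTML delivered as an attachment
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            findings.append("html_attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    for brand, domains in brands.items():  # body claims a brand the sender domain does not belong to
        if re.search(rf"\b{re.escape(brand)}\b", text) and domain not in domains:
            findings.append("brand_sender_mismatch")
    if re.search(r"\bdmarc=fail\b", str(msg.get("Authentication-Results", "")), re.I):
        findings.append("dmarc_fail")  # result recorded by the receiving server
    return findings
```

Calling `triage(SAMPLE_EML)` returns all four indicators; the absence of body links, which the write-up notes as the reason link scanners miss this message, plays no part in any of the checks.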

Analysis Overview

  • Vector: Payload-based
  • Goal: Malware Delivery
  • Tactic: Fake Attachment, Spoofed Email Address
  • Theme: Fake Document
  • Impersonated Party: Brand
  • Impersonated Brands: Microsoft
  • AI Generated: Likely
