In this multi-stage vishing attack, the threat actor impersonates the streaming service Peacock and uses likely AI-generated content to email the target a notification that their new monthly subscription will be activated within 24 hours. The message details the automatic renewal of the subscription and prompts the recipient to check an attached invoice for further information. The invoice is personalized with the target’s name and email address and includes a customer support number the recipient is invited to call with any questions. The goal of the email is to convince the target they have an unauthorized pending charge so that they will call the fake number on the invoice to cancel the subscription. Should they call, the threat actor will initiate the second stage of the attack, which is designed to convince the target to reveal sensitive information or unknowingly download malware.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a legitimate-looking email address, lacks malicious links, and employs social engineering tactics. Modern, AI-powered email security solutions detect anomalies in the content, recognize the unknown sender, and flag the suspicious attachment to correctly mark this email as an attack.

Status Bar Dots
AI Peacock Impersonator Fake Subscription Email E

Malicious email informing target of subscription confirmation

Status Bar Dots
AI Peacock Impersonator Fake Subscription Invoice E

Personalized fraudulent invoice for pending charge

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address: The email comes from a seemingly innocuous AOL address, which may not be flagged as suspicious by basic email filters.
  • Absence of Malicious Links: The email does not contain suspicious links in the body, which helps it avoid detection by link-scanning mechanisms in legacy security tools.
  • Social Engineering Tactics: The claim of an impending subscription activation and automatic renewal creates a sense of urgency that prompts immediate recipient action, which can bypass routine spam filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: The email’s urgent message about an impending subscription activation and renewal is flagged by Abnormal’s advanced content analysis algorithms as a phishing tactic.
  • Unknown Sender Consideration: Abnormal detects that the email is sent from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Suspicious Attachment: The presence of a PDF attachment labeled as an "invoice," which contains a fake customer care phone number, triggers Abnormal’s automated systems to scrutinize and flag the email for potential malicious content.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview


Credential Vishing




Credential Theft


Personalized Email Subject
Free Webmail Account


Fake Invoice
Fake Payment

Impersonated Party


Impersonated Brands


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo