This credential phishing attack features an impersonation of Microsoft. After spoofing the legitimate domain “epicinternational[.]com”, the threat actor changes the display name to “[Company Name] Portal Maintenance Automated Notification System” and sends the target a message designed to look like an automatic Microsoft 365 password expiration alert. Included in the email is a QR code, which the target can purportedly scan to access their account and update their password. To create a sense of urgency, the attacker claims the recipient’s password is set to expire in five days and that failure to reset their password will cause them to be locked out of their account. The message also claims the QR code will expire in 72 hours. If the recipient scans the QR code, they will be directed to a phishing page where sensitive information such as login credentials is at risk of being stolen.

Older, legacy email security tools struggle to adequately flag this email as an attack because it uses social engineering techniques, comes from an unknown sender, and contains a PNG attachment. Modern, AI-powered email security solutions analyze the attachments and unknown sender while detecting social engineering techniques to correctly mark this email as an attack.

Status Bar Dots
AL Microsoft Impersonator Malicious QR Code Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Social Engineering Techniques: The email is disguised as a password expiration notification for employees, a common tactic used to trick recipients into opening attachments or clicking links. Legacy security tools often struggle to detect such sophisticated social engineering tactics.
  • Unknown Sender: The email and domain used to send this message are unknown to the recipient's company. This can make it more difficult for traditional security solutions to identify the email as malicious if it relies on previous interactions with the sender.
  • Attachment Type: The email contains a PNG attachment embedded in the body of the email. Legacy security tools may not thoroughly scan image files for malicious content, as they are often considered safe.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal analyzes all types of attachments, including image files. In this case, one of the images contained a QR code leading to a credential phishing site.
  • Unknown Sender Analysis: Abnormal identifies that the email was sent from an unknown domain that the company has never received messages from in the past. This is a strong signal of a potential attack.
  • Social Engineering Detection: Abnormal detects sophisticated social engineering tactics. The impersonation of a password expiration notification for employees is a common phishing tactic and would have raised a red flag.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Personalized Email Subject
Spoofed Display Name
Masked Phishing Link


Password Expiration

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo