In this credential phishing attack, the attacker sends a malicious message designed to appear as a Microsoft Teams voicemail notification. Using a free email account created on Web[.]de, a German email service provider, and a sender display name of “Call Service,” the threat actor informs the target that they have a new voice message. The email, which the attacker has crafted to strongly resemble legitimate communications from Microsoft, includes a QR code that the sender claims the recipient can scan to listen to the voicemail. However, if the target interacts with the QR code, they will likely be taken to a credential phishing website where sensitive information, including login details, is at risk of being stolen.

Older, legacy email security tools struggle to properly identify this email as an attack because it lacks malicious links, includes a QR code, and is sent from a new sender domain. Modern, AI-powered email security solutions detect the use of social engineering, analyze the unknown sender, and spot the malicious QR code to correctly flag this email as an attack.

Status Bar Dots
AL Microsoft VM Impersonation Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Links: The email does not contain any links, which are often a key indicator for legacy security tools to flag an email as potentially malicious. Instead, the attacker uses a QR code, which leads to a credential phishing site.
  • QR Code Usage: The email instructs the recipient to scan a QR code to listen to the supposed voice message. This is a relatively new tactic in phishing attacks and may not be something that legacy security tools are equipped to handle.
  • New Sender Domain: The email comes from a new and unknown sender domain. Traditional security tools often rely on reputation-based systems, flagging emails from domains known to have sent malicious content in the past. A new or unknown domain wouldn't have a negative reputation, allowing the email to bypass these checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Social Engineering Detection: Abnormal detects sophisticated social engineering tactics. It can identify the deceptive practices used in the email, such as mimicking a common notification format and creating a sense of urgency.
  • Unknown Sender Analysis: Abnormal analyzes the behavior of the sender, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
  • QR Code Analysis: Abnormal analyzes the QR code included in the email for potential threats, providing a level of protection beyond what legacy systems offer.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Display Name
Masked Phishing Link


Fake Voicemail

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo