This credential phishing attack features a clever impersonation of Microsoft’s OneDrive service. To begin, the attacker spoofs the sender email “no-reply@outlook[.]com,” the legitimate domain Microsoft uses when sending automated update emails to Outlook customers. The email content is an exact replica of a real notification Microsoft OneDrive users receive after they move a large number of files to the recycle bin and includes a button labeled “Go to OneDrive recycle bin,” purportedly linked to the target’s OneDrive account. If the recipient clicks the button to view the deleted files, they are taken to a fake OneDrive login page branded with their company’s logo and auto-populated with their email address. However, the attacker will steal any sensitive information entered into the page.

Older, legacy email security tools struggle to accurately identify this email as an attack because it uses sophisticated email spoofing techniques, lacks malicious attachments, and utilizes social engineering techniques to create a sense of urgency. Modern, AI-powered email security solutions analyze the links, context, and unknown sender to mark this email as an attack correctly.

Status Bar Dots
April 2nd Screenshot 1
Status Bar Dots
April 2nd Screenshot 2

The email links to a fake login page where sensitive information is at risk if entered.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Email Spoofing: The attacker spoofed the email address to appear as if it was coming from a legitimate source. Legacy security tools often rely on domain names and sender addresses to filter out malicious emails, which can be ineffective against well-crafted spoofing.
  • Lack of Malicious Attachments: Because the attack did not include any obviously malicious attachments (e.g., executables or scripts), it would not trigger security tools that scan for known malware signatures.
  • Social Engineering Techniques: The email's content was carefully crafted to avoid typical phishing indicators, instead using persuasive language that doesn't trigger keyword-based filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal performs real-time analysis of links contained in emails, including the hosting domain's reputation and the linked page's content, to identify phishing attempts.
  • Context Analysis: Abnormal can analyze the context and intent behind emails. This allows it to identify suspicious requests, such as clicking on a link to restore deleted files, even when the email uses trusted brand names to appear legitimate. 
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address
Masked Phishing Link


Security Update

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo