In this multi-layered credential phishing attack, the threat actor impersonates a systems administrator at the recipient’s employer and informs the target of needed approvals to permits to prevent service interruption. The short email includes a PNG attachment featuring a Microsoft-branded QR code, which leads to a fake Microsoft landing page where sensitive information is at risk should the recipient engage.

The attacker spoofs a legitimate, four-year-old domain, “,” and names it something similar to what a real administrator would use. To increase perceived authenticity, the attacker also utilizes a Microsoft feature that creates a backup domain as the reply-to address, “,” which at first glance could be mistaken for genuine communications from Microsoft. 

Legacy email security tools can’t correctly identify this email as an attack because of the spoofed email address, attachment type, and unusual sender and reply-to addresses. On the other hand, modern, AI-powered email security solutions analyze the attachment, domain reputation, and content to flag this email as an attack accurately. 

Status Bar Dots
Sep15 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to come from the legitimate email address "," which could bypass legacy security tools that only check for known malicious email addresses.
  • Attachment Type: The email contains a PNG attachment. Legacy security tools may not thoroughly scan image files for malicious content, as they are often considered safe.
  • Unusual Sender and Reply-To: The email has an unusual sender and reply-to address. Legacy security tools may not consider these factors when determining the legitimacy of an email.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal's AI analyzes all types of attachments, including image files. The presence of an image file with a suspicious name contributed to the detection of this attack.
  • Domain Reputation Analysis: Abnormal's AI identifies that the email was sent from an unknown domain, "," that the company has never received messages from in the past. This is a strong signal of a potential attack.
  • Content Analysis: Abnormal's AI uses natural language processing to analyze the content of the email. The warning message, spelling errors, and the unusual sender and reply-to addresses are all signs of an attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Content Obfuscation via Image


Security Update

Impersonated Party

Internal System

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo