This cleverly designed credential phishing attack impersonates Spotify, informing the recipient of a problem with the payment method on their Spotify Premium account. The email uses official-sounding language to create a sense of urgency and includes a link where the recipient can supposedly update their payment details. To increase legitimacy, the link leads to a fake landing page that mimics Spotify's login page. The sender's display name is "Spotify," and the subject line includes an official-sounding "Case ID," similar to authentic customer support messages. Together, these elements increase the risk that the email is mistaken for genuine Spotify communication, and a recipient who enters their credentials on the landing page hands them directly to the attacker.

Older, legacy security tools have difficulty flagging this email as an attack because of the spoofed display name, the lack of attachments, and the social engineering techniques used. Modern, AI-powered email security solutions look at the unknown sender domain, the mismatch between the sender's display name and actual address, and the phishing links in the body to accurately identify the email as an attack.


The malicious link from the email leads to a fake Spotify login page where sensitive information is at risk if entered.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Sender: The display name reads "Spotify," but the email actually comes from the domain "serwismeteo[.]pl," which is not associated with Spotify. Because the message is sent from that domain rather than from a forged spotify.com address, sender authentication checks (SPF, DKIM, DMARC) evaluate the real sending domain and say nothing about the display name, so traditional security tools may not detect the discrepancy.
  • Lack of Attachments: The email does not contain any attachments, often a focus of traditional security tools looking for malicious files.
  • Social Engineering: The email uses social engineering techniques, including the urgency of losing Spotify Premium and the familiarity of using a well-known brand like Spotify, to trick the recipient into clicking the links. Traditional security tools often overlook these techniques.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Email: The address used to send this message is one the company has never received email from in the past. The absence of any prior history with this sender is a strong signal for Abnormal to flag the email as potentially malicious.
  • Mismatched Sender Information: The email comes from an address that does not match the content of the email. The content is about Spotify, but the sender's email is from “serwismeteo[.]pl,” which is not associated with Spotify. Abnormal detects this mismatch.
  • Phishing Links in Body: The email contains links that lead to potentially malicious websites. Abnormal checks the safety of these links and flags them as potential threats.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
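The following script is an added example for this page, not Abnormal Security's detection code. It runs the three indicators from the detection section (unknown sender, brand mentioned but sending domain not the brand's, off-brand link) plus the urgency cue from the bypass section over two constructed messages. The brand allowlist, known-sender history and urgency phrase list are assumed; the first message is modelled on the email described above (display name "Spotify," sending domain serwismeteo[.]pl, a "Case ID" subject), with a placeholder local part, case number and link host, and the second is a constructed control message from the real brand domain.

```python
"""Toy detector for display-name brand impersonation with a phishing link.

Added example for this page; not Abnormal Security's code. The brand
allowlist, the known-sender history and both sample messages are constructed
here so the script runs offline.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands and the registered domains they legitimately send from
# (assumed allowlist for the example).
BRAND_DOMAINS = {"spotify": {"spotify.com"}}

# Addresses this organisation has received mail from before
# (constructed "sender history").
KNOWN_SENDERS = {"no-reply@spotify.com", "billing@vendor.example"}

# Pressure phrases typical of account-update lures (assumed list).
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended",
                   "lose your", "action required")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message modelled on the one described on this page. The local
# part, the case number and the link host are placeholders, not real values.
PHISH = """\
From: Spotify <support@serwismeteo.pl>
To: someone@victim.example
Subject: Case ID 000000 - Action required: Spotify Premium payment failed
Content-Type: text/plain; charset=utf-8

We could not process your payment method. Update it within 24 hours or
you will lose your Spotify Premium benefits:
https://spotify-billing.example/login
"""

# Constructed control message: real brand domain, previously seen sender.
LEGIT = """\
From: Spotify <no-reply@spotify.com>
To: someone@victim.example
Subject: Your receipt from Spotify
Content-Type: text/plain; charset=utf-8

Thanks for your payment. Manage your subscription at https://www.spotify.com/account/
"""


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels. A real deployment should use
    the Public Suffix List instead of this shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message, known_senders=KNOWN_SENDERS, brands=BRAND_DOMAINS):
    """Return the indicators found and a verdict for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rpartition("@")[2])
    body = body_text(msg)
    findings = []

    # 1. Unknown sender: no prior history with this address.
    if address.lower() not in {s.lower() for s in known_senders}:
        findings.append("unknown_sender")

    # 2. Mismatched sender: the display name, subject or body talks about a
    #    brand, but the sending domain is not one that brand uses.
    haystack = f"{display_name} {msg.get('Subject', '')} {body}".lower()
    brand = next((b for b in brands if b in haystack), None)
    if brand and sender_domain not in brands[brand]:
        findings.append("brand_domain_mismatch")

    # 3. Phishing links: a brand-themed message that links off-brand.
    urls = URL_RE.findall(body)
    if brand and any(registered_domain(urlparse(u).hostname or "") not in brands[brand]
                     for u in urls):
        findings.append("offbrand_link")

    # 4. Social-engineering pressure language (supporting evidence only).
    if any(p in haystack for p in URGENCY_PHRASES):
        findings.append("urgency_language")

    # Verdict: brand impersonation plus a link to act on it is treated as
    # phishing; the other indicators raise confidence but do not decide alone.
    verdict = "phishing" if {"brand_domain_mismatch", "offbrand_link"} <= set(findings) else "clean"
    return {"verdict": verdict, "findings": findings, "sender_domain": sender_domain,
            "brand": brand, "urls": urls}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The control message matters as much as the phishing one: it mentions Spotify and contains a link, yet produces no findings, because both the sending domain and the link domain belong to the brand. The unknown-sender and urgency checks deliberately do not decide the verdict on their own, since a genuine new vendor or a real overdue-payment notice would trip them too.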

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based

Goal: Credential Theft

Tactic: Spoofed Display Name

Theme: Account Update

Impersonated Party: Brand

Impersonated Brands: Spotify
