In this likely AI-generated phishing attack, the threat actor impersonates Spotify and emails the target a payment failure notification. Using a spoofed email address hosted on a parked domain, the attacker claims that the music streaming service was unable to process the target’s most recent payment for their subscription and that their account is at risk of service interruption. The recipient is instructed to log into their account using the provided link and update their payment information to ensure continued access. However, should the target click the embedded link, they will be redirected to a phishing site designed to steal sensitive information, such as login credentials or payment details. To increase the appearance of legitimacy, the attacker uses professional language and incorporates Spotify branding into the email. This social engineering tactic exploits common concerns about service continuity and leverages the trusted Spotify brand to manipulate the recipient into providing sensitive information. Additionally, instead of linking directly to the phishing site in the email, the embedded link is hosted on a non-malicious site and redirects to the phishing page, which helps it avoid detection by legacy systems.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a seemingly legitimate email address, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions detect anomalies in the content, recognize when sender addresses have been spoofed, and analyze the suspicious link to correctly mark this email as an attack.

Status Bar Dots
SCR 20240705 khjq

Malicious email sent from spoofed address that impersonates a trusted brand to trick targets into providing sensitive information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate email address, "projetos@minhacasaprefabricada[.]com", bypassing basic email verification checks and adding perceived authenticity.
  • Social Engineering Tactic: The claim that a recent payment attempt failed and the threat of service interruption creates a sense of urgency that prompts recipients to act without careful scrutiny.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal's content analysis algorithms flag the urgent message about a failed payment and the instruction to update payment information as a common phishing tactic.
  • Spoof Detection: The email is identified as being from a spoofed address, which, combined with the other factors, indicates high suspicion and triggers deeper scrutiny by Abnormal’s systems.
  • Suspicious Link Analysis: The presence of a link that leads to an unfamiliar domain "https://spity.multiscreensite[.]com" is scrutinized by Abnormal’s systems, triggering suspicion and deeper analysis for possible malicious intent.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Credential Theft


Spoofed Email Address
Spoofed Display Name
Masked Phishing Link


Account Update
Payment Inquiry

Impersonated Party


Impersonated Brands


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo