In this credential phishing attack, the threat actor takes advantage of a feature in Microsoft 365 Business to send a fake voicemail notification. When a user signs up for a Microsoft 365 Business subscription, they are assigned an email address with a domain that includes “onmicrosoft[.]com”—e.g. username@company.onmicrosoft[.]com. Owners of real businesses generally update the domain to simply username@company[.]com, but, as is the case here, threat actors will keep the address with “onmicrosoft[.]com” since it gives the impression the email is from Microsoft.

Using an email address containing “onmicrosoft[.]com”, the threat actor emails the target a message with an embedded image designed to look like a voicemail notification from Microsoft. The image links to a legitimate website, but the attacker leverages an open redirect: if the target clicks the “Listen to Voice Mail” button, they are first taken to the trusted site before the page quickly reloads to a phishing page. If the target doesn’t notice the redirect and enters their information on the phishing page, the attacker steals it.

Older, legacy email security tools struggle to accurately flag this email as an attack because it contains legitimate-looking Microsoft assets, uses no malicious payload associated with traditional attacks, and harnesses an authentic Microsoft domain. Modern, AI-powered email security solutions analyze the links, content, and unknown sender to correctly mark this email as an attack.

AL Microsoft Impersonator Open Redirect Phishing Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Sophisticated Impersonation Techniques: The attacker's use of a legitimate-looking Microsoft logo and the familiar context of a voicemail notification can easily fool legacy security tools that rely on simpler heuristic or signature-based detection methods. These tools may not be equipped to analyze the context or the subtle cues of impersonation in the content. 
  • Lack of Malicious Payload in the Email: Since the email itself does not contain a traditional malicious payload, such as a virus or malware in an attachment, it can bypass security tools that scan for known malicious file signatures. The attack leverages a deceptive link instead, which may not be flagged by systems that only scan email contents and attachments for threats. 
  • Use of a Legitimate Domain: The attacker utilizes a legitimate "onmicrosoft[.]com" domain to lend credibility to their phishing link, exploiting the trust in Microsoft's branding. This sophisticated technique bypasses traditional security measures that fail to flag the reputable domain as a threat.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Link Analysis: Abnormal analyzes the URL embedded in the "Listen to Voice Mail" button by evaluating the reputation of the linked domain and the content of the landing page to flag it as potentially malicious.
  • Content Analysis: Abnormal analyzes the email's content and context, including the use of the Microsoft logo and the specific call-to-action. This analysis helps detect phishing attempts that might not contain traditional malicious payloads but rely on deception to trick the target into taking action.
  • Unknown Sender Analysis: Abnormal identifies that the email was sent from an unknown domain that the company has never received messages from in the past. This is a strong signal of a potential attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
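
The signals described above (a sender on a default “onmicrosoft[.]com” domain, a sender domain never seen before, and a link whose query string carries a different destination host) can be expressed as static checks on a raw message. This is an added example, not Abnormal's detection logic; the function names, signal labels and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class LinkCollector(HTMLParser):
    """Collect href values from <a> tags, including anchors wrapped around images."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def redirect_targets(url):
    """Hosts carried in query parameters that differ from the host the link points at."""
    outer = urlsplit(url)
    found = []
    for _, value in parse_qsl(outer.query):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname not in (None, outer.hostname):
            found.append(inner.hostname)
    return found

def triage(raw_message, known_sender_domains):
    """Return the signals from the write-up that this message trips (hypothetical labels)."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signals = []
    if domain.endswith(".onmicrosoft.com"):
        signals.append("sender-uses-default-onmicrosoft-domain")
    if domain not in known_sender_domains:
        signals.append("sender-domain-never-seen")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href in collector.hrefs:
        for host in redirect_targets(href):
            signals.append(f"redirect:{urlsplit(href).hostname}->{host}")
    return signals

# Constructed sample message; every address and host here is a placeholder.
SAMPLE = (
    "From: Voice Mail <vm@tenant-example.onmicrosoft.com>\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://trusted.example/out?url=https%3A%2F%2Flogin.phish.example%2Fvm">'
    '<img src="cid:voicemail" alt="Listen to Voice Mail"></a>\n'
)
```

Calling `triage(SAMPLE, {"partner.example"})` returns all three signals. A redirect parameter by itself is common in legitimate mail, so the check is only meaningful in combination with the sender signals.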

Analysis Overview

Credential Theft

Spoofed Display Name
Masked Phishing Link

Fake Voicemail

Impersonated Party

Impersonated Brands
