In this likely AI-generated malware attack, a threat actor impersonates health food brand Juice From the RAW and contacts the Director of Technology at an Idaho-based school. To appear legitimate, the attacker uses the spoofed email “sales@russellvilleschools.onmicrosoft[.]com,” which references a different school district. The email claims to confirm a request for home services and informs the target that a payment for said services in the amount of $1,500 has been received. Attached to the email is a file the recipient would presumably believe is related to the referenced transaction. However, in reality, the attachment is a malicious file, which, if opened, is likely to infect the target’s computer with malware.

Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a seemingly legitimate email address, employs sophisticated social engineering techniques and lacks malicious links in the body of the email. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious attachments, and recognize the questionable reputation of the sending domain to correctly mark this email as an attack.

Malicious email sent from spoofed address that uses social engineering tactics to trick targets into providing sensitive information.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a legitimate email address, “sales@russellvilleschools.onmicrosoft[.]com,” to impersonate Juice From the RAW, bypassing basic sender verification checks.
  • Social Engineering Tactic: The email discusses a supposed payment and attaches a malicious file posing as an invoice, creating a sense of urgency that prompts the recipient to open the attachment without careful scrutiny.
  • No Malicious Links in Body: The email does not include suspicious links that can be detected by legacy tools; instead, an attachment is used to deliver the payload.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient before. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions. 
  • Suspicious Attachment: The presence of an HTML attachment triggers Abnormal’s automated systems to scrutinize and flag the email for potential malicious content designed to compromise the recipient’s system.
  • Reputation Analysis: The suspicious nature of the sending domain “russellvilleschools.onmicrosoft[.]com” and the mismatch with the purported sender (Juice From the RAW) raise red flags during reputation checks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Malware Delivery


Fake Attachment
Spoofed Email Address
Spoofed Display Name


Fake Invoice
Fake Payment

Impersonated Party


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo