Device Code Phishing Campaign Hijacks Microsoft 365 Accounts Without Stealing Passwords

Attackers use device code phishing to hijack Microsoft 365 accounts via Cloudflare Workers, bypassing traditional credential theft methods entirely.


Attack Overview

Step 1: Phishing Email Impersonating a Business Contact

The attacker sends an email from a compromised business account inviting the target to review a project proposal.

  • Email sent from a real company domain with a years-long domain history
  • Subject line references a project proposal from eShipfinance to appear legitimate
  • Message includes a link to a fake "document portal" hosted on Cloudflare Workers

Step 2: Fake Document Portal Presents a Device Authentication Code

The target clicks the link and lands on a phishing page that displays a real Microsoft device authentication code.

  • Cloudflare Workers page mimics a document verification portal requiring identity confirmation
  • A real Microsoft device code generated by the attacker's backend is displayed prominently
  • The target is instructed to copy the code and continue to Microsoft to sign in

Step 3: Target Enters Code on Legitimate Microsoft Login Page

The target pastes the attacker-generated code into the real Microsoft device login page, granting the attacker account access.

  • The code is entered at microsoft[.]com/devicelogin, a legitimate Microsoft authentication endpoint
  • Because the code is tied to the attacker's OAuth session, Microsoft issues tokens to the attacker
  • The target is quietly redirected to adobe[.]com with no indication of compromise
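Because the code is redeemed on Microsoft's own endpoint, the compromise leaves a trace in the tenant's sign-in log rather than in the email. The following is an added example (not code from the page or from Abnormal) that scans constructed sign-in records, with field names modelled on the Microsoft Graph signIn resource, and flags device-code sign-ins that have no precedent in that user's own history.

```python
"""Flag device-code sign-ins that break a user's own history.

Field names follow the Microsoft Graph signIn schema (authenticationProtocol,
appDisplayName, ipAddress, location); the records themselves are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: Jane's normal browser sign-ins, Bob's routine CLI use,
# then a device-code sign-in for Jane from an app and country she never used.
SAMPLE_LOG = """
{"createdDateTime":"2025-03-01T08:02:11Z","userPrincipalName":"jane@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Outlook Web","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-02T09:15:40Z","userPrincipalName":"jane@example.com","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-03T14:30:05Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-03-10T16:47:22Z","userPrincipalName":"jane@example.com","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"192.0.2.44","location":{"countryOrRegion":"NL"}}
"""

def parse_events(text):
    """One JSON object per line, as exported sign-in logs are commonly stored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def build_baseline(events):
    """Per user: countries seen so far and apps already used via device code."""
    countries = defaultdict(set)
    device_code_apps = defaultdict(set)
    for e in events:
        user = e["userPrincipalName"]
        countries[user].add(e["location"]["countryOrRegion"])
        if e["authenticationProtocol"] == "deviceCode":
            device_code_apps[user].add(e["appDisplayName"])
    return countries, device_code_apps

def flag_device_code_signins(events):
    """Return an alert for each device-code sign-in lacking precedent for that user.

    Each event is judged only against the events before it, so a user's first
    device-code sign-in for an app, or one from a country the user has never
    signed in from, is flagged. (A production job would keep the baseline
    incrementally instead of rebuilding it per event.)
    """
    alerts = []
    for i, e in enumerate(events):
        if e["authenticationProtocol"] != "deviceCode":
            continue
        countries, dc_apps = build_baseline(events[:i])
        user = e["userPrincipalName"]
        reasons = []
        if e["appDisplayName"] not in dc_apps[user]:
            reasons.append("first device-code sign-in for this app")
        if e["location"]["countryOrRegion"] not in countries[user]:
            reasons.append("new country for user")
        if reasons:
            alerts.append({"user": user, "ip": e["ipAddress"],
                           "time": e["createdDateTime"], "reasons": reasons})
    return alerts
```

Bob's first device-code sign-in is flagged too, which is the intended behaviour: a device-code grant with no history for that user is worth a look before it is added to the baseline.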

How Does This Attack Bypass Traditional Email Defenses?

  • Sending accounts belong to real companies with established domain histories, earning high trust with email filters.
  • Phishing pages are hosted on Cloudflare Workers and authentication occurs on real Microsoft servers, leaving no malicious payload to detect.
  • Device code authentication bypasses traditional phishing detection because there is no fake login page or credential harvesting.

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

How Did Abnormal Detect This Attack?

  • Abnormal's Behavioral AI flagged never-before-seen senders and unusual email content as anomalies indicating a novel attack.
  • Abnormal's content analysis and natural language processing identified urgency and financial implications as threat indicators.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Attack Type: Credential Phishing

Vector: Link-based

Goal: Credential Theft

Theme: Bid Proposal, Fake Document

Impersonated Party: External Party - Vendor/Supplier
