Phishing Attack Exploits OAuth Error Handling to Silently Redirect Targets

Attackers abuse Microsoft OAuth error handling to silently redirect e-signature phishing targets to malicious sites without triggering consent screens.


Attack Overview

Step 1: Attacker Sends Phishing Email Disguised as E-Signature Request

The target receives an email impersonating an internal e-signature portal, urging them to sign a salary compensation document.

  • Email appears to be from “Internal-Esignature-Portal” with a reply-to address at an external domain
  • References “Salary compensation 2026-February.pdf” and cites People Operations as the requester
  • Creates urgency with a due date and includes a “Review sign” call-to-action button

Step 2: Crafted OAuth URL Routes Target Through Legitimate Microsoft Domain

Clicking the link directs the target to a legitimate Microsoft login URL that processes a deliberately malformed OAuth request.

  • The URL points to login.microsoftonline[.]com, making it appear trustworthy to both users and security tools
  • Uses the prompt=none parameter to silently skip the OAuth consent screen entirely
  • The redirect URI in the OAuth request points to an attacker-controlled domain hosting malicious content

Step 3: Microsoft Evaluates Request, Fails, and Redirects to Malicious Site

Microsoft’s OAuth system evaluates the request, encounters a forced error, and redirects the browser to the attacker’s registered URI.

  • No password is entered, no token is stolen, and no consent dialog is ever displayed
  • The target sees only a brief flash of the Microsoft URL before landing on the malicious site
  • The final destination hosts phishing pages or delivers a malicious file download to the target
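The defender-side counterpart of Steps 2 and 3 is a link-triage check that treats the redirect_uri, not the Microsoft hostname, as the real landing page: because a malformed request is still redirected back to the registered redirect_uri with an error, and prompt=none suppresses any login or consent screen, a Microsoft authorize URL whose redirect_uri leaves Microsoft for an unrecognized host is the combination worth flagging. The code below is an added example written for this article, not Abnormal AI's detection logic; the trusted-redirect allowlist, the finding codes and the sample URLs (docs-sign.example, the all-zero client_id) are constructed for illustration.

```python
"""
Triage an email link that points at a Microsoft OAuth authorize endpoint.
Added example for this article, not Abnormal AI's detection code. The
allowlist and sample URLs below are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Microsoft identity platform hosts that legitimately serve /authorize.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Hypothetical allowlist: redirect targets this organisation expects to see.
TRUSTED_REDIRECT_HOSTS = {"myapps.microsoft.com", "outlook.office.com"}


def _is_trusted(host: str, trusted: set) -> bool:
    """Exact match or subdomain of an allowlisted redirect host."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage_oauth_link(url: str, trusted=TRUSTED_REDIRECT_HOSTS) -> dict:
    """Return {'is_ms_authorize', 'risk', 'redirect_host', 'findings'}.

    risk is 'none' for non-authorize URLs, otherwise 'low', 'medium' or 'high'.
    findings is a list of constructed codes explaining the rating.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []

    # Only Microsoft authorize endpoints are in scope for this check.
    if host not in MS_LOGIN_HOSTS or not parsed.path.rstrip("/").endswith("/authorize"):
        return {"is_ms_authorize": False, "risk": "none",
                "redirect_host": "", "findings": findings}

    # parse_qs percent-decodes, so an encoded redirect_uri becomes a plain URL.
    params = {k.lower(): v[0] for k, v in
              parse_qs(parsed.query, keep_blank_values=True).items()}
    prompt = params.get("prompt", "").lower()
    redirect_uri = params.get("redirect_uri", "")
    redirect = urlparse(redirect_uri)
    redirect_host = (redirect.hostname or "").lower()

    # prompt=none: Microsoft will neither show a login nor a consent dialog,
    # so the user never gets an interactive chance to notice the flow.
    if prompt == "none":
        findings.append("prompt_none")

    # Even a request Microsoft rejects is sent back to redirect_uri (with an
    # error), so the redirect host is where the browser actually ends up.
    if not redirect_host:
        findings.append("missing_redirect_uri")
    else:
        if redirect.scheme != "https":
            findings.append("redirect_not_https")
        if redirect_host not in MS_LOGIN_HOSTS and not _is_trusted(redirect_host, trusted):
            findings.append("untrusted_redirect_host")

    # Silent flow plus an unrecognized landing host is the pattern in the report.
    if "prompt_none" in findings and "untrusted_redirect_host" in findings:
        risk = "high"
    elif "untrusted_redirect_host" in findings:
        risk = "medium"
    else:
        risk = "low"

    return {"is_ms_authorize": True, "risk": risk,
            "redirect_host": redirect_host, "findings": findings}


# Constructed sample links (hosts and client_id are placeholders).
LURE_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
             "&redirect_uri=https%3A%2F%2Fdocs-sign.example%2Freview"
             "&prompt=none&scope=openid")
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F&scope=openid")

if __name__ == "__main__":
    for link in (LURE_LINK, BENIGN_LINK, "https://docs-sign.example/review"):
        print(triage_oauth_link(link))
```

The check deliberately does not try to decide whether the client_id is a known application: the report's point is that the request is expected to fail, so the rating rests on what happens after failure (the redirect target) and on the absence of any interactive step (prompt=none). Feeding it the decoded href of every authorize link in an inbound message gives a per-link rating that can be combined with sender and content signals.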

How Does This Attack Bypass Traditional Email Defenses?

  • The phishing link uses a legitimate Microsoft OAuth URL, making it appear trustworthy to URL-based detection systems.
  • The OAuth flow is designed to fail silently, so no consent dialog appears for identity controls to intercept.
  • No credentials or tokens are exchanged during the redirect, leaving no suspicious authentication activity to flag.

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

How Did Abnormal Detect This Attack?

  • Abnormal’s Behavioral AI flagged the never-before-seen sender and unusual email content as anomalies.
  • Content analysis and natural language processing identified urgency cues and financial implications in the message.
  • URL analysis detected anomalous link structures that deviated from established patterns of normal communication.

By learning what normal behavior looks like and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal AI's system may include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Attack Type: Credential Phishing

Vector: Link-based

Goal: Malware Delivery

Theme: Fake Document

Impersonated Party: Internal System
