Tycoon 2FA Voicemail Phishing Attack Bypasses MFA Using Adversary-in-the-Middle Proxy

A fake voicemail notification leads targets through a CAPTCHA to a spoofed Microsoft 365 login page that steals credentials and session cookies via AiTM.
Attack Overview

Step 1: Target Receives Fake Voicemail Notification Email

The attacker sends a fraudulent voicemail notification email designed to lure the recipient into clicking a link.

  • Email mimics a voicemail alert with recipient, date/time, duration, and transcript fields
  • A prominent “Play Audio” button serves as the primary call to action
  • The voicemail transcript is listed as unavailable, compelling the target to click

Step 2: Target Completes Fake CAPTCHA Verification

After clicking the link, the target is directed to a fake CAPTCHA page that filters out automated security tools.

  • Multi-step CAPTCHA includes “Human access check” and “Finish Check” prompts
  • The CAPTCHA blocks automated URL crawlers and security sandbox analysis
  • Browser fingerprinting identifies and blocks security tools before serving malicious content

Step 3: Credentials and Session Cookies Harvested via Spoofed Microsoft 365 Login

The target is presented with a spoofed Microsoft 365 login page that captures credentials and session cookies in real time.

  • Tycoon 2FA uses an Adversary-in-the-Middle reverse proxy to intercept authentication data
  • Captured session cookies allow attackers to replay sessions and bypass MFA entirely
  • Attackers gain full access to the target’s account even with MFA protections enabled
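The session-cookie replay in Step 3 is the stage where identity sign-in logs, rather than the email itself, offer a detection opportunity. The following is an added illustrative example, not Abnormal's or Tycoon 2FA's code: it runs two checks over constructed sign-in records (field names are assumptions loosely modelled on cloud identity-provider sign-in logs). It flags a session ID that reappears from a different IP or ASN shortly after the MFA-satisfied sign-in that issued it, and interactive sign-ins from an ASN outside the user's baseline, since in an AiTM flow the proxy, not the victim, is the address the identity provider records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, not real logs. Field names are an
# assumption loosely modelled on cloud identity-provider sign-in logs.
SIGNINS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "session_id": "S1", "interactive": True, "mfa": True},
    {"ts": "2024-05-01T09:04:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "asn": "AS64511", "session_id": "S1", "interactive": False, "mfa": False},
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com", "ip": "192.0.2.5",
     "asn": "AS64496", "session_id": "S2", "interactive": True, "mfa": True},
    {"ts": "2024-05-01T10:30:00", "user": "bob@example.com", "ip": "192.0.2.5",
     "asn": "AS64496", "session_id": "S2", "interactive": False, "mfa": False},
]

# Constructed per-user baseline of ASNs observed in prior weeks.
BASELINE = {"alice@example.com": {"AS64496"}, "bob@example.com": {"AS64496"}}


def find_session_replay(records, window=timedelta(hours=1)):
    """Return (user, session_id) for sessions reused from a different IP or ASN
    within `window` of the MFA-satisfied interactive sign-in that issued them.
    This is the footprint of a stolen cookie being imported into another browser."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_session[r["session_id"]].append(r)
    alerts = []
    for sid, events in by_session.items():
        issued = next((e for e in events if e["interactive"] and e["mfa"]), None)
        if issued is None:
            continue
        t0 = datetime.fromisoformat(issued["ts"])
        for e in events:
            age = datetime.fromisoformat(e["ts"]) - t0
            moved = e["ip"] != issued["ip"] or e["asn"] != issued["asn"]
            if timedelta(0) < age <= window and moved:
                alerts.append((e["user"], sid))
                break  # one alert per session is enough
    return alerts


def find_baseline_deviation(records, baseline):
    """Return (user, ip) for MFA sign-ins from an ASN the user has never used.
    In an AiTM flow the proxy, not the victim, is the address the IdP records,
    so the very first sign-in already deviates from the user's normal networks."""
    return [(r["user"], r["ip"]) for r in records
            if r["interactive"] and r["mfa"]
            and r["asn"] not in baseline.get(r["user"], set())]
```

Both checks are heuristics: a user on a mobile network or VPN will also change ASN, so in practice the window and baseline should be tuned per tenant and correlated with the preceding voicemail-lure email.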

How Does This Attack Bypass Traditional Email Defenses?

  • Tycoon 2FA fingerprints each visitor’s browser to identify and block security sandboxes before serving malicious content.
  • The fake CAPTCHA limits automated link crawling and URL analysis, increasing the difficulty for automated detection.
  • The email closely mimics a legitimate voicemail notification, making it difficult to distinguish from authentic messages.

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

How Did Abnormal Detect This Attack?

  • Abnormal’s Behavioral AI flagged the never-before-seen sender and unusual email content as anomalies.
  • Content analysis and natural language processing recognized urgency cues and financial implications in the message.
  • Abnormal identified suspicious URLs that deviated from established communication patterns for the recipient.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI’s system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Attack Type: Credential Phishing

Vector: Link-based

Goal: Credential Theft

Theme: Fake Voicemail

Impersonated Party: Internal System