The target receives a legitimate-looking Microsoft Power BI email claiming a subscription payment was processed via PayPal.

• Email references a specific transaction ID, dollar amount ($1,063.55), and a support phone number
• Message is sent through Microsoft's authentic Developer Program invitation workflow
• Email warns of an auto-debit to PayPal, creating urgency to call the listed number

The target calls the support number and reaches a threat actor posing as a legitimate helpdesk representative.

• Attacker impersonates a PayPal support agent to build trust with the target
• Attacker "verifies" the target's identity using scripted social engineering techniques
• Phone-based interaction moves the attack chain outside of email security controls

The attacker instructs the target to visit a fake "PayPal Connect" website and download a remote support application.

• Target is directed to a fraudulent site designed to mimic a legitimate PayPal support portal
• The "remote support tool" offered for download is actually AnyDesk, a remote access application
• Once installed, the attacker gains remote control of the target's device

• The malicious action chain occurs over a phone call, completely evading link scanning and sandboxing.
• Threat actors exploit Microsoft's legitimate Developer Program workflow to generate authentic emails.
• The email itself contains no malicious links or payloads, only a phone number for the target to call.

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

• Abnormal's Behavioral AI flagged the never-before-seen sender and unusual email content as anomalies.
• URL analysis identified unfamiliar links that deviated from expected communication patterns.
• Content analysis recognized urgency and financial language as indicators of a financial-themed attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal AI's system might include proprietary techniques and methodologies not disclosed here.