This attack attempts wire transfer fraud, with the attacker sending an updated invoice with new banking information in the hopes of redirecting a $45,000 invoice. Because the email account has been compromised, it appears to come from the original sender, and the attacker cc’s two lookalike domains in an attempt to maintain credibility. In the lookalike domains, the attacker leaves out a “c” in the email address. 

The email references past interactions and includes plausibly realistic attachments, making it difficult for legacy email security tools to detect it as an attack. Next-generation email security solutions utilize heuristics-based detection capabilities and URL and attachment analysis to accurately detect this attack. 

Status Bar Dots
7 1

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate email address and domain: The email address and domain are considered known to the targeted company, which means they may have interacted in the past, which adds credibility.
  • Detailed and contextually relevant content: The email references past interactions, invoicing, and candidate recruitment, which creates contextual legitimacy. The sender also uses specific names and positions related to the targeted organization, making it seem more genuine.
  • Use of seemingly legitimate attachments: The attack uses an attached invoice document with no malicious code, making the email appear more legitimate. 

How Can This Attack Be Detected?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Heuristics-based detection: Specific characteristics and patterns commonly associated with phishing emails, such as urgency or requests for sensitive information are identified. This attack was flagged due to the attacker asking for updated banking details.
  • CC email analysis: AI-powered email security solutions use natural language processing techniques and machine learning models to identify unusual behaviors in cc’d emails, such as unknown email addresses and lookalike domains.
  • Attachment analysis: Assessing the nature of the attached files to identify any malicious content or unusual file types, since an AI system has the capability to identify suspicious patterns and keywords present in the document. In this case, the attachment referenced updated payment details.

Safeguarding inboxes from this attack is achievable through a modern email security solution that recognizes known normal behavior and detects various abnormal indicators.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


External Compromised Account


Fake Payment

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo