In this attack, the attacker impersonated a company executive to ask an employee for their help on the supposed acquisition of a foreign company. The attacker referenced “Project R2” as the name of the project and indicated the acquisition is “at the critical final stage” and needs the employee’s help to close the deal. The employee was asked to provide the best phone number the attacker could reach them at, indicating the attacker preferred to pivot to a voice conversation. The email was sent from the impersonated executive’s spoofed email address and the reply-to address was hosted on a domain registered and controlled by the attacker. In addition to the impersonated executive’s name, the display name of the reply-to field also included their email address.

Acquisition BEC Attack

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain. The domain hosting the attacker’s reply-to email address was valid and had not been previously flagged as being used for malicious purposes.

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of a payment request. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and identify VIP email addresses, so it knows when an executive is being impersonated via display name deception.
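The header indicators described in this report (a reply-to address on a different domain than the sender, and a reply-to display name that embeds the executive's email address) can also be checked directly. The following is an added example, not the vendor's detection logic; the function names, finding labels, and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def reply_to_findings(raw):
    """Return sorted finding labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    replies = getaddresses(msg.get_all("Reply-To", []))
    if not senders or not replies:
        return []
    from_addr = senders[0][1].lower()
    findings = set()
    for name, addr in replies:
        addr = addr.lower()
        # Replies would leave the domain the message claims to come from.
        if domain(addr) != domain(from_addr):
            findings.add("reply_to_domain_mismatch")
        # Display name shows an address other than the real reply target.
        if any(e.lower() != addr for e in EMAIL_RE.findall(name)):
            findings.add("display_name_embeds_other_address")
    return sorted(findings)

# Constructed sample: spoofed From, attacker-controlled Reply-To whose
# display name carries the executive's name and address.
SUSPICIOUS = (
    'From: "Pat Example" <pat.example@corp.example>\n'
    'Reply-To: "Pat Example pat.example@corp.example" '
    "<ceo-office@mail-relay.example>\n"
    "Subject: Project R2\n\n"
    "Constructed body.\n"
)
# Constructed control: Reply-To stays on the sender's own address.
BENIGN = (
    'From: "Pat Example" <pat.example@corp.example>\n'
    'Reply-To: "Pat Example" <pat.example@corp.example>\n'
    "Subject: Quarterly update\n\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    print(reply_to_findings(SUSPICIOUS))
    print(reply_to_findings(BENIGN))
```

A reply-to domain mismatch alone is common in legitimate mail such as mailing lists and ticketing systems, so the combination of both findings is the stronger signal.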

What are the Risks of This Attack?

Because the sender’s email address was spoofed to impersonate a company executive, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Even though the reply-to address was hosted on a maliciously registered domain, the use of the impersonated executive’s name and email address in the display name field may cause inattentive recipients to mistakenly believe the message came from the executive. The attacker was attempting to pivot out of email to an employee’s personal cell phone, which would cause the target’s organization to lose visibility into the malicious communications and give the attacker a channel in which to convince the employee to make a payment on their behalf. Had the targeted employee complied with the attacker’s request, the company would likely have seen a direct financial loss of some unknown future amount. Given that the payment is likely to be framed as part of an acquisition, chances are good that the requested amount will be high.

Analysis Overview




Payment Fraud


Extended Spoofed Display Name
Cell Phone Number Request
Maliciously Registered Domain
Spoofed Email Address


Mergers & Acquisitions

Impersonated Party

Employee - Executive
