In this sophisticated payment fraud attack, the threat actor compromises an existing email conversation and attempts to redirect the payment of an invoice. The email appears as a legitimate request to process a revised invoice with updated bank account information for a $1.4M AUD payment. However, the threat actor has doctored the invoice to include banking details for an account they control, which means the attacker will steal any funds transferred to the account. In an attempt to enhance the appearance of legitimacy and also maintain surveillance over the email conversation, the threat actor CC's multiple email addresses from a look-alike domain they likely created specifically for this attack— "rsgxx[.]com" instead of "rsgx[.]com." Along with adding an extra layer of deception, this tactic ensures that even if the attacker is locked out of the compromised email account, they can still monitor the conversation.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a legitimate-looking email address, uses a look-alike domain, and leverages social engineering techniques. Modern, AI-powered email security tools analyze the content and attachments and detect the look-alike domain to mark this email as an attack correctly.

Status Bar Dots
April 17th Screenshot 1

Legitimate email sent from account owner regarding pending invoice.

Status Bar Dots
April 17th Screenshot 2

Email sent from attacker using compromised account with fraudulent invoice attached.

Status Bar Dots
April 17th Screenshot 3

Invoice from threat actor with attacker-owned bank account details added.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address and Sender Identity: The use of an email address that appears to be from a legitimate source can easily bypass legacy security tools that rely on simple blacklist-based or domain reputation-based filtering and might not flag the email as suspicious if the domain has not been previously associated with malicious activity.
  • Use of Look-alike Domains: The attackers used look-alike domains, which legacy security tools might not flag as suspicious if they only focus on exact domain matches or are not updated to consider newly registered domains as potential threats.
  • Sophisticated Social Engineering: The content of the email was carefully crafted to mimic legitimate business communication, including a polite tone and a reasonable request. Legacy tools often struggle to analyze the context and intent behind communications.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal detects the intent behind an email, allowing it to identify fraudulent requests for payment or changes to financial details, even when the language used is not overly suspicious.
  • Attachment Analysis: Abnormal analyzes attachments within emails for hidden malicious content or anomalies, including subtle indicators of fraud or compromise, such as unusual file types, embedded links, or unexpected changes in document patterns.
  • Look-alike Domain Detection: Abnormal meticulously examines every part of an email, including the CC field, to uncover the use of look-alike domains indicative of BEC attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Look-alike Domain
External Compromised Account
Modified Document


Account Update
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo