Using a compromised vendor account, an attacker hijacks an existing email thread and attempts to reroute a large invoice payment of $132,000. To appear credible, the attacker cc’s two email addresses with lookalike domains in the hopes of staying connected on the thread, since the attacker also has access to the lookalike domains. The lookalike domain adds an l to, making it, which is unlikely to be detected by a user quickly scanning the email thread.

Legacy email tools have trouble identifying this as an attack because the email’s domain age is nearly nine years old and there is a lack of identifying employee information in the email header. Advanced, AI-powered security tools evaluate domain reputation, cross-reference employee names with existing databases, and analyze links to successfully flag this as an attack.

Status Bar Dots
132k invoice 1

This legitimate email from an accounting department outlines the line items for a $132,000 invoice.

Status Bar Dots
132k invoice 2

A week later, the attacker, posing as an employee from, cc’s two lookalike domains ( in an attempt to embed themselves and redirect the invoice.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Domain Age: The sender's domain age is nearly 10 years old, which can make the domain seem more reliable and harder for legacy systems to flag as suspicious.
  • FQDN Rarity: The fully qualified domain name (FQDN) used to send this email is a known domain, making it challenging for traditional email security systems to flag such messages as suspicious.
  • Unknown Employee Titles: The title of the employee who appears to have sent this message is empty, indicating no match from the employee database. This lack of information could potentially bypass the scrutiny of conventional security solutions.

How Does Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Reputation: By evaluating the domain age and the known communication history with the sender's domain, potential risks can be identified, which in this case include rerouting a large invoice.
  • Employee Database Matching: The sender's display name can be cross-referenced against an employee database, detecting potential spoofing attempts when an employee's title is not found or there's no match for the sender's display name.
  • CC Email Analysis: AI-powered email security solutions use natural language processing techniques and machine learning models to identify unusual behaviors in cc’d emails, such as unknown email addresses and lookalike domains. In this case, the attacker cc’s two addresses with the same look-alike domain to stay connected to the thread.

By sensing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Look-alike Domain
Compromised Sending Domain


Overdue Payment

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo