Attacker Follows Up On Unpaid $132,000 Invoice Using Compromised Vendor Account
Using a compromised vendor account, an attacker hijacks an existing email thread and attempts to reroute a large invoice payment of $132,000. To appear credible, the attacker cc’s two email addresses with lookalike domains in the hopes of staying connected on the thread, since the attacker also has access to the lookalike domains. The lookalike domain adds an l to pkoh-ac.com, making it plkoh-ac.com, which is unlikely to be detected by a user quickly scanning the email thread.
Legacy email tools have trouble identifying this as an attack because the email’s domain age is nearly nine years old and there is a lack of identifying employee information in the email header. Advanced, AI-powered security tools evaluate domain reputation, cross-reference employee names with existing databases, and analyze links to successfully flag this as an attack.
This legitimate email from an accounting department outlines the line items for a $132,000 invoice.
A week later, the attacker, posing as an employee from pkoh-ac.com, cc’s two lookalike domains (plkoh-ach.com) in an attempt to embed themselves and redirect the invoice.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Domain Age: The sender's domain age is nearly 10 years old, which can make the domain seem more reliable and harder for legacy systems to flag as suspicious.
- FQDN Rarity: The fully qualified domain name (FQDN) used to send this email is a known domain, making it challenging for traditional email security systems to flag such messages as suspicious.
- Unknown Employee Titles: The title of the employee who appears to have sent this message is empty, indicating no match from the employee database. This lack of information could potentially bypass the scrutiny of conventional security solutions.
How Does Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Domain Reputation: By evaluating the domain age and the known communication history with the sender's domain, potential risks can be identified, which in this case include rerouting a large invoice.
- Employee Database Matching: The sender's display name can be cross-referenced against an employee database, detecting potential spoofing attempts when an employee's title is not found or there's no match for the sender's display name.
- CC Email Analysis: AI-powered email security solutions use natural language processing techniques and machine learning models to identify unusual behaviors in cc’d emails, such as unknown email addresses and lookalike domains. In this case, the attacker cc’s two addresses with the same look-alike domain to stay connected to the thread.
By sensing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.