This business email compromise attack features an impersonation of a CEO at a multinational company. The manufactured circumstances are that the target’s organization is in the process of acquiring a new company to support international expansion and the CEO is reaching out to the recipient to assist with the acquisition. The attacker’s initial goal is simply to establish trust with the target, so they incorporate specific elements into the message content to create a sense of urgency, convey authority, and build rapport. This includes mentioning that tax implications have forced the executive to reach out to the target to find other solutions and that any leaks of information regarding this matter will cause a cancellation of the project. To decrease the chances of the target contacting the actual CEO via phone, the attacker says that in order to maintain privacy, email is the only form of communication that can be used.

Since no specific numbers or action items are addressed in the initial email, the attacker’s objective is to convince the target that this email is legitimate and compel the target to engage. From there, the attacker hopes the target will be amenable to financial transactions and other activities that likely will result in stolen funds, payment fraud, and other financial crimes.

Older, legacy email security tools struggle to accurately identify this email as an attack because it lacks attachments or links, uses urgent language, and has mismatched “From” and “Reply-to” addresses. Modern, AI-powered email security tools analyze the content, check for mismatched “From” and “Reply-to” addresses, and detect unknown senders to correctly flag this email as an attack.

Status Bar Dots
AL Executive Impersonator Establishes Trust Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments or Links: Traditional security tools often rely on detecting malicious attachments or links. In this case, the email does not contain any obvious malicious attachments or links, making it harder for these tools to detect the threat.
  • Use of Urgent Language: The attacker uses language that creates a sense of urgency to compel the target to act quickly. Legacy security tools may not be equipped to analyze the context and sentiment of an email's content.
  • Mismatched "From" and "Reply-To" Addresses: The "From" email and "Reply-To" email are different, which is a common sign of email spoofing. However, not all legacy systems check for this discrepancy.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal uses advanced AI and machine learning models that can analyze the context and sentiment of an email's content. This allows it to detect the urgent language used by the attacker, which is a common sign of a scam.
  • Mismatched "From" and "Reply-To" Addresses: Abnormal checks for discrepancies between the "From" email and "Reply-To" email. This is a common sign of email spoofing that Abnormal is designed to detect.
  • Unknown Sender: Abnormal analyzes the behavior of the sender. In this case, the email address is unknown to the company, which is a strong sign of a potential threat.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Spoofed Email Address
Spoofed Display Name


Mergers & Acquisitions

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo