This attack features an attempt to have a $240,000 invoice paid early. The attacker first gains access to a vendor’s account and sees information about the large, upcoming invoice. They then create a look-alike domain, switching one letter (from ‘werks’ to ‘wenks’), and pose as the vendor in an email that references the upcoming invoice. The attacker also creates several other addresses using the same look-alike domain so they can cc several ‘coworkers’ in an attempt to appear legitimate. 

Because the content of the email is conversational and does not have any obvious spelling or grammatical errors, legacy email security tools have difficulty immediately spotting it as an attack. Additionally, since the names used by the attacker are accurate to real employees, it bypasses basic spam/phishing filters. Advanced, AI-powered email security solutions analyze the sender’s unknown domain, the subtle sense of urgency in the email content, and the fact that the attack utilized real employee names, which raised alarm.

Status Bar Dots
240k invoice

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate subject line and content: The subject line and email content appear to be relevant and legitimate as they discuss a specific invoice and request for early payment.
  • Safe attachments: The email contains a PDF attachment, which is not an unusual or inherently suspicious attachment type. It does not contain phishing links or malicious code, making it less likely to be flagged by older email security systems.
  • Accurate sender name: The sender's email and display name match an employee title and name, making it difficult for legacy tools to identify the email as potentially being spoofed.

How Does Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown domain: The email was sent from an unknown domain and email address that the recipient had never interacted with previously. AI detection algorithms consider this factor to flag the email as suspicious.
  • Sense of urgency in email content: The email contains a sense of urgency, requesting early payment for the invoice, which is outside of normal operating procedures. Advanced security solutions can identify unusual behavioral patterns, which can be indicative of a phishing or scam attempt.
  • Sender name analysis: Modern detection mechanisms also consider the fact that the sender's display name and title match a plausible employee position. This could be an attempt to spoof an employee or a partner, increasing the suspicion level for the email.

By recognizing established normal behavior and detecting these abnormal indicators, Abnormal Security has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Hijacked Email Thread
Look-alike Domain


Payment Inquiry

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo