This is a multi-pronged attack that requests a  £61,000 payment for an overdue invoice. In order to complete this scam, the attacker has compromised a vendor’s email account and hijacked the thread—attempting to redirect an outstanding invoice that was previously referenced in the email conversation. To add further legitimacy, the attacker cc’s two email addresses with lookalike domains in the hopes of staying connected on the thread, since the attacker has access to the lookalike domains.  The lookalike domain changes one letter in to (from i to l), which is unlikely to be detected by a user since the names on both emails resemble actual employees at the vendor company.

Status Bar Dots
AI 1 1

This legitimate email references an invoice for £61,000.

Status Bar Dots
AI 1 2

This email attack uses the information in the hijacked thread to attempt to redirect the payment.

This email does not contain traditional indicators of compromise and comes from a legitimate domain, making it difficult to detect. Modern email security tools can identify this attack by detecting that the sending domain and IP address linked to the email have appeared infrequently or rarely in previously received messages and by analyzing the contents of the email with AI/ML-powered behavioral profiles. 

Why Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate sender domain: The email comes from a legitimate domain (, making it harder to identify as malicious.
  • Social engineering: The email uses social engineering techniques, leveraging urgency and authority to manipulate the recipient into performing a certain action, such as processing a payment to a different account. 
  • SPF and DMARC pass: SPF and  DMARC are widely used email authentication protocols that enable the receiver to determine if the sender was authorized to send emails on the sender domain’s behalf. Because this is a legitimate account, the email passes both the SPF and DMARC checks, further adding to its credibility.

How Can This Attack Be Detected?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unexpected bank account: The email informs about an ongoing audit and requests payment to a different credit collector's account. This change in payment details can be an indication of a potential attack.
  • Domain and IP reputation: The system cross-referenced the sender's domain and IP address with known threat databases to identify potential risks.
  • Email content analysis: An analysis of the email's content identified indicators of manipulative language, common social engineering tactics, and the attempt to divert payments, which are commonly associated with business email compromise attacks.

By understanding known normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Hijacked Email Thread
Look-alike Domain
External Compromised Account


Account Update

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo