Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud
This business email compromise attack features a vendor impersonator utilizing a look-alike domain. To begin, an attacker hijacks an email thread between a vendor and a customer in which invoice payments and banking details are discussed. The attacker then creates a look-alike domain, “plusmy-com-my[.]cc,” which is similar to the vendor’s legitimate domain “plusmy.com[.]my,” copies and pastes the thread from the original hijacking, and attaches a nearly $1,000,000 fraudulent invoice. The threat actor then states that the vendor’s usual bank account cannot currently accept deposits and requests that the target use an alternate bank account, the details of which are included in the attached invoice. If the target redirects any payments based on this email, the funds will be deposited into an account owned by the attacker.
Older, legacy email security tools struggle to accurately identify this email as an attack because it contains multiple attachments, uses social engineering techniques, and comes from an unknown domain. Modern, AI-powered email security solutions detect the unknown domain, analyze the multiple attachments, and flag the social engineering techniques to mark this email as an attack properly.
The attacker copies and pastes a previous thread from the hijacked email account to appear more legitimate.
The attacker includes a PDF invoice using the hijacked vendor’s letterhead.
The attacker also includes a spreadsheet document outlining what information is required for fund transfers.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Multiple Attachments: The email contains multiple attachments of different types. Legacy security tools may be unable to scan these attachments for potential threats effectively.
- Social Engineering Techniques: The email uses social engineering techniques to trick the recipient into taking action. Legacy security tools may not be able to detect these subtle manipulative tactics.
- Unknown Domain: The email comes from an unknown domain to which the target has never sent messages in the past. This could bypass security measures that rely on domain reputation.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Domain: The email comes from an unknown domain to which the company has never sent messages in the past. Abnormal recognizes this as a potential threat.
- Multiple Attachments: The email contains multiple attachments, including a spreadsheet and a PDF. Abnormal analyzes these attachments for potential threats, such as malicious macros or embedded links.
- Social Engineering Techniques: The email uses social engineering techniques like urgency and familiarity to trick the recipient into taking action. Abnormal detects these manipulative tactics as signs of an attack.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.