In this attack, the threat actor impersonates a vendor with whom the recipient has an existing relationship and inquires about updating their banking information for future payments. Attached to the email are more than two dozen real invoices from the actual vendor totaling nearly $360,000.

[Image: screenshot of the edited email in the attempted invoice fraud targeting a manufacturer]

The attacker uses a nearly identical email address to that of the individual being impersonated; the only difference is the domain ends in .org instead of .com. The sender even cc’s another spoofed email address using the .org extension to help disguise the domain extension swap.

How Does This Attack Bypass Email Defenses?

The attackers have kept the email within the bounds of standard email defense protocols, allowing it to pass through various security systems without being detected. Because the lookalike .org domain is one the attacker controls rather than a forgery of the vendor's real domain, its SPF, DKIM, and DMARC records can be configured legitimately, so the message passes these verification checks; those checks confirm only that the mail came from the domain it claims, not that the domain belongs to the real vendor. The email was sent from outside the organization, increasing the chances of the message passing through email defenses.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Knowing the legitimate domains of existing vendors would allow a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker to send the email was registered shortly before the email was sent, a common indicator of a domain created for malicious purposes.
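The three detection signals above (payment-change language, a sender domain that imitates a known vendor, and a recently registered domain) can be combined into a simple triage check. The following is an added example, not code from the original page or from Abnormal; the vendor domains, registration dates, email messages, and the 90-day "newly registered" threshold are all constructed for illustration, and the registration-date table stands in for a real WHOIS or domain-intelligence lookup. It goes slightly beyond the article's case by also catching a one-character typo in the vendor name, not only the swapped top-level domain.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (not from the page): domains of vendors the organisation
# already does business with, e.g. exported from the accounts-payable system.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-parts.com"}

# Constructed registration dates standing in for a WHOIS / domain-age lookup.
REGISTRATION_DATES = {
    "acme-supply.com": date(2009, 3, 12),
    "acme-supply.org": date(2024, 5, 28),  # hypothetical lookalike registered days earlier
}

# Phrases typical of a banking-detail change request (matched case-insensitively).
PAYMENT_PATTERNS = [
    r"\bbank(?:ing)?\s+(?:details|information|account)\b",
    r"\b(?:update|change|new)\s+(?:our\s+|the\s+)?(?:remittance|payment|wire)\s+(?:details|information|instructions)\b",
    r"\b(?:routing|account)\s+number\b",
]
NEW_DOMAIN_THRESHOLD_DAYS = 90  # assumption: younger than this counts as "newly registered"
TODAY = date(2024, 6, 10)       # fixed "now" so the example is deterministic

@dataclass
class Email:
    sender: str
    cc: list
    subject: str
    body: str

@dataclass
class Assessment:
    suspicious: bool
    findings: list = field(default_factory=list)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def edit_distance(a, b):
    # Levenshtein distance, used to catch single-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known):
    # Return the legitimate vendor domain that `domain` imitates, or None.
    # Simplification: the vendor name is the label before the first dot, so
    # multi-label suffixes such as .co.uk are not handled here.
    domain = domain.lower()
    if domain in known:
        return None
    name, _, suffix = domain.partition(".")
    for legit in known:
        legit_name, _, legit_suffix = legit.partition(".")
        if name == legit_name:  # the article's case: same name, swapped TLD
            return legit
        if suffix == legit_suffix and edit_distance(name, legit_name) == 1:
            return legit        # generalisation: one-character typo in the name
    return None

def payment_request_phrases(text):
    return [p for p in PAYMENT_PATTERNS if re.search(p, text, re.IGNORECASE)]

def domain_age_days(domain, today):
    registered = REGISTRATION_DATES.get(domain.lower())
    return None if registered is None else (today - registered).days

def assess(email, today):
    findings = []
    sender_domain = domain_of(email.sender)
    imitated = lookalike_of(sender_domain, KNOWN_VENDOR_DOMAINS)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates known vendor {imitated}")
        for addr in email.cc:  # a cc on the same lookalike domain reinforces the disguise
            if domain_of(addr) == sender_domain:
                findings.append(f"cc {addr} is on the same lookalike domain")
    hits = payment_request_phrases(email.subject + "\n" + email.body)
    if hits:
        findings.append(f"{len(hits)} payment-change phrase(s) in subject/body")
    age = domain_age_days(sender_domain, today)
    if age is not None and age < NEW_DOMAIN_THRESHOLD_DAYS:
        findings.append(f"sender domain registered {age} days ago")
    # Policy: any lookalike match holds the message; otherwise two independent signals do.
    return Assessment(suspicious=imitated is not None or len(findings) >= 2, findings=findings)

# Constructed messages modelled on the attack described above.
FRAUD_SAMPLE = Email(
    sender="j.parker@acme-supply.org", cc=["accounts@acme-supply.org"],
    subject="Updated banking information for future payments",
    body="Please find attached our outstanding invoices. We have changed banks, so kindly "
         "update our remittance details before the next payment run. The new account "
         "number and routing number are on the attached form.",
)
LEGIT_SAMPLE = Email(sender="j.parker@acme-supply.com", cc=[], subject="Invoice 1042",
                     body="Please find attached invoice 1042 for last month's deliveries.")
```

Calling `assess(FRAUD_SAMPLE, TODAY)` returns four findings and `suspicious=True`, while `assess(LEGIT_SAMPLE, TODAY)` returns none, since the real vendor domain is in the allow-list and the message carries no payment-change language. The policy in `assess` is deliberately conservative: a lookalike match alone is enough to hold the message for review, because that signal is the one the other two exist to corroborate.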

What are the Risks of This Attack?

If the attackers succeed, they can fraudulently modify the vendor's banking details in the company's system, leading the company to transfer funds into the attacker's account. As a result, the attackers can obtain a significant amount of money, and the company faces a corresponding financial loss.

Analysis Overview

Malware Delivery
Credential Theft

Personalized Email Subject
Free Webmail Account
Spoofed Email Address
Legitimate Hosting Infrastructure

Account Update