BEC Attack Impersonates a CEO Using a Combination of a Spoofed Email Address and Reply-to Address with a Mirrored Username

In this attack, a company CEO was impersonated in an email sent to the company’s CFO requesting that the CFO send a payment to an external party. The initial email was very brief, contained a blank subject, and included a “Sent from my iPhone” signature to make it look like the CEO was writing from his mobile device. The CEO’s email address was spoofed to make it look like the message originated from the CEO’s real email account. The reply-to address, however, was set to a separate address that was hosted on a domain registered by the attacker. The username of the reply-to address matched the CEO’s username in their actual email address.

Had the recipient responded to this initial message, the attacker would have followed with a message that included the details of the payment request. In this case, the attacker would have asked for a wire transfer of more than $34,000 to be made to a bank account with a beneficiary listed that appeared to be a business.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s reply-to email address was valid and had not been previously flagged as being used for malicious purposes. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

Because the sender’s email address had been spoofed to impersonate the company’s CEO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. In addition, because the username of the reply-to email address matches the expected username of the impersonated CEO’s actual email address, an employee may not recognize the difference and trust that the message was sent from an authentic source. Had the targeted employee complied with the attacker’s request, the company would have seen a direct financial loss of more than $34,000.