In this attack, the actor impersonated a company COO inquiring about bank fees for outgoing wire transactions. The subject line of the email was “legal fees,” implying that they were asking in order to pay an outstanding legal bill. The email was sent from an account hosted on a malicious domain registered by the attacker and the sender’s display name was spoofed to match the COO’s name.

Status Bar Dots
Legal Fees BEC Email

Had the recipient responded to the initial email, the attacker would have sent a follow-up message with bank account information where they wanted the payment to be sent. The payment instructions would have been included in an attached PDF document, showing a requested payment amount of more than $32,000.

Status Bar Dots
Legal Fees BEC Email 2
Status Bar Dots
Legal Fees BEC Payment Instructions

Why It Bypassed Traditional Security

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes.

Detecting the Attack

The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Natural language processing enables cloud email security solutions to detect the presence of a payment request. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

Risk to Organization

Because the sender’s display name has been spoofed to impersonate the company’s COO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Had a targeted employee complied with the attacker’s request, the company would have seen a direct financial loss of more than $32,000.

Analysis Overview




Payment Fraud


Maliciously Registered Domain
Spoofed Display Name

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo