In this attack, the initial email impersonated the head of finance at one of the targeted company’s external distribution partners. The message asked the recipient to provide a list of unpaid invoices owed to the partner and also indicated that the partner’s existing bank information should be disregarded due to a general audit investigation of the account. The email also provided an incentive of a five percent discount if any outstanding invoices were able to be paid to an updated bank account by the end of the day. The email address displayed as the origin of the message appeared to be a compromised external account not affiliated with the impersonated partner; however, the reply-to address was set to an account set up on a provider that provides freely-available encrypted email services. To hide all of the targets of the attack, the attacker BCC’d all of the recipients instead of including them in a normal To field.

Status Bar Dots
Distribution Partner BEC Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. Because this email was sent from a legitimate account that has been compromised without a history of abuse, there are no direct signals indicating the email’s origin is malicious. The reply-to email set to an account hosted on a freely-available encrypted email service and, as a result, there was no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Understanding legitimate historical third-party partner communications allows a cloud email security solution to flag suspicious messages impersonating the partner and block the attack before it reaches users. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.

What are the Risks of This Attack?

Should the targeted employee comply with the attacker’s request, money that was intended to be directed to the external vendor would be diverted to an account controlled by the attacker and could damage the relationship between the companies.

Analysis Overview




Payment Fraud


Free Webmail Account
External Compromised Account
BCC Recipient List


Account Update
Payment Inquiry

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo