BEC Attack Impersonates Distribution Supplier and Offers Discount as an Incentive for Quick Payment

In this attack, the initial email impersonated the head of finance at one of the targeted company’s external distribution partners. The message asked the recipient to provide a list of unpaid invoices owed to the partner and also indicated that the partner’s existing bank information should be disregarded due to a general audit investigation of the account. The email also provided an incentive of a five percent discount if any outstanding invoices were able to be paid to an updated bank account by the end of the day. The email address displayed as the origin of the message appeared to be a compromised external account not affiliated with the impersonated partner; however, the reply-to address was set to an account set up on a provider that provides freely-available encrypted email services. To hide all of the targets of the attack, the attacker BCC’d all of the recipients instead of including them in a normal To field.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. Because this email was sent from a legitimate account that has been compromised without a history of abuse, there are no direct signals indicating the email’s origin is malicious. The reply-to email set to an account hosted on a freely-available encrypted email service and, as a result, there was no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Understanding legitimate historical third-party partner communications allows a cloud email security solution to flag suspicious messages impersonating the partner and block the attack before it reaches users. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.

Should the targeted employee comply with the attacker’s request, money that was intended to be directed to the external vendor would be diverted to an account controlled by the attacker and could damage the relationship between the companies.