In this attack, the attacker impersonated an accounts receivable manager at an external third-party vendor to request an update to the vendor's bank account information on file with the recipient's company, so that all future payments would be directed to the new account. The email claimed the account update was needed following an internal audit performed at the end of the previous year. In addition to providing the new account details in the body of the email, the attacker attached a "bank authorization letter" from a bank associate attesting to the change in account information. The email was sent from an address hosted on a domain the attacker registered to mimic the vendor's legitimate domain. Rather than listing the recipients on the To line, the attacker BCC'd all of them, hiding the full set of targets from each recipient.

[Figure: Vendor Impersonation BEC Email]
[Figure: Vendor Impersonation BEC Email Attachment]

How Does This Attack Bypass Email Defenses?

Because the attack is text-based and carries no other indicators of compromise, a secure email gateway has little to work with to determine malicious intent. The attached PDF was not inherently malicious (it contained no exploit or active content), so it would not be flagged by traditional email defenses. The domain hosting the attacker's email address was valid and had not previously been flagged for malicious use. Because the lookalike domain was registered by the attacker rather than spoofing the vendor's real domain, sender-authentication countermeasures like DMARC would not have been effective: the message passed authentication for the domain it actually came from.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious payment-related requests, including those contained within otherwise benign attachments, indicating when an email should undergo additional scrutiny. Knowledge of each vendor's legitimate domains would allow a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker was registered shortly before the email was sent, a signal of potential malicious use. All of the recipients were BCC'd, a common pattern when attackers send similar attacks to many recipients at once.
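The four detection signals described above, combined into a simple triage score, as an added example that is not part of the original write-up or any vendor's product. The vendor allowlist, registration dates, sample message and attachment text are all constructed; a real deployment would pull registration dates from WHOIS/RDAP and attachment text from a PDF extractor.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher
from datetime import date

# Constructed sample data: the recipient's approved vendor domains, and the
# registration dates a real deployment would fetch from WHOIS/RDAP.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}
DOMAIN_REGISTERED = {"acme-supplies.com": date(2012, 3, 1),
                     "acme-suppiles.com": date(2024, 5, 20)}
PAYMENT_TERMS = ("bank account", "routing number", "wire", "remittance",
                 "authorization letter")

# Constructed message mirroring the attack: lookalike sender domain,
# recipients hidden via BCC, and a payment-change request in the body.
SAMPLE_EMAIL = """\
From: Accounts Receivable <ar@acme-suppiles.com>
To: undisclosed-recipients:;
Subject: Updated banking details following year-end audit
Content-Type: text/plain; charset="utf-8"

Following our internal audit at the end of last year, please update the
bank account you have on file for us. The new routing number and account
details are in the attached bank authorization letter.
"""
ATTACHMENT_TEXT = "Bank authorization letter confirming new account details."

def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return the approved vendor domain that `domain` closely resembles,
    or None if `domain` is itself approved or resembles nothing."""
    if domain in known:
        return None
    for legit in known:
        if SequenceMatcher(None, domain, legit).ratio() >= threshold:
            return legit
    return None

def score_message(raw, today, attachment_text="", max_age_days=30):
    """Evaluate the detection signals and return them with a count; a
    score of 2 or more is a reasonable threshold for manual review."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    registered = DOMAIN_REGISTERED.get(domain)
    to_hdr = msg["To"]  # None when absent; no addresses when only a group
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + attachment_text).lower()
    signals = {
        "lookalike_domain": lookalike_of(domain) is not None,
        "newly_registered": registered is not None
                            and (today - registered).days <= max_age_days,
        "recipients_hidden": to_hdr is None or not to_hdr.addresses,
        "payment_request": any(term in text for term in PAYMENT_TERMS),
    }
    return signals, sum(signals.values())
```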

What are the Risks of This Attack?

Because the email address used by the attacker is hosted on a domain that closely resembles the impersonated vendor's actual domain, an employee may easily mistake the email as coming from a legitimate address. Should the targeted employee comply with the request, money intended for the external vendor would be diverted to an account controlled by the attacker, and the resulting missed payment could damage the relationship between the two companies.

Analysis Overview

Vector: Text-based, Payload-based
Goal: Payment Fraud
Tactic: Look-alike Domain, BCC Recipient List
Theme: Account Update
Impersonated Party: External Party - Vendor/Supplier
