This business email compromise attack features a compromised account requesting payment method updates. The attacker breaks into “” and uses the account to request ACH transfers from the recipient’s company since, due to an audit during COVID, checks are no longer viable for payments. Mimicking company assets, the attacker includes a PDF attachment of the new banking details with the Duffy & Shanley logo to appear legitimate. This attack is sophisticated since the attacker uses a real account to carry out the attempted payment fraud.

Legacy email security tools have trouble detecting this attack because of the legitimate sending domain, the lack of malware attachments, and the lack of urgency in the message. Modern, AI-powered email security solutions analyze the links, language, and historical data to identify this email as an attack accurately.

Status Bar Dots
Aug23 Screenshot
Status Bar Dots
Aug 23 Screenshot 2

The attacker attaches a company-branded PDF with fraudulent ACH details to redirect payments.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Sender: The email appears to be from a legitimate sender,, which could bypass security checks that only flag known malicious senders.
  • No Malware Attachments: The email contains a PDF attachment, less likely to be flagged as potentially harmful than executable files.
  • No Urgency or Fear Tactics: The email does not use urgency or fear tactics, common in phishing emails, to pressure the recipient into taking action. The absence of these tactics could make the email seem less suspicious to legacy security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: The email contains a PDF attachment with banking details. Abnormal's AI analyzes attachments for suspicious content, such as requests for payment or personal information.
  • Language Analysis: Abnormal's AI analyzes the language used in the email for signs of a potential attack. In this attack, the email contains a request for payment methods to change, usually a sign of a BEC attack.
  • Historical Data Analysis: Abnormal's AI analyzes historical data to detect anomalies and potential attacks. For example, this email is the first time the sender has requested payment via ACH, which raises suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Compromised Sending Domain


Account Update

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo