In this attack, the attacker impersonated the company CEO and sent an email to the company's head of human resources, asking for a copy of all employee 2022 W-2s consolidated into a single PDF file. The email included time-sensitive language, stating the information was needed “ASAP for a quick review.” The sending address of the email was a Telenet.be account, a freely available Belgian provider, but the reply-to address was set to a Gmail account. The email closed with a “Sent from my iPhone” signature, which gave the appearance that the CEO was sending the email from their mobile device rather than their computer.

W2 Employee Records BEC Email

How Does This Attack Bypass Email Defenses?

Because the attack is purely text-based, with no links or attachments that could serve as indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The sending email address was a Telenet.be account and the reply-to address was a Gmail account, both free webmail services available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passed all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious requests for sensitive documents, indicating when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and learn executives' legitimate email addresses, so that it can recognize when an executive is being impersonated via display name deception.
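The detection logic described above, as an added example that is not Abnormal's own code: it parses a raw message, compares the sender display name against a hypothetical executive directory (standing in for the Active Directory org chart), and flags a free-webmail sender, a mismatched reply-to, a request for sensitive documents, and urgency language. The executive name, addresses, and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive directory: display name -> legitimate corporate address
# (what an Active Directory / org-chart integration would supply).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
FREE_WEBMAIL = {"gmail.com", "telenet.be", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE = re.compile(r"\bW-?2s?\b|\bpayroll\b|\bSSNs?\b", re.I)
URGENCY = re.compile(r"\bASAP\b|\burgent(ly)?\b|\bquick(ly)?\b|\bright away\b", re.I)

def score_message(raw: str) -> dict:
    """Return the BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    expected = EXECUTIVES.get(from_name.strip().lower())
    flags = {
        # display name belongs to an executive, but the address is not theirs
        "display_name_impersonation": expected is not None and from_addr.lower() != expected,
        "free_webmail_sender": from_domain in FREE_WEBMAIL,
        "reply_to_mismatch": bool(reply_addr) and reply_domain != from_domain,
        "sensitive_request": bool(SENSITIVE.search(body)),
        "urgency_language": bool(URGENCY.search(body)),
    }
    flags["score"] = sum(flags.values())
    # an impersonated executive asking for sensitive records always warrants review
    flags["escalate"] = flags["display_name_impersonation"] and flags["sensitive_request"]
    return flags

# Constructed sample modelled on the attack above (not the real message).
SAMPLE = """From: Jane Doe <jane.doe1972@telenet.be>
Reply-To: janedoe.ceo@gmail.com
To: hr@example.com
Subject: Employee W-2s

Hi, can you send me a copy of all employee 2022 W-2s in one PDF?
I need it ASAP for a quick review.

Sent from my iPhone
"""

# Constructed benign message from the executive's real address for comparison.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Board agenda

Please review the attached agenda before Thursday.
"""
```

`score_message(SAMPLE)` sets all five indicators and `escalate`; `score_message(LEGIT)` sets none.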

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the company’s CEO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Had the recipient complied with the request and sent the attacker copies of all employee W-2s, not only would that expose those employees to increased risk of having their identities misused for fraudulent purposes in the future, but it would also significantly erode employee trust in the company.

Analysis Overview

Vector: Text-based
Goal: W-2 Theft
Tactic: Free Webmail Account, Spoofed Display Name
Impersonated Party: Employee - Executive
