Blind Third Party Attack Impersonates Eurocontrol to Solicit Fraudulent Payment

In this attack, the attacker posed as an accounts receivable specialist at Eurocontrol, a European air traffic management organization. The email included a reminder that the targeted organization had multiple outstanding unpaid invoices that were from the previous few months. The message also indicated that, due to an update in Eurocontrol’s payment account details,  the recipient organization should confirm when the payment is going to be made, so the correct account information could be shared. To hide all of the targets of the attack, the attacker BCC’d all of the recipients instead of including them in a normal To field.

The email was sent from a likely spoofed email address that had no relationship to the targeted organization and the reply-to address was set to an account hosted on a domain created to look like an official Eurocontrol domain. The sender display name was set to look like a generic financial department and also included a legitimate Eurocontrol email address. Contact information included in the email signature accurately reflected information associated with Eurocontrol’s billing center.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain. The domain hosting the attacker’s reply-to email address was valid and had not been previously flagged as being used for malicious purposes. Because the lookalike domain was registered by the attacker and didn’t spoof a legitimate domain, countermeasures like DMARC would not have been effective.

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients. The domain used by the attacker to host the reply-to address was registered shortly before the email was sent, indicating its potential use for malicious purposes.

The inclusion of a valid email address in the display name field may cause inattentive recipients to mistakenly believe the message came from Eurocontrol. Because the reply-to email address used by the attacker is hosted on a domain that looks very similar to the Eurocontrol’s actual domain, an employee may easily mistake the email as coming from a legitimate address. The attack email contains multiple instances of “pressure language,” which could be more successful in trying to coerce the recipient into quickly making a payment. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of an unknown amount.