In this attack email, the attacker impersonated a company CEO and asked for a list of all recent settlements that have not yet been paid out. The email specified the information needed in the spreadsheet, including settlement date, case title, plaintiff name, plaintiff attorney name, defendant name, defendant attorney name, and settlement amount. The email was sent using the spoofed display name of the CEO, while the actual email address used was a free webmail service from Poland. The tactics in this attack are very similar in principle to an aging report theft attack, in which an attacker requests a copy of a spreadsheet containing outstanding payment details and customer contact information. 

Status Bar Dots
Pending Settlement Request BEC Attack

Why It Bypassed Traditional Security

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. This email is sent from an account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF and DMARC.

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of an aging report request or similar types of requests, like this one. Integration with Active Directory allows the platform to know that the email is not associated with the executive being spoofed. Content analysis is required to detect the presence of suspicious requests, which can indicate when an email should undergo additional scrutiny. Additionally through Microsoft API integration, email security solutions can use ActiveDirectory to process the organizational chart and understand VIP emails in order to identify when executives are being impersonated.

Risk to Organization

Similar to an aging report theft attack, the information gathered in this attack will likely be used for future exploitation and payment fraud. While this attack is not likely to have a direct impact on the organization receiving it in terms of financial loss, it could have dire implications on customer trust and brand perception. Once the attacker has access to outstanding settlements, he can use that (accurate) information to email customers and request that payment be made immediately. And once those customers make the settlement payment, their money is gone—not to the vendor they thought they were paying but to a bank account owned by the attacker.

Analysis Overview




Payment Fraud


Free Webmail Account
Spoofed Display Name


Legal Matter

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo