This attack features a compromised account used by an attacker who poses as "Jamie" and asks for a stop in further remittance plus a change of banking details after a "bounced check" caused account restrictions. The attacker informs the recipient to use a new offshore bank and asks that the finance department be updated. The attacker shares a list of invoices that total nearly $4,000,000. Since the attacker has access to the compromised account, they CC two look-alike domains, "," to stay connected to the thread should any suspicions arise. 

This attack can bypass older email security tools because the content of the email is conversational, mimicking typical business communications. Additionally, since attackers often attach malicious payloads, the lack of attachments makes it seem more legitimate. Lastly, older security tools likely consider the email safe since the attacker utilizes a known domain. Modern security solutions analyze the contents of the email, the use of CC'd look-alike domains, and thorough behavioral analysis using AI to identify this as an attack.

Status Bar Dots
4m invoice

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-looking Email Content: The email content does not contain any obvious malicious elements such as malware or phishing links. It mimics legitimate business communication, which makes it harder for traditional security tools to detect it as a threat.
  • Use of a Known Domain: The email was sent from a known domain ( that the recipient's email system has interacted with in the past. This could make the email seem more trustworthy to traditional security tools.
  • Lack of Attachments: The email does not contain any suspicious attachments that could trigger alerts from traditional security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Use of Look-Alike Domains: Abnormal's AI is trained to detect subtle signs of phishing, such as the use of look-alike domains. In this case, the inclusion of CC'd email addresses with similar domains are flagged as potentially malicious. While these look-alike domains add an element of realism to the attack, they are a common tactic used by attackers to trick recipients into thinking the email is from a trusted source. 
  • Language and Content Analysis: Abnormal can evaluate the language and content of the email. In this case, the request to stop remittance to the primary company account and switch to an offshore account are flagged as suspicious. Additionally, the disclosure of invoice details totaling a significant amount also indicates a likely attack.
  • Behavioral Analysis: Abnormal analyzes the behavior of senders and recipients over time. If the email behavior deviates from the norm, such as an unusual request it can be flagged as suspicious. In this case, changing banking details to an offshore account triggered the detection system.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Look-alike Domain


Account Update

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo