Attacks related to mergers and acquisitions (M&A) can be some of the most financially damaging, as they typically involve a much higher sum of money than the average invoice fraud or payroll diversion. In this attack, threat actors already know that a merger is occurring (likely due to the compromise of an email from one of the two organizations) and use a spoofed email address to impersonate the CEO of a company. The email asks the recipient if they have been contacted by an attorney who is helping to facilitate the acquisition of a company based in Asia. 

Upon receiving an affirmative response, which lets the attacker know that they have chosen the right attorney in the case, the attacker will send another email to the victim—this time impersonating the attorney himself. As part of that communication, the attacker will ask the employee to make an initial payment to help facilitate the acquisition. 

Status Bar Dots
62a7969f5b93de33771adebe 1310729638

Why It Bypassed Traditional Security

This attack is solely text-based, with no traditional indicators of compromise, and the domain has SPF authentication protocols enabled. Without an understanding of the content and tone of the message, there is no way for an email security solution to understand that this email has malicious intent. 

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of a sensitive request related to mergers or acquisitions, and integration with Active Directory allows the platform to know that the sender email is not associated with the VIP being spoofed. Combined, this provides enough information to block the attack before it reaches the recipient’s inbox. 

Risk to Organization

While this attack itself may not result in direct financial losses, it does allow the recipient to share sensitive information that could help the victim craft a more believable attack in the future. If the recipient were to respond, the attacker would receive pertinent details that could ultimately result in the loss of millions, should the final attack be successful. 

Analysis Overview




Payment Fraud


Extended Spoofed Display Name
Maliciously Registered Domain
Spoofed Email Address


Mergers & Acquisitions

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo