To complete this attack, cybercriminals first set up a LinkedIn lookalike domain titled, designed to appear as though it is a legitimate business entity of the LinkedIn website. The attacker also set up an email address of—likely using the term 'exec' to add legitimacy to the username.

Once the infrastructure is complete, the attacker then sends an email with a LinkedIn invoice that asks for an overdue payment. The attacker then appears to forward that email alongside a note from the impersonated executive, requesting that the target pay the LinkedIn invoice today. In this email, the attacker uses display name deception and relies on the urgency induced by an executive message to set up the payment. 

Status Bar Dots
62bf4e7eccf31871c0f16221 1471142944

Why It Bypassed Traditional Security

In this case, both domains are valid emails from valid endpoints. Neither email—either the original LinkedIn impersonation or the executive approval—has a malicious payload in the form of links or attachments, which means that traditional threat intelligence-based tools have no indications of compromise. And because this email is really a two-step attack that relies on both brand name recognition and executive urgency, the target is more likely to fall for it. 

Detecting the Attack

Content analysis is required to detect the presence of invoice-related requests, which can indicate when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use ActiveDirectory to process the organizational chart and understand VIP email addresses—both professional and personal—to know when an executive is being impersonated. And additional insight into the domains included, such as age and lookalike analysis, can help detect this attack. 

Risk to Organization

Should this executive impersonation attack succeed, the target would pay the LinkedIn invoice amount to the attacker, costing hundreds or potentially thousands of dollars.

Analysis Overview




Payment Fraud


Fake Email Chain
Maliciously Registered Domain
Spoofed Display Name


Overdue Payment

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo