While payroll diversion attacks are somewhat common, they are far more lucrative to attackers when they involve executives, as they are typically some of the most well-paid individuals within the organization. In this attack, threat actors first determine who the most likely candidates are for impersonation, and who should be the target of the attack—focusing on those employees who are most likely to deal with payroll.

Status Bar Dots
62bf4d95a60ddc402874e17f 1838104499

Why It Bypassed Traditional Security

The email itself originates from a valid external email address that has SPF enabled to bypass checks from legacy solutions. And because it is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. 

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of a sensitive payroll request, and integration with Active Directory allows the platform to know that the email is not associated with the VIP being spoofed. 

Risk to Organization

Should the target engage with this email, the attacker is likely to send banking information for a new account—enabling him to receive the next direct deposit. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the VIP) could lose tens of thousands of dollars.

Analysis Overview




Payroll Diversion


Matching Free Webmail Username
Spoofed Display Name

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo