This attack targeted a senior member of a company's finance team, impersonating a company executive to request help with a confidential acquisition of a European company. The email was written in French, matching the location of the recipient, who was based in France. It indicated that while the acquisition would be announced publicly later, the recipient had been chosen to assist with a financial transaction associated with the merger because of their "discretion" and "impeccable work." The message asked the recipient to contact an attorney at Mazars (an international audit and advisory firm, which the email presents as a law firm) to obtain the bank details needed to complete the transfer. The address given for the attorney was a free Mail.com account (on the consultant.com domain) with a username that mimicked the attorney's name. "For security reasons," the email closes by asking the recipient to communicate only through the impersonated executive's "personal email account," another free Mail.com account on a different Mail.com domain (dr.com). The email was sent from that same Mail.com address, with the display name set to include both the impersonated executive's name and their official business email address, so that a glance at the From line shows the legitimate corporate address.

French BEC Email

English Translation:

We are currently carrying out a financial transaction concerning a merger/acquisition of a company based in Europe.

This takeover must remain strictly confidential, no one else must know about it at this time.

The public announcement of this takeover bid will take place on Thursday January 19, 2023 at our premises with the presence of the entire administration.

I therefore chose you for your discretion and your impeccable work in handling this takeover bid.

Please contact our law firm Mazars immediately for the attention of Maître Garnier for the delivery of bank details in order to make the transfer immediately.

Contact: n.garnier-mazars[at]consultant.com

Ps: for security reasons, please communicate only on my personal email ([CEO name username]@dr.com) for this type of confidential operation where we can discuss without risk of disclosure in order to respect the standard of this takeover bid.

Please do not make any allusion to this matter in person or even by telephone, only on my personal email, in accordance with the procedure imposed by the AMF (Autorité des Marchés Financiers).

Cordially,

[CEO Name]

How Does This Attack Bypass Email Defenses?

Because the attack is purely text-based, with no link, attachment, or other indicator of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Mail.com account, a free webmail service available to anyone, so there is no bad domain reputation for traditional security providers to find. The message also passes SPF, DKIM, and DMARC, but those checks only confirm that Mail.com legitimately sent a message for its own domain (here dr.com); they say nothing about the impersonated executive's company, whose domain appears only inside the display name and is never evaluated by DMARC. Some email defenses train their detection models only on common languages such as English, so attacks written in other languages may not be detected.

How Can This Attack Be Detected?

Content analysis can detect suspicious payment-related requests and flag a message for additional scrutiny. Natural language processing with multi-language support lets a cloud email security solution recognize a payment request even when the message is written in French, as here. Integration with the Microsoft 365 APIs lets a solution read the organization's Active Directory chart, identify VIP mailboxes, and recognize display name deception: an executive's name (and here, their corporate address) in the display name of a message whose actual sender address belongs to a free webmail domain. A simple check that catches this sample is to compare any address embedded in the display name against the real From address, and to compare the bare From name against the VIP list whenever the sending domain is not the organization's own.
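The detection logic described above, as an added example that is not part of the original page or of any vendor's product: a small Python triage script that reads a message's From header, looks for an address embedded in the display name that differs from the real sender, checks the bare name against an assumed VIP directory (a stand-in for the Active Directory org chart), notes when a free-webmail sender reuses the executive's corporate username (the "Matching Free Webmail Username" tactic from the overview below), and scans the body for French and English payment and secrecy cues. The organization domain, VIP list, webmail domain list, and both sample messages are constructed placeholders modeled on the attack on this page.

```python
import re
from email import message_from_string

# Assumed stand-ins for the customer's domain and Active Directory VIP list
# (placeholder names; not from the page).
ORG_DOMAIN = "example.com"
VIP_DIRECTORY = {"jean.dupont@example.com": "Jean Dupont"}  # address -> display name

# Mail.com's vanity domains (consultant.com, dr.com) are included; the list is
# illustrative, not complete.
FREE_WEBMAIL_DOMAINS = {"mail.com", "consultant.com", "dr.com", "gmail.com",
                        "outlook.com", "yahoo.com"}

# Multilingual cues. The French ones are taken from the message quoted above.
PAYMENT_PATTERNS = {
    "fr": [r"\bvirement\b", r"coordonn[ée]es bancaires", r"\bRIB\b", r"\btransfert\b"],
    "en": [r"\bwire transfer\b", r"\bbank details\b", r"\bpayment\b"],
}
SECRECY_PATTERNS = {
    "fr": [r"strictement confidenti\w+", r"e-?mail personnel"],
    "en": [r"\bstrictly confidential\b", r"\bpersonal e-?mail\b"],
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample in the shape of the attack above (names are placeholders).
SAMPLE = """From: "Jean Dupont <jean.dupont@example.com>" <jean.dupont@dr.com>
To: finance.lead@example.com
Subject: Operation confidentielle

Nous réalisons actuellement une opération financière concernant une fusion/acquisition.
Cette opération doit rester strictement confidentielle.
Merci de contacter notre cabinet Mazars pour la remise des coordonnées bancaires
afin d'effectuer le virement immédiatement.
Ps : pour des raisons de sécurité, merci de communiquer uniquement sur mon email personnel.
"""

# Constructed control: a real payment instruction from the executive's own mailbox.
LEGIT = """From: "Jean Dupont" <jean.dupont@example.com>
To: finance.lead@example.com
Subject: Invoice 42

Please process the payment for invoice 42 once accounts payable has approved it.
"""


def split_from(raw_from):
    """Split a From: header into (display name, address), tolerating a display
    name that itself contains an angle-bracketed address."""
    head, sep, tail = raw_from.rpartition("<")
    if not sep:
        return "", raw_from.strip()
    return head.strip().strip('"').strip(), tail.rstrip(">").strip()


def display_name_findings(display_name, sender):
    """Flag display-name deception against the VIP directory."""
    findings = []
    sender_local, _, sender_domain = sender.lower().rpartition("@")
    # An address embedded in the display name that differs from the real sender
    for addr in EMAIL_RE.findall(display_name):
        if addr.lower().rpartition("@")[2] != sender_domain:
            findings.append(f"display name embeds {addr}, but the message was sent from {sender}")
    # The bare name, with any embedded address stripped out
    name = EMAIL_RE.sub("", display_name).replace("<", "").replace(">", "").strip().lower()
    for vip_addr, vip_name in VIP_DIRECTORY.items():
        if name == vip_name.lower() and sender_domain != ORG_DOMAIN:
            findings.append(f"display name matches VIP '{vip_name}' but sender domain is {sender_domain}")
            if sender_domain in FREE_WEBMAIL_DOMAINS and sender_local == vip_addr.split("@")[0]:
                findings.append(f"free-webmail username '{sender_local}' mirrors the VIP's corporate address")
    return findings


def content_findings(body):
    """Per-language payment and secrecy cues found in the body (case-insensitive)."""
    found = {}
    for lang, patterns in PAYMENT_PATTERNS.items():
        payment = [p for p in patterns if re.search(p, body, re.IGNORECASE)]
        if payment:
            secrecy = [p for p in SECRECY_PATTERNS[lang] if re.search(p, body, re.IGNORECASE)]
            found[lang] = {"payment": payment, "secrecy": secrecy}
    return found


def analyze(raw_message):
    """Combine header and body signals into a triage verdict."""
    msg = message_from_string(raw_message)
    display_name, sender = split_from(msg["From"])
    header = display_name_findings(display_name, sender)
    content = content_findings(msg.get_payload())
    cue_count = sum(len(v["payment"]) + len(v["secrecy"]) for v in content.values())
    # Impersonation plus a payment request is the BEC pattern; either alone only
    # earns extra scrutiny.
    if header and content:
        verdict = "quarantine"
    elif header or cue_count:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"sender": sender, "header_findings": header, "content_findings": content,
            "cue_count": cue_count, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SAMPLE, LEGIT):
        result = analyze(raw)
        print(result["verdict"], result["sender"], *result["header_findings"], sep="\n  ")
```

The control message, a genuine payment instruction from the executive's real address, lands in "review" rather than "quarantine": the keyword match alone earns a second look, but it is the impersonation signals on the From line that turn a payment request into a BEC verdict. In production the VIP list and webmail domain set would come from the directory and a maintained feed rather than literals.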

What are the Risks of This Attack?

Even though the email was sent from an unofficial Mail.com account, the use of the impersonated executive's name and corporate email address in the display name may cause an inattentive recipient to believe the message came from the executive, particularly on mail clients that show only the display name. Because the username of the sending address also matches the username of the executive's real address, an employee who does look at the address may not notice that only the domain differs. The request to reply only to the "personal" account moves any follow-up off the corporate mail system, so the real executive never sees it. Should the targeted employee comply with the attacker's request, the company would suffer a direct financial loss of an unknown amount.

Analysis Overview

Vector: Text-based
Goal: Payment Fraud
Tactic: Matching Free Webmail Username; Extended Spoofed Display Name
Theme: Mergers & Acquisitions
Impersonated Party: External Party - Other; Employee - Executive
Language: French
