In this German-language attack, a company CFO was impersonated, asking if the recipient can pay an overdue invoice from a large, global law firm. The email included a supposedly forwarded message from a law firm finance manager inquiring about the payment status. The impersonated executive stated in the fake email thread that a previous email had been sent to the recipient, and this was a second follow-up to ensure prompt payment. The fabricated email chain shows that the original message was written in English and addressed to the CFO, with the company president copied on the message. The contact information in the email signature matched the address of the law firm’s London office. The email was sent from an account hosted on a domain registered by the attacker and the sender’s display name was spoofed to match that of the impersonated CFO. 

[Image: Fake Email Chain BEC Attack]

English Translation:

Here; Below is an email I received today from Damian Prendergast (Financial Manager at Linklaters LLP).

This concerns an important contract that Linklaters is helping us negotiate and an outstanding unpaid invoice we were issued in September which we have not paid.

He emailed me last week and I asked him to contact you but he says you didn't reply so I asked him to email you again today.

Did you get emails from him?

Regards !!

Why It Bypassed Traditional Security

Because the attack is purely text-based, the message contains no other indicators of compromise that could help a secure email gateway detect malicious intent. Some email defenses train their detection models only on common languages, such as English, so attacks written in other languages may go undetected. The domain hosting the attacker’s email address is valid and had not previously been flagged as being used for malicious purposes.

Detecting the Attack

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request even when the message is written in German. Content analysis can flag invoice-related requests, indicating that an email should be reviewed more closely. Integration with Active Directory allows the platform to determine that the sending address is not associated with the executive being spoofed. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.
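The three signals described above (spoofed display name checked against a directory, payment-request language in German or English, and a recently registered sender domain) can be combined into a simple rule-based triage score. The following is an added example written for this page, not Abnormal Security's code; the directory lookup, the domain-registration dates, the executive name and the sample message are all constructed stand-ins, and the 30-day "young domain" threshold is an assumed value.

```python
"""
Added example (not Abnormal Security's code): a rule-based triage scorer
that reproduces the detection signals discussed above for one inbound message.
All lookups and sample data below are constructed for illustration.
"""
import re
from datetime import date
from email.utils import parseaddr

# Constructed stand-in for a directory lookup (e.g. an Active Directory export):
# display name -> set of addresses that legitimately belong to that person.
DIRECTORY = {
    "Maria Schneider": {"maria.schneider@example-corp.com"},  # hypothetical CFO
}

# Constructed stand-in for a domain-age lookup (WHOIS / RDAP creation dates).
DOMAIN_CREATED = {
    "example-corp.com": date(2005, 3, 14),
    "example-corp-mail.com": date(2023, 10, 2),  # hypothetical lookalike domain
}

# Payment-request vocabulary in English and German; German stems match inflected forms.
PAYMENT_TERMS = [
    r"\binvoice\b", r"\bpayment\b", r"\boverdue\b", r"\bwire\b",
    r"\brechnung", r"\bzahlung", r"\büberfällig", r"\büberweis",
]
PAYMENT_RE = re.compile("|".join(PAYMENT_TERMS), re.IGNORECASE)


def spoofed_display_name(from_header):
    """True when the display name belongs to a directory user but the address does not."""
    name, addr = parseaddr(from_header)
    known = DIRECTORY.get(name.strip())
    return bool(known) and addr.lower() not in known


def payment_request_terms(body):
    """Return the distinct payment-related terms found in the body, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in PAYMENT_RE.finditer(body)})


def domain_age_days(from_header, today):
    """Age of the sender's domain in days, or None when the lookup has no record."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    created = DOMAIN_CREATED.get(domain)
    return (today - created).days if created else None


def score_message(from_header, body, today, young_domain_days=30):
    """Combine the three signals; each hit becomes one human-readable reason."""
    reasons = []
    if spoofed_display_name(from_header):
        reasons.append("display name matches an executive but the address is not theirs")
    terms = payment_request_terms(body)
    if terms:
        reasons.append("payment request language: " + ", ".join(terms))
    age = domain_age_days(from_header, today)
    if age is None:
        reasons.append("sender domain has no known registration record")
    elif age < young_domain_days:
        reasons.append(f"sender domain registered {age} days ago")
    return reasons


# Constructed message modelled on the attack above: German payment request,
# spoofed CFO display name, freshly registered sender domain.
SAMPLE_FROM = "Maria Schneider <m.schneider@example-corp-mail.com>"
SAMPLE_BODY = (
    "Hallo, unten eine E-Mail, die ich heute erhalten habe. Es geht um eine "
    "offene, unbezahlte Rechnung vom September. Bitte die Zahlung zeitnah "
    "veranlassen. Haben Sie seine E-Mails erhalten?"
)
SAMPLE_TODAY = date(2023, 10, 20)  # constructed "now" for the domain-age check


def sample_findings():
    """Run the scorer over the constructed sample message."""
    return score_message(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_TODAY)


if __name__ == "__main__":
    for reason in sample_findings():
        print("-", reason)
```

Each function returns its evidence rather than a verdict, so a reviewer can see why a message was held; in practice the directory and domain-age lookups would be backed by a real directory query and a WHOIS/RDAP client rather than the inline dictionaries used here.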

Risk to Organization

The fake email chain included in the attack provides a layer of legitimacy to the message, which may result in a higher success rate. Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of an unknown amount; however, the average payment fraud BEC attack causes tens of thousands of dollars of losses. 

Analysis Overview

Vector: Text-based
Goal: Payment Fraud
Tactic: Fake Email Chain, Maliciously Registered Domain, Spoofed Display Name
Theme: Overdue Payment
Impersonated Party: Employee - Executive
Language: German
