In this attack, the attacker impersonated the targeted company’s COO to ask an employee to purchase gift cards as a reward for employees for their performance over the last quarter and to encourage continued hard work. In addition to setting the sender’s display name to spoof the impersonated COO, the attacker sent the email from a freely available GMX account created with a username that matched the impersonated executive’s name.

Gift Card BEC Email

Why It Bypassed Traditional Security

A secure email gateway can't determine malicious intent because the attack is purely text-based, with no other indicators of compromise to inspect. The email was sent from a GMX account, a free webmail service available to anyone. As a result, there is no poor domain reputation for traditional security tools to flag, and the email passes all authentication checks for SPF, DKIM, and DMARC.

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of a gift card request. With Active Directory integration, the platform knows that the sending address is not associated with the spoofed executive. Integration with the Microsoft API lets the solution read the organizational chart from Active Directory and identify VIP mailboxes, so it can recognize when an executive is being impersonated through display name deception.
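The detection logic described above, as an added example that is not part of the original page or of any vendor's product: it parses the From header, compares the display name against a constructed VIP directory standing in for an Active Directory lookup, flags a sender address that does not match the directory record (including the matching-username case from this attack), and runs a simple keyword check for gift card language in the body. The organization domain, the directory entries, and the sample messages are all constructed for the example.

```python
"""Display-name deception and gift card BEC detection (added example).

The VIP directory below stands in for what an Active Directory lookup
would return; the domain, names and messages are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organizational domain

# Constructed VIP directory keyed by display name (e.g. from an AD org chart).
VIP_DIRECTORY = {
    "Jane Doe": {"email": "jane.doe@example.com", "title": "COO"},
}

# Phrases typical of gift card requests; a real deployment would use an NLP model.
GIFT_CARD_PATTERNS = [
    r"\bgift\s*cards?\b",
    r"\be-?gift\b",
    r"\b(itunes|google play|amazon)\s+cards?\b",
]


def normalize_name(name):
    """Case-fold and collapse whitespace so 'jane  DOE' matches 'Jane Doe'."""
    return " ".join(name.lower().replace(",", " ").split())


def lookup_vip(display_name):
    """Return the directory record whose name matches the display name, if any."""
    key = normalize_name(display_name)
    for name, record in VIP_DIRECTORY.items():
        if normalize_name(name) == key:
            return record
    return None


def analyze_message(raw):
    """Return an ordered list of findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display_name, address = parseaddr(str(msg["From"]))
    address = address.lower()
    local_part, _, domain = address.rpartition("@")
    findings = []

    vip = lookup_vip(display_name)
    if vip and address != vip["email"].lower():
        # Display name belongs to a VIP but the address is not their mailbox.
        findings.append("display_name_impersonation")
        if domain != ORG_DOMAIN:
            findings.append("external_sender_domain")
        vip_local = vip["email"].split("@")[0].lower()
        if local_part.replace(".", "") == vip_local.replace(".", ""):
            # Username mirrors the executive's real one, e.g. jane.doe@<webmail>.
            findings.append("matching_username")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(re.search(p, text, re.IGNORECASE) for p in GIFT_CARD_PATTERNS):
        findings.append("gift_card_request")
    return findings


def risk_verdict(findings):
    """Combine signals: impersonation plus a gift card ask is the BEC pattern."""
    impersonation = "display_name_impersonation" in findings
    request = "gift_card_request" in findings
    if impersonation and request:
        return "high"
    if impersonation or request:
        return "medium"
    return "low"


# Constructed sample: spoofed display name, matching username on free webmail.
ATTACK_SAMPLE = """\
From: Jane Doe <jane.doe@gmx.example>
To: employee@example.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

I want to reward the team for their performance over the last quarter.
Could you pick up some gift cards today so I can hand them out?
"""

# Constructed sample: same request from the executive's real mailbox.
INTERNAL_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: employee@example.com
Subject: Team rewards
Content-Type: text/plain; charset="utf-8"

Please order the quarterly gift cards through procurement as usual.
"""

# Constructed sample: unrelated external mail.
UNRELATED_SAMPLE = """\
From: Bob Vendor <bob@vendor.example>
To: employee@example.com
Subject: Invoice
Content-Type: text/plain; charset="utf-8"

Attached is the invoice for last month.
"""

if __name__ == "__main__":
    for sample in (ATTACK_SAMPLE, INTERNAL_SAMPLE, UNRELATED_SAMPLE):
        found = analyze_message(sample)
        print(risk_verdict(found), found)
```

The directory comparison is the piece a gateway lacks: a reputation check on the webmail domain and the SPF/DKIM/DMARC results all pass, while the mismatch between a VIP display name and the mailbox the directory actually assigns to that person is what separates this message from the legitimate one.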

Risk to Organization

Because the username of the sending email address matches the expected username of the impersonated executive’s actual email address, employees may not notice the difference and may trust that the message came from an authentic source. Similarly, because the sender’s display name has been spoofed to impersonate the company’s COO, an employee receiving the email may instinctively comply with the request since it appears to come from a person of authority.

Analysis Overview

Vector: Text-based
Goal: Gift Card Request
Tactic: Matching Free Webmail Username; Spoofed Display Name
Theme: Employee Incentive
Impersonated Party: Employee - Executive
