In this attack, the attacker impersonated a company executive to request the payment of a supposedly overdue invoice for professional services from PwC. The attacker included a fake email thread from an impersonated PwC financial analyst that indicated that the payment was being requested because their accounting department would be closing early for the holidays. The fake email chain contained a look-alike email address for the impersonated PwC analyst. The email was sent from an address hosted on a domain registered by the attacker and the sender’s display name was set to match the name of the impersonated executive. The email was sent to a central accounts payable email address rather than to individual employees. The subject of the email–“Happy Holidays!”--matches the holiday theme included throughout the message.

Status Bar Dots
Holiday BEC Attack Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

What are the Risks of This Attack?

The fake email chain included in the attack provides a layer of legitimacy to the message, which may result in a higher success rate. Because the sender’s display name has been spoofed to impersonate a company executive, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of an unknown amount.

Analysis Overview




Payment Fraud


Fake Email Chain
Maliciously Registered Domain
Look-alike Domain
Spoofed Display Name


Overdue Payment

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo