In this attack, the email impersonated a company executive and asked the recipient, a payments specialist, if they could make a payment to a company located in the United Kingdom. The email was written in Hungarian, and both the impersonated executive and recipient were located in the company's Hungarian offices. The brief email included some time sensitivity, asking if the recipient could make the payment the same day. The email was sent from a Gmail account and the sender’s display name was set to match the impersonated executive’s name.

Hungarian BEC Email

English Translation:

We need to send a payment to a UK company. What kind of details do you need to make the payment? Can you do it today?

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. Some email defenses train their detection models only on common languages, such as English, so attacks written in other languages may not be detected. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request, even when the message is written in Hungarian. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails, so it knows when an executive is being impersonated via display name deception. Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny.
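The display-name and payment-content checks described above, sketched in Python as an added example (not the vendor's implementation and not code from this page). The VIP directory, addresses, term stems and sample message are constructed, and a static dictionary stands in for the Active Directory lookup.

```python
import unicodedata
from email import message_from_bytes, policy

# Constructed stand-in for the org-chart lookup: VIP name -> known addresses.
VIP_DIRECTORY = {"Kovács Anna": {"anna.kovacs@corp.example"}}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Constructed accent-folded stems: Hungarian "fizet" (pay), "atutal" (transfer).
PAYMENT_STEMS = ("fizet", "atutal", "payment", "wire transfer")

def fold(text):
    """Casefold and strip accents so 'Kovács' and 'kovacs' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def name_key(name):
    """Order-insensitive token set: Hungarian usage puts the family name first."""
    return frozenset(fold(name or "").replace(",", " ").split())

VIP_KEYS = {name_key(n): addrs for n, addrs in VIP_DIRECTORY.items()}

def analyze(raw_bytes):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    header = msg["From"]  # policy.default decodes RFC 2047 display names
    findings = []
    for sender in (header.addresses[:1] if header else ()):
        known = VIP_KEYS.get(name_key(sender.display_name))
        if known is not None and sender.addr_spec.lower() not in known:
            findings.append("vip_display_name_mismatch")
            if sender.domain.lower() in FREE_WEBMAIL:
                findings.append("free_webmail_sender")
    body = msg.get_body(preferencelist=("plain",))
    text = fold(body.get_content()) if body is not None else ""
    if any(stem in text for stem in PAYMENT_STEMS):
        findings.append("payment_request")
    return findings

# Constructed sample; the Hungarian body is illustrative, not the original email.
SAMPLE = (
    "From: =?utf-8?q?Kov=C3=A1cs_Anna?= <office.kovacs@gmail.com>\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/plain; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "Fizetést kell küldenünk egy brit cégnek. El tudod intézni még ma?\r\n"
).encode("utf-8")

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Because the message passes SPF, DKIM, and DMARC, none of these findings depend on authentication results; they compare the claimed identity against the directory and inspect the text.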

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of an unknown amount.

Analysis Overview

Vector: Text-based

Goal: Payment Fraud

Tactic: Free Webmail Account, Spoofed Display Name

Theme: New Vendor

Impersonated Party: Employee - Executive

Language: Hungarian
