In this attack, the attacker targeted a human resources manager while impersonating a country-level company executive based in Italy. The email, written in Italian, asked the targeted employee to update the bank account associated with the executive's payroll direct deposit and asked whether the change could take effect before the next pay date. The email was sent from a freely available Gmail account, and the sender's display name was set to match the name of the impersonated executive.

Italian-language BEC Email

English Translation:

Hi Payroll,

I would like to change the account on my paycheck to a new account and I would like to know if it will be effective for the next payment?

Thank you

How Does This Attack Bypass Email Defenses?

Because the attack is purely text-based, with no link, attachment, or other indicator of compromise, a secure email gateway has little to work with when judging intent. The email was sent from a Gmail account, a free webmail service available to anyone, so there is no bad domain reputation for traditional security providers to find, and the message passes SPF, DKIM, and DMARC. Note what those checks actually verify: they confirm that the message genuinely came from gmail.com, not that the display name or the person behind it is who they claim to be. Some email defenses also train their detection models only on common languages such as English, so attacks written in other languages may go undetected.

How Can This Attack Be Detected?

Natural language processing with multi-language support lets a cloud email security solution recognize a suspicious payroll update request even when the message is written in Italian. Integration with the Microsoft API lets the solution read Active Directory to build the organizational chart and identify VIP mailboxes; with that context, a message whose display name matches an executive but whose sending address is not one the executive actually uses can be flagged as display name deception rather than trusted on the name alone.
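The following is an added example, not Abnormal Security's code, showing the three signals discussed in the two sections above combined into one triage pass: reading what SPF/DKIM/DMARC actually vouched for, comparing the From display name against a VIP directory, and spotting payroll-change phrasing in Italian as well as English. The organization domain, VIP directory, free-mail list and keyword lists are assumptions, and RAW_MESSAGE is a constructed sample modelled on the attack described on this page, not the original email.

```python
# Added example, not Abnormal Security's code: a minimal triage pass for
# display-name impersonation carrying a payroll-diversion lure.  The org domain,
# VIP directory, free-mail list and keyword lists below are assumptions, and
# RAW_MESSAGE is a constructed sample modelled on the attack described above.
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                               # assumed
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed
# Assumed VIP lookup, the kind of thing an org-chart/directory sync provides:
# display name -> the addresses that executive actually sends from.
VIP_DIRECTORY = {"Giulia Ferrari": {"giulia.ferrari@example-corp.com"}}

# A payroll lure needs a change verb, a bank-account noun and a pay noun.
# Each language is checked independently, so an Italian message is not
# missed because the model only knows English phrasing.
PAYROLL_LURES = {
    "it": (r"\b(cambiare|aggiornare|modificare)\b",
           r"\b(conto|iban|coordinate bancarie)\b",
           r"\b(busta paga|stipendio|pagamento)\b"),
    "en": (r"\b(change|update|switch)\b",
           r"\b(account|direct deposit|routing number)\b",
           r"\b(paycheck|payroll|pay date)\b"),
}

# Constructed sample: authentication passes, but for gmail.com, not for the
# impersonated organization's domain.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
From: Giulia Ferrari <gferrari.ceo.it@gmail.com>
To: payroll@example-corp.com
Subject: Cambio conto
Content-Type: text/plain; charset="utf-8"

Ciao Payroll,

Vorrei cambiare il conto della mia busta paga con un nuovo conto e vorrei
sapere se sara' effettivo per il prossimo pagamento?

Grazie
"""


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def parse_auth_results(msg):
    """Return {mechanism: (result, authenticated domain)} from Authentication-Results."""
    header = " ".join(str(msg.get("Authentication-Results", "")).split())
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)\s+\S+?=([\w.-]+)", header)
    return {mech: (result, domain.lower()) for mech, result, domain in found}


def check_display_name(msg):
    """Flag a From display name that matches a VIP whose address this is not."""
    name, addr = parseaddr(str(msg["From"]))
    known = VIP_DIRECTORY.get(name.strip())
    if known is None or addr.lower() in known:
        return None
    return f"display name '{name}' matches a VIP but the address is {addr}"


def find_payroll_lure(text):
    """Return the languages in which all three payroll-change signals appear."""
    flat = " ".join(text.lower().split())
    return [lang for lang, pats in PAYROLL_LURES.items()
            if all(re.search(p, flat) for p in pats)]


def analyze(raw):
    """Combine the three checks into a verdict with human-readable findings."""
    msg = parse_message(raw)
    findings = []
    auth = parse_auth_results(msg)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    all_pass = all(auth.get(m, ("none", ""))[0] == "pass"
                   for m in ("spf", "dkim", "dmarc"))
    if all_pass and sender_domain != ORG_DOMAIN and sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"SPF/DKIM/DMARC pass only vouch for {sender_domain}, "
                        f"a free webmail domain, not for {ORG_DOMAIN}")
    hit = check_display_name(msg)
    if hit:
        findings.append(hit)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    langs = find_payroll_lure(body)
    if langs:
        findings.append(f"payroll account-change request detected ({', '.join(langs)})")
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for line in analyze(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run stand-alone, the script prints the three findings for the constructed message. The point of the authentication check is the one the page makes: a clean SPF/DKIM/DMARC result for gmail.com is expected for any Gmail sender and is not evidence that the display name is trustworthy, so the verdict is driven by the directory mismatch and the lure, not by authentication alone.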

What are the Risks of This Attack?

Because the sender's display name impersonates a company executive, an employee receiving the email may comply reflexively, since the request appears to come from a person of authority. If the target makes the change, the executive's future paychecks are diverted to an account the attacker controls. Depending on the executive's salary and how long it takes for the error to be noticed, the company (and the executive) could lose a significant amount of money. A simple control is to confirm any direct deposit change through a second channel, such as a call to a phone number already on file, before it takes effect.

Analysis Overview

Vector: Text-based
Goal: Payroll Diversion
Tactic: Free Webmail Account, Spoofed Display Name
Impersonated Party: Employee - Executive
Language: Italian
