This multi-layered fake billing scam attack begins with a compromised email account of Triumph Construction NY, a construction company involved with large infrastructure projects in New York City. After the attacker gains context from Sherif's prior communications regarding a large project and invoice, the attacker creates the look-alike domain, "," and asks for payment updates on a massive $13.5 million invoice, CCing several different recipients to stay connected to the thread. 

In addition to the invoice, the attacker also attaches prior legitimate conversations as an EML file and copies and pastes Sherif's prior communications to make it appear that Sherif is following up on an existing thread. To further camouflage their malicious activity, the attacker strategically removes the email address from the "From: Sherif Salem" field in the header of the email. Doing so allows the attacker to circumvent the authentic domain altogether, thereby thwarting any attempts by legacy security systems to flag the similarity between the legitimate and look-alike domains. When one of the recipients replies to the thread, the attacker responds to continue building credibility, referencing prior communications and the hefty invoice in further replies. 

Legacy email security tools have difficulty flagging this email as an attack because of the lack of malicious links, the seemingly ordinary PDF and EML attachments, and the lack of direct requests for sensitive information. Modern, AI-powered email security solutions analyze the domain age, attachments, and content to identify this attack accurately. 

After compromising Sherif's account, the attacker copies and pastes prior communications to make it appear like they're following up on a prior thread when sending the first attack with the look-alike domain. The attacker also strategically removes the email address from the "From: Sherif Salem" field in the header of the email.

One of the CC'd recipients replies to the attacker and requests changes to the invoice.

The attacker engages with the recipient, referencing the changes to the invoice and further embedding themselves.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Links: The email contains no links in the body text. Legacy security tools often rely on detecting malicious links to flag phishing emails. In this case, there are no links to analyze, which could allow the email to bypass these security measures.
  • Attachments: The email contains a PDF and an EML file. Legacy security tools may be unable to analyze the content of these types of files for malicious content.
  • No Direct Request for Sensitive Information: The email does not directly ask for sensitive information like passwords or financial details, a typical red flag legacy systems use to determine if an email looks suspicious.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Age: The sender's email domain is two months old, which means it's a newly registered domain. Abnormal's AI flags this as a potential risk, as cybercriminals often use new domains for launching attacks.
  • Attachment Analysis: The email contains a PDF and an EML file. Abnormal's AI analyzes the content of these types of files for malicious content, which legacy systems may be unable to do.
  • Content Analysis: Abnormal's AI analyzes the content of the email for subtle signs of a phishing attempt, including the language, tone, and context, which helps detect sophisticated attacks that may not contain obvious red flags.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
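The domain-age and attachment signals listed above, together with a look-alike comparison against known vendor domains, can be approximated with a few header checks. This is an added example, not Abnormal's detection logic: the domains, registration date, thresholds and sample message are constructed, and the `REGISTERED_ON` table is a hypothetical stand-in for a WHOIS/RDAP lookup.

```python
from datetime import date
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: every domain, date and message below is made up.
KNOWN_VENDOR_DOMAINS = {"vendor-example.com"}
REGISTERED_ON = {"vendor-examp1e.com": date(2023, 7, 1)}  # stand-in for WHOIS/RDAP
SAMPLE_EML = """\
From: Sherif Salem <sherif@vendor-examp1e.com>
To: ap@customer-example.com
Cc: pm@customer-example.com
Subject: RE: Invoice payment update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Following up on the invoice below.
--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="thread.eml"

From: Sherif Salem

Original thread text.
--b1--
"""

def bec_signals(raw, today, max_age_days=90, min_ratio=0.85):
    """Return the set of risk signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = set()
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        signals.add("from-without-address")  # display name only, nothing to verify
    elif domain not in KNOWN_VENDOR_DOMAINS:
        # Close to a known vendor domain without being identical: look-alike.
        if any(SequenceMatcher(None, domain, known).ratio() >= min_ratio
               for known in KNOWN_VENDOR_DOMAINS):
            signals.add("look-alike-domain")
        created = REGISTERED_ON.get(domain)
        if created and (today - created).days <= max_age_days:
            signals.add("new-domain")
    # A prior thread attached as .eml arrives as a message/rfc822 MIME part.
    if any(part.get_content_type() == "message/rfc822" for part in msg.walk()):
        signals.add("eml-attachment")
    return signals
```

No single signal is conclusive; the combination of a near-match domain, a recent registration and a payment thread is what makes the message worth holding for review.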

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Payment Fraud
  • Look-alike Domain
  • Account Update
  • Impersonated Party: External Party - Vendor/Supplier
