This attack uses a compromised vendor account to request an update to banking information for an upcoming invoice. In addition to including legitimate-looking attachments featuring official letterhead and using conversational language that mimics real communications, this attack is almost successful because multiple employees engage with the attacker’s initial message. As the attacker embeds themselves further into conversation threads, it becomes more difficult to detect this as an attack. 

Since legacy email security tools cannot scan the content of the email, an email thread with this level of engagement usually passes undetected. With modern solutions that can analyze email content and attachments, plus continually update security filters, high-engagement threads like this are successfully identified as malicious.

Note: Abnormal detected this attack in passive mode, allowing it to reach end users who were able to engage with the attacker.

The attacker’s initial message attempts to infiltrate the environment and redirect an invoice payment to a fraudulent account.

The attacker attaches a legitimate-looking document that contains detailed wiring and banking details.

Two different employees engage with the attacker’s initial message a week apart, adding legitimacy to the thread and potentially exposing important information.

Following detection, we alerted our customer to the compromised vendor to prevent any financial transactions.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-appearing content: The email discussion appears to be about a bank account update, which is a common topic in a business environment.
  • Lengthy email chain: The email includes a long thread of internal and external communications, increasing the perceived authenticity of the email.
  • Inefficient detection of malicious attachments: The email contains a legitimate-looking attachment, which could make it difficult for traditional antivirus software or other attachment scanners to flag it as malicious. The logo and format in the fake attachment mimic real invoices.

How Can This Attack Be Detected?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Email content analysis: The system analyzed the email’s content to identify indicators of manipulative language, common social engineering tactics, and inconsistencies in syntax and formatting.
  • Email security filters: Updating and configuring email security filters regularly helps flag malicious patterns by adapting to new and evolving threats. As attackers continuously evolve their tactics, techniques, and procedures, email security filters were updated automatically to identify the latest signatures, patterns, and behaviors related to malicious billing account updates.
  • Attachment analysis: AI-powered attachment analysis evaluated the file type, file size, header information, and embedded objects within the email using OCR to identify this as an attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
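As a simplified, rule-based illustration of the content and attachment checks listed above (an added example, not Abnormal's detection logic): the sketch below flags a thread when a vendor message asks for a banking change and the routing or account numbers in the body or OCR'd attachment text differ from the details on file. The vendor record, domains, field names and sample thread are constructed assumptions; internal replies are counted but never treated as a sign of legitimacy.

```python
import re

# Constructed vendor master record: banking details already on file per vendor domain.
VENDOR_BANK_ON_FILE = {
    "acme-supplies.example": {"routing": "011111111", "account": "1000200030"},
}
CHANGE_RE = re.compile(
    r"\b(updat\w*|chang\w*|new|switch\w*)\b.{0,40}\b(bank\w*|account|wire|wiring|remittance)\b",
    re.I | re.S)
FIELD_RES = {
    "routing": re.compile(r"\b(?:routing|aba)\D{0,15}(\d{9})\b", re.I),
    "account": re.compile(r"\b(?:account|acct)\D{0,15}(\d{6,17})\b", re.I),
}

def assess_thread(messages, internal_domain):
    """messages: dicts with 'from', 'body', optional 'attachment_text' (OCR output)."""
    suffix = "@" + internal_domain
    reasons, repliers = set(), set()
    for msg in messages:
        sender = msg["from"].lower()
        if sender.endswith(suffix):
            repliers.add(sender)  # engagement is recorded, never used as a trust signal
            continue
        # A known vendor domain is not trusted either: the account may be compromised.
        on_file = VENDOR_BANK_ON_FILE.get(sender.rsplit("@", 1)[-1], {})
        text = "\n".join([msg["body"], *msg.get("attachment_text", [])])
        if CHANGE_RE.search(text):
            reasons.add("bank-change-request")
        for field, pattern in FIELD_RES.items():
            if any(value != on_file.get(field) for value in pattern.findall(text)):
                reasons.add(field + "-not-on-file")
    hold = any(r.endswith("-not-on-file") for r in reasons)
    return {"hold_payment": hold, "reasons": sorted(reasons),
            "internal_repliers": len(repliers)}

SAMPLE_THREAD = [  # constructed messages, oldest first
    {"from": "ar@acme-supplies.example",
     "body": "Hi, please update our bank account details before the next invoice is paid.",
     "attachment_text": ["ACME SUPPLIES\nRouting number: 022222222\nAccount number: 9000800070"]},
    {"from": "pat@corp.example", "body": "Thanks, looping in AP."},
    {"from": "lee@corp.example", "body": "Which invoice does this apply to?"},
]

if __name__ == "__main__":
    print(assess_thread(SAMPLE_THREAD, "corp.example"))
```

A held payment would then be confirmed with the vendor through a contact channel already on record rather than by replying in the thread.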

Analysis Overview

  • Payment Fraud
  • External Compromised Account
  • Account Update
  • Impersonated Party: External Party - Vendor/Supplier