Paid Invoice Notification Used for Credential Phishing Attack
Unlike business email compromise attacks that often ask the recipient to send money for an unpaid invoice, this credential phishing attack takes the opposite approach, using a fake notification that an invoice has already been paid to encourage clicks. To set up the attack, the threat actors first compromised an external vendor account, potentially through the same or a very similar credential phishing attack. Once inside that account, the attacker could observe ongoing financial transactions and target the vendor's existing customers.
In the attack itself, the email states that payment has been made for an unnamed invoice and provides a link to an Excel document that the recipient can open for further details. To add legitimacy, the text states that the message is system-generated and asks the recipient not to reply, which removes the obvious path of checking with the sender whether the email is genuine. On clicking the link, the recipient is directed to a page that looks similar to the real Microsoft 365 sign-in page and asks them to enter only their password.
Why It Bypassed Traditional Security
This email comes from a real vendor account that has an existing relationship with the target organization, so there is nothing unusual about the sending domain for legacy tools that rely on domain reputation to detect. In addition, the URL within the email has not been seen before, so threat intelligence-based tools that match known malicious links have nothing to match against.
Detecting the Attack
Natural language processing enables cloud email security solutions to detect the presence of an unusual invoice or payment request, and a federated supply chain database understands when a vendor account may be compromised—across the entire customer ecosystem. Further, a behavioral system can stop attacks that use never-before-seen URLs by understanding the intent of the link.
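The detection approach described above can be illustrated with a simplified rule-based scorer. The code below is an added example written for this page, not code from the original article or from any vendor's product; it replaces the natural language processing and federated vendor database with keyword patterns and two hypothetical lookup sets (`KNOWN_VENDOR_DOMAINS`, `PREVIOUSLY_SEEN_HOSTS`), and the two sample messages are constructed for the demonstration. It combines the indicators the attack description gives: payment-made language, a "system-generated, do not reply" line, a spreadsheet lure, and a link to a host the organization has never seen, with extra weight when that unseen link comes from a vendor the organization already trusts, since that combination points to a compromised vendor account rather than a spoofed one.

```python
import re
from urllib.parse import urlparse

# Hypothetical organizational context, constructed for this example: vendors the
# organization already does business with, and link hosts previously seen in
# their mail. A real deployment would derive both from mail history.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}
PREVIOUSLY_SEEN_HOSTS = {"acme-supplies.example", "portal.acme-supplies.example"}

# Lexical indicators taken from the attack description above.
PAYMENT_LANGUAGE = re.compile(
    r"payment (has been|was) (made|processed|sent)|paid invoice|remittance advice", re.I)
DO_NOT_REPLY = re.compile(r"system[- ]generated|do not reply|do not respond", re.I)
DOCUMENT_LURE = re.compile(r"\b(excel|spreadsheet|xlsx?)\b|view (the )?(document|details)", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>]+", re.I)

# Indicator weights; the never-before-seen link carries the most weight because
# it is exactly the signal a reputation feed cannot supply.
WEIGHTS = {
    "payment_notification_language": 2,
    "do_not_reply_instruction": 1,
    "spreadsheet_lure": 1,
    "never_seen_link_host": 3,
    "known_vendor_sending_new_host": 1,
}


def sender_domain(sender: str) -> str:
    """Return the lower-cased domain of an address such as 'billing@vendor.example'."""
    return sender.rsplit("@", 1)[-1].strip().lower()


def link_hosts(text: str) -> set:
    """Extract the host of every http(s) URL in the message text."""
    hosts = set()
    for url in URL_PATTERN.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname  # drop trailing punctuation
        if host:
            hosts.add(host.lower())
    return hosts


def score_email(sender: str, subject: str, body: str) -> dict:
    """Score one message against the indicators and report which ones fired."""
    text = f"{subject}\n{body}"
    reasons = []
    if PAYMENT_LANGUAGE.search(text):
        reasons.append("payment_notification_language")
    if DO_NOT_REPLY.search(text):
        reasons.append("do_not_reply_instruction")
    if DOCUMENT_LURE.search(text):
        reasons.append("spreadsheet_lure")

    unseen = {h for h in link_hosts(body) if h not in PREVIOUSLY_SEEN_HOSTS}
    if unseen:
        reasons.append("never_seen_link_host")
        # A trusted vendor suddenly linking to an unknown host is the pattern of
        # a compromised vendor account, which domain reputation alone cannot see.
        if sender_domain(sender) in KNOWN_VENDOR_DOMAINS:
            reasons.append("known_vendor_sending_new_host")

    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "quarantine" if score >= 5 else "flag" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons,
            "unseen_hosts": sorted(unseen)}


# Constructed samples for the demonstration, not messages from the original article.
PHISH = (
    "billing@acme-supplies.example",
    "Payment Notification",
    "Payment has been made for your invoice. View the Excel document at "
    "https://docs-share.example.net/invoice/view for details.\n"
    "This is a system-generated email, please do not reply.",
)
BENIGN = (
    "billing@acme-supplies.example",
    "Invoice 1042 paid",
    "Payment has been made for invoice 1042. Your receipt is at "
    "https://portal.acme-supplies.example/receipts/1042. Reply with any questions.",
)

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        print(score_email(*sample))
```

The benign receipt from the same vendor scores only on the payment language, because its link goes to a host the organization has seen before and it invites a reply; the phishing sample accumulates every indicator and is quarantined. Host matching here is exact, so a deployment would also want to decide how to treat new subdomains of known hosts.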
Risk to Organization
This email relies on the known vendor relationship and a legitimate sending account, plus curiosity about the payment, to trick users into clicking the link, even if only to see what the document contains. Once an employee enters their Microsoft credentials, attackers have full access to the email account, which they can then use to search for sensitive information or as a launch point for further attacks on the employee's coworkers, customers, or vendors.