In this attack, a company executive was impersonated requesting their pay stubs for the previous four months. The email was sent from a Privatemail account, a free webmail service, and the sender’s display name was spoofed to match the executive’s name. 

Status Bar Dots
Pay Stub Payroll Diversion Attack

Had the recipient responded to the initial email, the attacker would have followed up with a request to update the executive’s payroll banking information due to their current account being compromised.

Status Bar Dots
Pay Stub Payroll Diversion Attack

Why It Bypassed Traditional Security

Because the attack is text-based, without any other traditional indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a PrivateMail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

Detecting the Attack

 Natural language processing enables cloud email security solutions to detect the presence of attacks that request changes to payroll accounts. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand when an executive is being impersonated via display name deception. The email address sending the message has not been previously associated with the impersonated executive.

Risk to Organization

The sender's display name has been spoofed to impersonate an executive, so an employee receiving the email may instinctively comply with it since it appears to come from someone of authority. Should the target comply with the attacker’s request, the executive’s future paychecks would be diverted to an account controlled by the attacker. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the executive) could lose a significant amount of money.

Analysis Overview




Payroll Diversion


Free Webmail Account
Spoofed Display Name

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo