In this attack, a company executive was impersonated to request the recipient change the bank account associated with their payroll direct deposit. The email was written in two languages. The email subject was written in Lithuanian and the main content in the email’s body was written in Dutch. The email was sent from a freely-available Gmail account and the sender’s display name was spoofed to match the name of the impersonated executive.

Status Bar Dots
Lithuanian/Dutch Payroll Diversion

English Translation:

Hello,

I want to change the account on my payroll to a new account and

I would like to know if it will be effective for the next payment?

Thank you

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of attacks that request changes to payroll accounts. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception and email is not associated with the executive being spoofed.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the target engage with this email, the attacker is likely to send banking information for a new account—enabling him to receive the next direct deposit. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the VIP) could lose tens of thousands of dollars.

Analysis Overview

Vector

Text-based

Goal

Payroll Diversion

Tactic

Free Webmail Account
Spoofed Display Name

Impersonated Party

Employee - Executive

Language

Dutch
Lithuanian

See How Abnormal Stops Emerging Attacks

See a Demo