Attack Overview

Step 1: Email

The attacker sends a professional-looking email that impersonates a senior executive (e.g., CEO or President). The message contains a financial request, such as asking for payment status updates or sensitive billing information.

  • Spoofs names and titles of high-ranking company officials.
  • Requests revolve around payments, audits, or vendor communications.
  • Target is encouraged to respond or take action without question.

Step 2: Domain Deception via Punycode

The sender domain closely resembles a legitimate one but substitutes accented (non-ASCII) characters for one or more letters. Such an internationalized domain name is transmitted as Punycode (an "xn--" label), but many mail clients render the Unicode form, so the recipient sees what looks like a familiar company name.

  • Uses look-alike domains like hìghpressure[.]com and exxonmbíl[.]com.
  • Messages pass SPF, DKIM, and DMARC because the attacker controls the look-alike domain and publishes valid records for it; authentication confirms only that the mail came from that domain, not that the domain belongs to the impersonated company.
  • The changes are visually minor but technically distinct: the look-alike is a different registered domain.

Step 3: Benign but Deceptive Content

The email contains no links or attachments, so there is nothing for URL or file scanners to act on; the pressure on the recipient to share sensitive data is carried entirely by the text.

  • Email lacks traditional phishing signals like links or files.
  • Security tools are less likely to flag or quarantine.
  • The content relies on social engineering and perceived authority.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • It came from an attacker-controlled look-alike domain whose SPF, DKIM, and DMARC checks all passed.
  • The Punycode look-alike domain rendered as a near-copy of the legitimate name.
  • The email contained no links or attachments, so link and attachment scanners contributed nothing to the threat score.
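As an added example (not code from this page or from Abnormal Security), the following Python demonstrates the two facts a practitioner needs from Step 2 and the bypass list above: the accented domain travels as an "xn--" Punycode label that decodes back to the look-alike, and a sender-domain check must therefore fold diacritics before comparing against the names it trusts. It goes slightly beyond the page by also applying an edit-distance threshold, which catches the dropped letter in exxonmbíl. The TRUSTED_DOMAINS set, the choice of highpressure.com as the genuine counterpart, and all function names are assumptions made for the example.

```python
import unicodedata

# Constructed for this example: domains the organization treats as legitimate senders.
# "highpressure.com" is an assumed counterpart of the look-alike shown on the page;
# the page itself does not name the genuine domain.
TRUSTED_DOMAINS = {"highpressure.com", "exxonmobil.com"}


def wire_form(domain: str) -> str:
    """ASCII form of a domain as it travels on the wire (Punycode, 'xn--' labels).

    Uses Python's built-in IDNA codec; an all-ASCII domain is returned unchanged.
    """
    return domain.encode("idna").decode("ascii")


def display_form(domain: str) -> str:
    """Unicode form a mail client renders: decodes 'xn--' labels, passes Unicode through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain  # already Unicode, nothing to decode


def skeleton(domain: str) -> str:
    """Fold a domain to a plain-ASCII skeleton for comparison.

    NFKD-decompose, drop combining marks (the accents), lower-case:
    'hìghpressure.com' and its xn-- form both fold to 'highpressure.com'.
    """
    decomposed = unicodedata.normalize("NFKD", display_form(domain).lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches the dropped letter in 'exxonmbil' vs 'exxonmobil'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched trusted domain or None).

    A look-alike is any domain that is not itself trusted but whose skeleton is within
    max_distance edits of a trusted domain. Run this on the From: header domain after
    DMARC; a DMARC pass on the look-alike domain says nothing about this.
    """
    if domain.lower() in trusted:
        return ("trusted", domain.lower())
    sk = skeleton(domain)
    best = None
    for candidate in sorted(trusted):
        d = edit_distance(sk, candidate)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, candidate)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    # Constructed sender domains: the two look-alikes from the page (one as the
    # Punycode wire form), a genuine domain, and an unrelated one.
    for sender in ("hìghpressure.com", wire_form("exxonmbíl.com"),
                   "highpressure.com", "example.org"):
        print(f"{sender:32} -> {classify_sender_domain(sender)}")
```

This check complements rather than replaces SPF, DKIM, and DMARC: it runs on the From: domain after authentication, because authentication only proves the message came from the domain the attacker registered. In practice, keep max_distance at 1 and compare registrable domains only, or short trusted names will generate false positives.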

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral anomalies in sender-recipient relationships and message content.
  • Unusual accounts receivable (AR) requests from high-ranking individuals.
  • Financial tone and urgency flagged through NLP and content analysis.

By learning each sender's established normal behavior and flagging these deviations from it, a modern email security solution can stop this attack before it reaches inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Text-based
Goal: Payment Fraud
Tactic: Foreign Character Substitution, Look-alike Domain, Spoofed Display Name
Theme: Payment Inquiry, Audit
Impersonated Party: Employee - Executive
