In the initial email in this attack, the actor asked the recipient if they shop at Amazon. The email spoofed the impersonated sender’s actual email address, which had likely been compromised by the attacker. The reply-to address was set to a separate Outlook account, which was registered using the same username as the impersonated party’s real address. The subject of the email–”Happy Thanksgiving!”--uses the context of an upcoming holiday to try and connect with the recipient.

Status Bar Dots
Thanksgiving Gift Card BEC Attack

In a subsequent email, the attacker explained that Amazon was having difficulty charging their credit card and asked the recipient if they could purchase a $200 gift card for them. The gift card is supposedly a birthday present for the sender’s niece, who is described as having been diagnosed with stage 4 mesothelioma cancer and has lost both parents to COVID-19. if the recipient can purchase the gift card for them. The attacker promises to pay the recipient back  after their bank issues are sorted out.

Status Bar Dots
Thanksgiving Gift Card BEC Attack 2

Why It Bypassed Traditional Security

In the case of a text-based attack, without any other indicators of compromise, there is little an email gateway can do to determine malicious intent. These emails were sent from an Outlook account, a free webmail service available to anyone. As a result, there are no bad domain reputations for traditional security providers to discover, and the emails pass all authentication checks for SPF, DKIM, and DMARC, even though the sender’s email address had been spoofed 

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of a gift card request. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients. The from address and reply-to address are different and share an identical username, which is indicative of potential malicious activity.

Risk to Organization

Because the sender’s email address has been spoofed to impersonate someone the recipient likely knows, an employee receiving the email may be more likely to comply with the request in the email since it appears to come from someone they’re familiar with. Although the financial impact of a gift card BEC attack may be limited due to the small amount of this gift card request, these campaigns generally target many employees at once, meaning an attacker has more opportunities for success. In many cases, employees that fall victim to these attacks use their own money to purchase the cards, meaning the company would need to have a discussion about whether to reimburse the employee for the fraud.

Analysis Overview




Gift Card Request


Matching Free Webmail Username
External Compromised Account
Spoofed Email Address
BCC Recipient List


Holiday Gift

Impersonated Party

External Party - Other

See How Abnormal Stops Emerging Attacks

See a Demo