Third Party Reconnaissance Attack Targets Accounts Payable Team to Redirect Future Vendor Payments

In this attack, an accounts payable team was targeted with an email impersonating an accounting manager at a third-party vendor the target company works with. The email stated they would like to update the vendor’s bank account details, so future payments would get directed to the new account controlled by the attacker. The message included a note indicating the vendor could not receive checks, so payments could only be made using an ACH payment or wire transfer. The attacker also inquired about any open invoices owed to the vendor because they haven’t been able to “get onto the server or into Oracle to review accounts.” Based on the fact that the attacker seemed to have an understanding of the relationship between the target company and the impersonated vendor, but didn’t seem to have direct insight into payments between the two parties, this is a likely third party reconnaissance attack.

The email was sent from an address hosted on a domain registered by the attacker that looks very similar to the impersonated vendor’s actual domain. The attacker also copied a number of other accounts on the email to make it seem that other members of the vendor’s finance team were also included in the conversation. In reality, though, all of these accounts were also hosted on the lookalike domain controlled by the attacker. The email signature contained legitimate contact information associated with the vendor.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes. Because the lookalike domain was registered by the attacker and didn’t spoof a legitimate domain, countermeasures like DMARC would not have been effective.

Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Content analysis is required to detect the presence of invoice-related requests, which can indicate when an email should undergo additional scrutiny.

Because the email address used by the attacker was hosted on a domain that looks very similar to the impersonated sender’s actual domain, an employee could have easily mistaken the email as coming from a legitimate address. Had the targeted employee complied with the attacker’s request, any outstanding or future payments owed to the vendor would have been sent to an account controlled by the attacker.