In this payment fraud attack, a threat actor hijacks an ongoing email thread between an insurance brokerage and their vendor, a captive insurance consulting firm, discussing a substantial wire payment of over $17 million. In the initial, legitimate conversation, a member of the accounting department at the insurance brokerage confirmed with an executive underwriter at the vendor company that their bank details had stayed the same. A full year later, the attacker uses a look-alike domain to pose as the executive underwriter and reply to the same thread. The attacker’s message is worded as if the correspondence they are continuing is from the previous week, not the prior year—likely in the hopes the target will not notice and assume the $17 million amount is what’s currently owed.

Another individual on the thread replies, calling out that the requested amount is from the previous year but also requesting clarification on the amount owed for the current year, the payment schedule, and up-to-date bank information. The attacker then replies with fraudulent wiring instructions for an account they control. Thus, while the attacker may not have succeeded in redirecting the $17 million payment, they have put themselves in a position to successfully divert the next fund transfer, presumably for an equally large amount. By leveraging a look-alike domain and mimicking the vendor’s email style, the attacker aims to seamlessly insert themselves into the conversation and deceive the target into transferring funds to their account. 

Legacy email security tools struggle to accurately identify this email as an attack because it employs thread hijacking, uses a look-alike domain, and contains no malicious links. Modern, AI-powered email security solutions detect the look-alike domain, understand message context to identify unexpected deviations, and flag high-value transactions, which lets them correctly mark this email as an attack.

April 24th Screenshot 1: Email from attacker using look-alike domain saying the payment information has changed.

April 24th Screenshot 2: Email from target asking for clarification and requesting up-to-date banking information.

April 24th Screenshot 3: Email from attacker with false banking information.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Thread Hijacking: The attack occurs within an existing, legitimate email thread, making it difficult for legacy tools to distinguish between genuine and malicious messages.
  • Look-alike Domain: The attacker uses a domain that closely resembles the legitimate vendor's domain, which can bypass basic domain reputation checks.
  • No Malicious Links: Because the email does not contain obvious malicious links, it might not be flagged by solutions that rely on traditional URL scanning tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Similarity Detection: Abnormal detects look-alike domains and flags them as suspicious, even if they closely resemble legitimate domains.
  • Contextual Understanding: Abnormal understands the context of the conversation and can identify when a message deviates from the expected communication flow, such as introducing new bank details unexpectedly.
  • High-Value Transaction Monitoring: Abnormal recognizes that attackers often target high-value transactions and applies additional scrutiny to ensure the legitimacy of the communication, especially when there are sudden changes in payment instructions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
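
As an added illustration (not Abnormal's detection logic, and not code from the original page), the sketch below combines the three signals listed above for a single reply: a sender domain that resembles a domain already on the thread, a new domain appearing mid-thread, and payment-related wording. The function names, the confusable-character list, the two-edit threshold and all domains and addresses are assumptions or constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Visual substitutions folded away before comparison (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))
PAYMENT_TERMS = re.compile(r"\b(wire|wiring|bank|account|routing|iban|swift)\b", re.I)

def skeleton(domain):
    """Reduce a domain to a canonical form so visually similar names collide."""
    for seen, canonical in CONFUSABLES:
        domain = domain.replace(seen, canonical)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(candidate, known, max_edits=2):
    """True when candidate is not the known domain but is confusably close to it."""
    if candidate == known:
        return False
    return skeleton(candidate) == skeleton(known) or edit_distance(candidate, known) <= max_edits

def assess_reply(raw_message, thread_domains):
    """Return the set of risk flags for one reply, given domains already seen on the thread."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = set()
    if any(is_lookalike(sender, d) for d in thread_domains):
        flags.add("lookalike-domain")
    if msg.get("In-Reply-To") and sender not in thread_domains:
        flags.add("new-domain-in-thread")
    if PAYMENT_TERMS.search(msg.get_payload()):
        flags.add("payment-instructions")
    return flags

# Constructed sample data; all domains and addresses are placeholders.
THREAD_DOMAINS = {"brokerage.example", "captive-consult.example"}
HIJACKED_REPLY = """\
From: Underwriter <uw@captive-consu1t.example>
To: accounting@brokerage.example
In-Reply-To: <constructed-id-1@captive-consult.example>
Subject: RE: Premium payment

Please use the updated wiring instructions below. Bank: ... Account: ...
"""

if __name__ == "__main__":
    print(sorted(assess_reply(HIJACKED_REPLY, THREAD_DOMAINS)))
```

A reply that raises all three flags is a candidate for holding until the bank details are confirmed with the vendor through a separately known contact channel.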

Analysis Overview

Payment Fraud

Hijacked Email Thread
Maliciously Registered Domain
Look-alike Domain

Account Update
Payment Inquiry

Impersonated Party

External Party - Vendor/Supplier
