In this vendor email compromise attack, the threat actor poses as the accounts receivable coordinator at one of the target company’s vendors and sends the target a message regarding bank account updates. The email states that due to “bogus checks” from other vendors, all future payments must be made via ACH or wire transfer to the account referenced in the attached document. Since the attacker gained control of a legitimate domain to launch these attacks, there is no immediate way for the target to recognize that this email is an attack. Additionally, since the content of the email likely matches the tone and style of previous legitimate communications, the target might be tricked into rerouting payments, ultimately resulting in stolen money or other sensitive information.

Older, legacy email security tools struggle to flag this email as an attack because it comes from a compromised email address, lacks malicious links, and uses social engineering techniques. Modern, AI-powered email security solutions analyze the attachments, detect social engineering, and flag the blank “to” field to correctly identify this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Email Address: The email appears to come from a legitimate source, which could bypass security checks that only look at the sender's email address.
  • Lack of Malicious Links: The email contains a link to a legitimate website. Legacy security tools often rely on detecting malicious links, but in this case, there's nothing obviously harmful to flag.
  • Social Engineering: The email uses social engineering techniques to persuade the recipient to take action. It creates a sense of urgency by mentioning a change in payment policy and a recent issue with a bogus check. Legacy tools often struggle to detect this kind of human-focused manipulation.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal analyzes the content of email attachments for signs of malicious intent. Even if the attachment doesn't contain known malware, it could still be flagged if it contains suspicious content.
  • Social Engineering Detection: Abnormal detects social engineering techniques, such as the sense of urgency created in this email.
  • Blank 'To' Field: The 'To' field of the email is blank. This is unusual as emails typically have at least one recipient. Abnormal recognizes that this might indicate that the email is a mass-sent phishing attempt, where the sender doesn't want to reveal all the recipients.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
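
A minimal heuristic check for the three indicators listed above, added here as an illustration; it is not Abnormal's detection logic. The function name, phrase lists and sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Wording of the lure described above; both phrase lists are illustrative assumptions.
PAYMENT_CHANGE = re.compile(r"\b(ACH|wire transfer|bank(ing)? (account|details|information))\b", re.I)
PRETEXT = re.compile(r"\b(bogus checks?|all future payments|effective immediately)\b", re.I)

def vec_indicators(raw):
    """Return the names of the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # Blank 'To': no visible recipient in To or Cc, so delivery was Bcc-only.
    visible = " ".join(str(msg.get(h, "")) for h in ("To", "Cc")).strip()
    if not visible or visible.lower().startswith("undisclosed"):
        hits.append("blank_to")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Social engineering: a payment-method change paired with a pretext for it.
    if PAYMENT_CHANGE.search(text) and PRETEXT.search(text):
        hits.append("payment_change_pretext")
    # Attachment carrying the new account details, as in the message described.
    if any(part.get_filename() for part in msg.iter_attachments()):
        hits.append("attachment")
    return hits

# Constructed sample message (hypothetical addresses, placeholder attachment bytes).
SAMPLE = """\
From: AR Coordinator <ar@vendor.example>
To:
Subject: Updated banking information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Due to bogus checks from other vendors, all future payments must be
made via ACH or wire transfer to the account in the attached document.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="bank_update.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

if __name__ == "__main__":
    print(vec_indicators(SAMPLE))
```

No single indicator is conclusive on its own; the combination of all three on a message from a known vendor is what makes it worth holding for out-of-band verification of the bank details.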

Analysis Overview

  • Payment Fraud
  • Fake Attachment
  • External Compromised Account
  • Account Update
  • Fake Invoice
  • Impersonated Party: External Party - Vendor/Supplier
