Vendor Accountant Impersonated to Divert Outstanding Payment Due to COVID-19/Monkeypox Outbreak
In this email, the attacker impersonates an accountant at a third-party supplier using an email address hosted on a lookalike domain registered by the attacker. The inclusion of “onmicrosoft.com” at the end of the email address indicates the attacker used Office365 for Business with the domain. The email indicates that, due to a recent contact with COVID-19 and monkeypox at the company, they will no longer be able to accept check payments. Instead, the attacker states that payments can only be received via ACH or wire transfer. The email also inquires about the status of an outstanding payment and there are multiple references to “2ND NOTIFICATION” in the email and subject to create a sense of urgency for the recipient. Based on the content of the email, it’s possible the attacker is aware of the actual payment details due from the targeted customer, potentially due to a compromised vendor email account or aging report theft. The email signature contains the correct contact information for the impersonated vendor company.
Why It Bypassed Traditional Security
Secure email gateways cannot detect malicious intent because the attack is text-based, without any other indicators of compromise. The domain hosting the attacker’s email address is valid and had not been previously flagged as being used for malicious purposes.
Detecting the Attack
The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Cloud email security solutions can detect payment requests using natural language processing. Identifying legitimate vendor domains allows a cloud email security solution to flag lookalike domains as fraudulent and prevent attacks before they reach users. It is necessary to analyze the content of an email in order to detect invoice-related requests, which can indicate a need for further investigation.
Risk to Organization
Because the email address used by the attacker is hosted on a domain that looks very similar to the impersonated sender’s actual domain, an employee may easily mistake the email as coming from a legitimate address. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss that may have been intended for the legitimate vendor.