Vendor Email Compromise Attack Uses Hijacked Email Thread to Attempt to Redirect Invoice Payments

In this attack, a compromised vendor email account was exploited to attempt to redirect an invoice payment that was in progress. The attacker impersonated an accounting specialist at the third-party supplier to request the payment to a new bank account, the details of which were included in “updated” invoices attached to the email, which had previously been stolen from the compromised vendor account. The attacker included legitimate correspondence that had previously taken place between the vendor employee and employees at the targeted company to make it look like they were simply following up on a previous message. Multiple accounts were also copied on the email resembling other employees at the vendor company that had been included in previous correspondence; however, these accounts were all hosted on the same lookalike domain controlled by the attacker. The email was sent from an account mimicking the vendor’s account specialist, but was hosted on a lookalike domain that transposed two letters in the vendor’s legitimate domain.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes.  Because the lookalike domain was registered by the attacker and didn’t spoof a legitimate domain, countermeasures like DMARC would not have been effective.

Natural language processing enables cloud email security solutions to detect the presence of a payment request. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. Content analysis is required to detect the presence of invoice-related requests, which can indicate when an email should undergo additional scrutiny

The inclusion of legitimate content in the body of the malicious email adds a layer of authenticity to the message, giving it a much higher chance of being successful if it reaches its intended target. Based on the contents of the manipulated invoices provided by the attacker, had the targeted employee complied with the attacker’s request, the company could have seen a direct financial loss of more than $1 million.