In this attack, the attacker impersonated an employee at a third-party manufacturer that had previously done business with the target company to inquire about the status of a supposedly overdue payment. Attached to the email was a PDF replica of an invoice used by the supplier that had been modified by the attacker to contain a different payment bank account. The updated banking information was also highlighted in the body of the email. The name of the attachment was personalized with the name of the target company. The email was sent from an email account hosted on a domain recently registered by the attacker that looked very similar to the vendor’s actual domain.

Status Bar Dots
Modified Invoice BEC Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes. The lookalike domain was registered by the attacker and didn’t spoof a legitimate domain, so countermeasures like DMARC would not have been effective.

How Can This Attack Be Detected?

Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes. Content analysis can detect the presence of suspicious payment-related requests, indicating when an email should undergo additional scrutiny.

What are the Risks of This Attack?

The use of a modified invoice that is normally used by the vendor adds contextual legitimacy to the attack, which may lead an employee to believe the message was sent by the impersonated third party. Because the email address used by the attacker is hosted on a domain that looks very similar to the impersonated sender’s actual domain, an employee may easily mistake the email as coming from a legitimate address. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of nearly $40,000 and any outstanding or future payments owed to the vendor would be sent to the fraudulent account controlled by the attacker.

Analysis Overview

Vector

Text-based
Payload-based

Goal

Payment Fraud

Tactic

Look-alike Domain
Modified Document

Theme

Overdue Payment

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo