BEC Group Uses Manufactured Email Threads and Brand Impersonation to Facilitate Invoice Fraud
A Background on Invoice Fraud
The Double-Pronged Approach: Examining Cobalt Terrapin’s Strategy
While many BEC attacks appear to originate from a high-ranking individual at an organization or from a well-known vendor, Cobalt Terrapin uses a new hybrid strategy that combines both tactics. This makes communications look and feel even more legitimate.
In this case, the attacker sends an email impersonating a company executive—usually the company’s CEO or CFO—using display name spoofing. Below the executive’s message, they also paste a manufactured message from a vendor into the body of the email, making it appear as if the sender is forwarding an existing thread.
The email instructs the recipient, typically a generic email address like ap[@]company.com or accounting[@]company.com, to pay the outstanding invoice referenced in the manufactured email chain below. Notably, rather than identifying specific individuals to target, Cobalt Terrapin identifies the central accounts payable email list it can use to reach all of the employees on that list at once. In many ways, this is likely to make the group more successful: it can reach multiple people at once, and it only takes one hurried or distracted employee to make the mistake.
Attackers also recognize that if an invoice looks different from usual, it might set off alarm bells for the accounting team. To address this, Cobalt Terrapin emails include a note explaining that the company has made “improvements” to its invoices as part of an “ongoing commitment to deliver a better billing experience” and recommend that the recipient visit the vendor’s website to “learn more about your new invoice.”
Although these emails typically reference an attached email, attackers wait until the targeted employee responds before sending a fake invoice or W-9. This helps them bypass security tools that flag attachments as a sign of potential attacks. And given the frequency with which people forget to attach files to emails, most email users wouldn’t consider this unusual or suspicious behavior.
Using Well-Known Brand Names to Earn Trust
Cobalt Terrapin uses highly convincing invoices and W-9s, which include corporate logos and legitimate corporate details, such as the organization’s real address and employer identification number (EIN). While it may seem like a lot of trouble, including these small details in spoofed documents helps threat actors get past accounting professionals’ scrutiny and shortens the time to payment.
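As an added example (not code from the original post or from the group it describes), the Python triage check below scores a message for the three traits described in the two sections above: an executive’s display name on an address outside the organization, delivery to a shared accounts payable alias, and a pasted “forwarded” vendor message whose sender domain borrows a well-known brand name without being that brand’s real domain. The organization domain, executive names, aliases, brand table and sample message are all constructed, and the message is assumed to be a single-part plain-text email.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumed values for the example (not from the original post).
ORG_DOMAIN = "company.example"
EXECUTIVES = {"jane doe", "john roe"}  # CEO/CFO display names worth protecting
GENERIC_AP_ALIASES = {"ap", "accounting", "accountspayable", "payables"}
BRANDS = {"examplebrand": {"examplebrand.test"}}  # brand token -> its real domains
# Constructed sample: executive display name on an external address, sent to the
# AP alias, with a "forwarded" vendor message pasted into the body.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@mail-reply-svc.test>
To: ap@company.example
Subject: FW: Outstanding invoice

Please take care of the invoice below today. See attached.

---------- Forwarded message ----------
From: AR Team <ar@receivables-examplebrand.test>
Subject: Invoice 10023 past due - improvements to your new invoice
"""
QUOTED_FROM = re.compile(r"^\s*>?\s*From:\s*(.+)$", re.MULTILINE)

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def display_name_spoof(msg):
    """Executive's name in the display name, but the address is off the org domain."""
    name, addr = parseaddr(msg["From"])
    return name.strip().lower() in EXECUTIVES and sender_domain(addr) != ORG_DOMAIN

def targets_generic_alias(msg):
    """Addressed to a shared AP/accounting mailbox rather than a named employee."""
    return any(addr.split("@")[0].lower() in GENERIC_AP_ALIASES
               for _, addr in getaddresses(msg.get_all("To", [])))

def quoted_lookalike_domains(body):
    """Sender domains in pasted 'From:' lines that use a brand name but are not its real domain."""
    domains = [sender_domain(parseaddr(line)[1]) for line in QUOTED_FROM.findall(body)]
    return [d for d in domains for token, real in BRANDS.items() if token in d and d not in real]

def analyze(raw):
    """Return the list of BEC indicators found; an empty list means none of the three fired."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = ["exec-name-external-sender"] if display_name_spoof(msg) else []
    findings += ["generic-ap-alias-recipient"] if targets_generic_alias(msg) else []
    return findings + ["lookalike-vendor-domain:" + d for d in quoted_lookalike_domains(body)]
```

The generic-alias signal fires on legitimate mail too; it is meant to raise the weight of the other two indicators, not to block on its own.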
Protecting Your Organization from Cobalt Terrapin and Other BEC Groups
Appendix: List of Domains Linked to Cobalt Terrapin BEC Campaigns
Secondary Domains Observed in Cobalt Terrapin Fake Email Chains