This attack impersonates an attorney at a UK-based law firm, requesting payment for an invoice that is supposedly 180 days overdue. Both the impersonated attorney and the law firm are actual entities, giving the attack a sense of legitimacy if a recipient searched for them. The email was sent from an address hosted on a domain that was registered to look very similar to the firm’s actual domain. The details in the email signature appear to be consistent with the UK office of the law firm.

Status Bar Dots
Third Party Impersonation Lookalike Email Address

Why It Bypassed Traditional Security

The email itself does not have a malicious payload in the form of links or attachments, preventing traditional threat intelligence-based tools from detecting indications of compromise. The domain hosting the attacker’s email address is valid and has not been previously flagged as being used for malicious purposes.

Detecting the Attack

Detecting invoice-related requests is possible through content analysis, and can indicate when an email needs to be analyzed further. The domain used in this case was registered shortly before the attack, indicating its potential use for malicious purposes. Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users.

Risk to Organization

The target would pay the attacker the invoice amount if this vendor impersonation attack succeeds, potentially costing hundreds of thousands of dollars. Because the email address used by the attacker is hosted on a domain that looks very similar to the impersonated sender’s actual domain, an employee may easily mistake the email as coming from a legitimate address.

Analysis Overview

Vector

Text-based

Goal

Payment Fraud

Tactic

Look-alike Domain
Spoofed Display Name

Theme

Overdue Payment

Impersonated Party

External Party - Vendor/Supplier