Unlike business email compromise attacks, which often ask the recipient to send money for an unpaid invoice, this credential phishing attack takes the opposite approach: it uses a fake billing notification to encourage clicks. To set up the attack, the threat actors first compromised an external vendor account, potentially through the same or a very similar credential phishing attack. Once they had access to that account, the attackers could observe ongoing financial transactions and target the vendor's existing customers.

In the attack itself, the email states that payment has been made for an unnamed invoice and includes a link to an Excel document that the recipient can click for further details. To add legitimacy, the text states that the email is system-generated and asks the recipient not to reply, which removes the obvious way of double-checking its legitimacy with the sender. On clicking the link, the recipient is sent to a page that mimics the real Microsoft 365 sign-in page and asks for their password only.


Why It Bypassed Traditional Security

This email comes from a real vendor account that has an existing relationship with the target organization, so there is nothing unusual about the sending domain to detect, which lets it bypass legacy tools that rely on such indicators. In addition, the URL in the email had not been seen before, making it difficult for threat-intelligence-based tools to detect.

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of an unusual invoice or payment request, and a federated supply chain database understands when a vendor account may be compromised—across the entire customer ecosystem. Further, a behavioral system can stop attacks that use never-before-seen URLs by understanding the intent of the link. 
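The three detection signals described above can be combined into a simple per-message score. The following is an added example written for this page, not code from the original page or from any vendor's product. It stands in for each component with a deliberately simple mechanism: keyword patterns for the payment-request language, a hypothetical set of flagged vendor domains for the federated compromised-vendor database, and a per-vendor history of previously seen link domains for the never-before-seen-URL check. The sample messages and the vendor domains are constructed.

```python
"""Heuristic scoring of a vendor-account credential-phishing email (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Phrases that signal an invoice or payment notification (stand-in for NLP intent detection).
PAYMENT_PATTERNS = [
    r"\bpayment (has been|was) (made|sent|processed)\b",
    r"\binvoice\b",
    r"\bremittance\b",
]
# Language that discourages the recipient from verifying the message out of band.
NO_REPLY_PATTERNS = [r"system[- ]generated", r"do not reply", r"please do not respond"]


@dataclass
class Email:
    sender: str            # e.g. "accounts@vendor.example"
    subject: str
    body: str
    urls: list = field(default_factory=list)


@dataclass
class Context:
    # Hypothetical stand-in for a federated database of vendor accounts flagged as compromised.
    flagged_vendor_domains: set
    # Link domains previously observed in mail from each vendor domain (our own history).
    seen_link_domains: dict


def _domain(addr_or_url: str) -> str:
    """Lower-cased domain of an email address or the hostname of a URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _matches(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def score_email(email: Email, ctx: Context) -> dict:
    """Return the triggered signals, a score, and a verdict for one message."""
    text = f"{email.subject}\n{email.body}"
    vendor = _domain(email.sender)
    signals = {}

    if _matches(PAYMENT_PATTERNS, text):
        signals["payment_language"] = 2
    if _matches(NO_REPLY_PATTERNS, text):
        signals["discourages_verification"] = 1
    if vendor in ctx.flagged_vendor_domains:
        signals["vendor_flagged_compromised"] = 3

    # A link domain this vendor has never used before is a behavioral anomaly.
    history = ctx.seen_link_domains.get(vendor, set())
    if any(_domain(u) and _domain(u) not in history for u in email.urls):
        signals["never_seen_link_domain"] = 2

    total = sum(signals.values())
    verdict = "block" if total >= 6 else "review" if total >= 3 else "allow"
    return {"vendor": vendor, "signals": signals, "score": total, "verdict": verdict}


# Constructed sample data (not taken from the page).
SAMPLE_CONTEXT = Context(
    flagged_vendor_domains={"vendor-b.example"},
    seen_link_domains={
        "vendor-a.example": {"portal.vendor-a.example"},
        "vendor-b.example": {"vendor-b.example"},
    },
)

SAMPLE_PHISH = Email(
    sender="accounts@vendor-b.example",
    subject="Payment confirmation",
    body=("Payment has been made for your invoice. Click the Excel document for details. "
          "This is a system-generated email, please do not reply."),
    urls=["https://files-share.example/xlsx/view?id=123"],
)

SAMPLE_BENIGN = Email(
    sender="accounts@vendor-a.example",
    subject="Q3 order status",
    body="Hi, your order shipped today. Track it on our portal.",
    urls=["https://portal.vendor-a.example/track/456"],
)

if __name__ == "__main__":
    for msg in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(msg.subject, "->", score_email(msg, SAMPLE_CONTEXT))
```

The thresholds are arbitrary and would be tuned against real mail flow; the point is that no single signal decides the outcome. A known vendor sending an invoice with a link to a domain it has used before scores low, while the combination of payment language, a suppressed reply path, a flagged vendor, and a novel link domain pushes the message past the blocking threshold even though the sending domain itself is legitimate.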

Risk to Organization

This email relies on the known vendor relationship and legitimate email, plus curiosity about the payment, to trick users into clicking the link—even if just to see what the document contains. Once an employee enters their Microsoft credentials, attackers have full access to the email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account
Theme: Fake Invoice
Impersonated Party: External Party - Vendor/Supplier