Attack Spotlight
April 3, 2025
Fraud attempt with vendor impersonation, a fake thread, and business email compromise.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.
EMAIL PROVIDER: Google Workspace
ATTACK TYPE: BEC/Fraud
In a recent fraud attempt detected by Sublime, an attacker combined vendor impersonation, business email compromise (BEC), and a realistic-looking thread in an attempt to divert a $500K invoice payment.
What makes this case especially compelling is that the attacker didn’t simply fabricate a fake thread. Instead, they likely used intelligence gathered from a prior compromise or phishing attack targeting the vendor they wanted to impersonate for the larger phishing campaign. Here’s an overview of the process:
The target received a seemingly legitimate email referencing a recent invoice. It requested confirmation of updated ACH banking details and included what appeared to be a forwarded thread of the original invoice. Everything looked normal at first glance, including the branding, sender name, and invoice details, but one thing was off – the sender’s email came from a lookalike domain.
Here’s what makes this fraud attempt so convincing: the sender’s email came from ascentshvac[.]com, while the company being impersonated has the domain ascenthvac[.]com. The added "s" is very easy for a human to overlook (even the best can fall for it).

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

ascentshvac[.]com is a lookalike of the legitimate ascenthvac[.]com domain mentioned in the email body and signature.

See the full Message Query Language (MQL) of the detection rule that caught the lookalike domain: Suspected lookalike domain with suspicious language
Lookalike domains are a common technique for delivering an attack because humans aren’t great at spotting them. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.
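The core of the signal described above is a comparison between the sender's domain and the domains that appear in the message body and signature. The following is an added illustration of that check, not Sublime's rule or MQL: it parses a constructed message modelled on the incident (the recipient address, invoice number and wording are placeholders; the two domain names are the ones named on this page), extracts domains from the body, and flags any that sit within a small edit distance of the sender's domain without being identical to it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the incident: the sender uses the lookalike
# ascentshvac.com while the signature references the real ascenthvac.com.
# Recipient address, invoice number and wording are placeholders, not from
# the real message.
SAMPLE_EMAIL = """\
From: "Accounts Receivable" <ar@ascentshvac.com>
To: ap@target-company.example
Subject: FW: Invoice 10421 - updated ACH details

Hi,

Please confirm our updated ACH banking details for invoice 10421 (thread below).

Thanks,
Accounts Receivable
Ascent HVAC | www.ascenthvac.com | billing@ascenthvac.com
"""

# The same message as it would look if it really came from the vendor:
# sender and signature domains agree, so nothing should be flagged.
LEGIT_EMAIL = SAMPLE_EMAIL.replace("ascentshvac.com", "ascenthvac.com")

# Matches bare host names such as ascenthvac.com or www.ascenthvac.com.
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case the host and drop a leading 'www.' so web and mail forms compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def sender_domain(raw: str) -> str:
    """Domain of the RFC 5322 From address (the display name is ignored)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return normalize(addr.rpartition("@")[2])


def body_domains(raw: str) -> set:
    """Every domain mentioned in the body text, including those inside email addresses."""
    msg = message_from_string(raw)
    text = msg.get_payload()
    return {normalize(m.group(1)) for m in DOMAIN_RE.finditer(text)}


def find_lookalikes(raw: str, max_distance: int = 2):
    """Return (sender_domain, body_domain, distance) for every near-miss.

    A body domain identical to the sender's is consistent and skipped; one that
    differs by only a character or two is the lookalike pattern seen in this case.
    """
    sender = sender_domain(raw)
    hits = []
    for dom in sorted(body_domains(raw)):
        if dom == sender:
            continue
        d = levenshtein(sender, dom)
        if 0 < d <= max_distance:
            hits.append((sender, dom, d))
    return hits


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, "->", find_lookalikes(raw) or "no lookalike domains")
```

On the constructed sample the sender domain ascentshvac.com is one edit away from ascenthvac.com, which appears twice in the signature, so the message is flagged; the same message sent from the real domain produces no hit. A production rule would combine this with other signals (the page mentions suspicious language in the rule name) rather than act on edit distance alone, since short unrelated domains can also fall within a distance of two.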
If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.