Fraud attempt with vendor impersonation, a fake thread, and business email compromise.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: BEC/Fraud

In a recent fraud attempt detected by Sublime, an attacker combined vendor impersonation, business email compromise (BEC), and a realistic-looking thread in an attempt to divert a $500K invoice payment.

What makes this case especially compelling is that the attacker didn’t simply fabricate a thread from scratch. They likely used intelligence gathered from a prior compromise of, or phishing attack against, the vendor they intended to impersonate in the larger campaign. Here’s an overview of the process:

  1. Identify a target for a phishing attack.
  2. Identify a vendor that works with the target.
  3. Compromise or phish the vendor to steal a real thread between the vendor and the target.
  4. Use the real thread to create a realistic fake thread to send to the target.

Anatomy of an attack

The target received a seemingly legitimate email referencing a recent invoice. It requested confirmation of updated ACH banking details and included what appeared to be a forwarded thread of the original invoice. Everything looked normal at first glance, including the branding, sender name, and invoice details, but one thing was off – the sender’s email came from a lookalike domain.

Here’s what makes this fraud attempt so convincing:

  • Real impersonated company: Ascent Inc. is a real company, and the sender being impersonated is a real person who works there. The attacker would have gathered all of this information during the reconnaissance phase of the attack.
  • Weaponized invoice: The attacker leveraged a legitimate invoice from the real vendor to create a sense of trust and urgency. By referencing the invoice in a fabricated message that claims updated ACH details were sent due to a banking issue, the attacker aims to get the target to respond and ultimately reroute the payment to an attacker-controlled account.
  • Realistic thread: The thread was built from the original invoice, which carries all of the correct branding and company information. The callback phone number, however, has been changed to an attacker-controlled number.
  • Lookalike sender domain: This email was sent from a person at ascentshvac[.]com. The company being impersonated has the domain ascenthvac[.]com. The added s is very easy for a human to overlook (even the best can fall for it).

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

  • Lookalike domain: Sender domain ascentshvac[.]com is a lookalike of the legitimate ascenthvac[.]com domain mentioned in the email body and signature.
  • Newly registered sender domain: The sender's domain is suspicious because it was registered in the past 14 days. Registering new domains is a common tactic used to conduct attacks.
  • Fake thread: The sender’s domain has never contacted the receiving company before, but the message contains a thread meant to indicate previous contact.
  • BEC/fraud indicators with urgency: The message contains a request to change the payment destination of a high-value invoice. The language within the message and the falsified thread create a sense of urgency.
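The four signals above (lookalike of a domain cited in the body, newly registered sender domain, quoted thread from a first-time sender, and payment-change language with urgency) are simple enough to demonstrate in a few dozen lines. The following Python is an added example and is not Sublime's MQL rule or any code from the post; the two domains are the ones named above, while the message text, names, invoice number, sender history and domain ages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the message described above. Names, invoice
# number and thread text are hypothetical; only the two domains come from the post.
SAMPLE_MESSAGE = """\
From: "A. Vendor" <accounts@ascentshvac.com>
To: ap@target-company.example
Subject: RE: Invoice 4417 - updated ACH details

Hi,

Following up on the invoice below. Due to a banking issue we have updated our
ACH details; please confirm receipt so the payment is not delayed.

Thanks,
A. Vendor
Ascent Inc. | www.ascenthvac.com

-----Original Message-----
From: A. Vendor <accounts@ascenthvac.com>
Sent: Monday, May 20, 2024 2:15 PM
To: ap@target-company.example
Subject: Invoice 4417

Please find attached invoice 4417.
"""

# Constructed control: the vendor's genuine mail from its real domain, no quoted thread.
LEGIT_MESSAGE = """\
From: "A. Vendor" <accounts@ascenthvac.com>
To: ap@target-company.example
Subject: Invoice 4417

Please find attached invoice 4417. Let us know if you have any questions.

A. Vendor
Ascent Inc. | www.ascenthvac.com
"""

# Constructed organisational context: domains this mailbox has received mail from
# before, and registration age in days (what a WHOIS/RDAP lookup would return).
KNOWN_SENDER_DOMAINS = {"ascenthvac.com", "partner.example"}
DOMAIN_AGE_DAYS = {"ascentshvac.com": 9, "ascenthvac.com": 4200}

DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
THREAD_MARKERS = re.compile(r"^(-+ ?Original Message ?-+|From: .+|Sent: .+)$", re.M)
BEC_TERMS = re.compile(r"\b(ACH|wire|bank(?:ing)? details|routing|account number|invoice|payment)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(confirm|urgent|immediately|delayed|as soon as possible|asap)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single inserted 's' separates ascenthvac.com from ascentshvac.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_domains(body: str) -> set:
    """Domains mentioned anywhere in the body, signature and quoted thread (lower-cased)."""
    return {m.group(1).lower() for m in DOMAIN_RE.finditer(body)}


def analyze(raw: str, known_senders=KNOWN_SENDER_DOMAINS, domain_age=DOMAIN_AGE_DAYS) -> dict:
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    r = {"sender_domain": sender_domain}

    # Signal 1: sender domain is within two edits of a *different* domain the message itself cites.
    r["lookalike_of"] = sorted(d for d in body_domains(body)
                               if d != sender_domain and levenshtein(d, sender_domain) <= 2)

    # Signal 2: sender domain registered within the last 14 days.
    age = domain_age.get(sender_domain)
    r["newly_registered"] = age is not None and age <= 14

    # Signal 3: first contact from this domain, yet the message carries a quoted thread.
    r["fake_thread"] = sender_domain not in known_senders and bool(THREAD_MARKERS.search(body))

    # Signal 4: payment/banking language combined with urgency wording.
    r["bec_language"] = bool(BEC_TERMS.search(body) and URGENCY_TERMS.search(body))

    # A lookalike alone could be a legitimate sister domain; require corroboration before blocking.
    corroborated = r["newly_registered"] or r["fake_thread"] or r["bec_language"]
    r["verdict"] = "block" if r["lookalike_of"] and corroborated else "allow"
    return r


if __name__ == "__main__":
    for name, text in (("attack", SAMPLE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyze(text))
```

Running the script flags the constructed attack sample on all four signals and passes the control message. The edit-distance threshold of two is deliberately tight: it catches the added-letter case from this attack while leaving unrelated domains in the body (the recipient's own, for instance) alone. In production the domain-age and sender-history lookups would come from WHOIS/RDAP and mail-flow telemetry rather than the inline dictionaries used here.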

See the full Message Query Language (MQL) of the Detection Rule that caught the lookalike domain: Suspected lookalike domain with suspicious language

Keep an eye out for lookalikes

Lookalike domains are a common technique for delivering an attack because humans aren’t great at spotting them. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

About the Author

Sam Scholten

Detection

Sam is the Head of Detection at Sublime. Prior to Sublime, he was a Staff Email Security Researcher at Proofpoint where he developed a business email compromise (BEC) taxonomy and formulated key detection methodologies and rules.
