Fake invoice used to conduct $16,800 BEC attempt

Sublime Threat Detection

June 26, 2024

Sublime Security Attack Spotlight: Attempts to conduct fraud by soliciting a payment for a seemingly legitimate overdue invoice.


Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Microsoft 365, Google Workspace

ATTACK TYPE: BEC (Business Email Compromise)

The Attack

The attacker attempts to commit fraud by soliciting payment for a seemingly legitimate overdue invoice. Messages are highly personalized and targeted:

  • The PDF attachment of the invoice contains the target organization’s name and real mailing address
  • The sender impersonates a VIP within the organization
  • Messages target the CFO or individuals within the finance department

The attached PDF also contains a fabricated W-9 form with a fake SSN, signed by a fictitious persona. Attachment: Inv no# 000635238.pdf.

Detection signals

Sublime detected and prevented this attack using the following top signals:


  • The messages contain a fake invoice embedded within the message body, as well as attached to the message as a PDF. The PDF is highly personalized to the target organization
  • A fake forwarded message is used to add legitimacy and urgency
  • The message contains language resembling a BEC (Business Email Compromise) attack, which is detected using our Natural Language Understanding (NLU) model
  • The attacker impersonates the organization’s CEO or other VIPs
  • Some, but not all, sender domains observed in this campaign were registered within the last 30 days
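
To show how the structural signals above can be combined, here is an added example (not Sublime's detection rule and not code from the original post) that checks one raw message for an invoice-named PDF, a forward banner without threading headers, a VIP display name on an external domain, and a sender domain registered within 30 days. The sample message, the VIP list, the domains, the registration dates and the forward-banner heuristic are all constructed assumptions; the NLU signal and the PDF's contents are out of scope.

```python
import email
import re
from datetime import date
from email.utils import parseaddr

# Constructed sample, not a campaign message; every name and domain is a placeholder.
SAMPLE = """\
From: "Jane Doe" <jane.doe@billing-corp.example>
To: cfo@corp.example
Subject: Fwd: Overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please settle the attached overdue invoice today.

---------- Forwarded message ---------
From: Accounts <ar@supplier.example>
Subject: Invoice past due
--b1
Content-Type: application/pdf; name="Inv no# 000000000.pdf"

JVBERi0xLjQK
--b1--
"""
TODAY = date(2024, 6, 26)
CREATED = {"billing-corp.example": date(2024, 6, 10)}  # constructed WHOIS/RDAP stand-in
FWD = re.compile(r"^-{2,} ?Forwarded message ?-{2,}", re.I | re.M)

def bec_signals(raw, org_domain, vips, created, today):
    """Return the set of header/structure signals present in one raw message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    parts = list(msg.walk())
    body = "\n".join(str(p.get_payload()) for p in parts if p.get_content_type() == "text/plain")
    pdfs = [p.get_filename() or "" for p in parts if p.get_content_type() == "application/pdf"]
    hits = set()
    if any(re.search(r"\binv(oice)?\b", f, re.I) for f in pdfs):
        hits.add("invoice_pdf")
    # Assumed heuristic: forward banner in the body but no threading headers.
    if FWD.search(body) and not (msg["In-Reply-To"] or msg["References"]):
        hits.add("fake_forward")
    if name.lower() in vips and domain != org_domain:
        hits.add("vip_impersonation")
    if domain in created and (today - created[domain]).days <= 30:
        hits.add("new_sender_domain")
    return hits
```

No single signal is conclusive (the post notes that only some sender domains were newly registered), so treat the returned set as input to a score or to analyst triage rather than as a verdict.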

Sublime detects and prevents BEC and other email-based threats. Deploy an instance in alert-only mode.
