Fake invoice used to conduct $16,800 BEC attempt

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Microsoft 365, Google Workspace

ATTACK TYPE: BEC (Business Email Compromise)

The attack

Attempts to conduct fraud by soliciting a payment for a seemingly legitimate overdue invoice. Messages are highly personalized and targeted:

• The PDF attachment of the invoice contains the target organization’s name and real mailing address
• The sender impersonates a VIP within the organization
• Messages target the CFO or individuals within the finance department.

The attached PDF also contains a fabricated W-9 form with a fake SSN, signed by a fictitious persona. Attachment: Inv no# 000635238.pdf.

Detection signals

Sublime detected and prevented this attack using the following top signals:

• Fake invoice: The messages contain a fake invoice embedded within the message body, as well as attached to the message as a PDF. The PDF is highly personalized to the target organization
• Fake thread: A fake forwarded message is used to add legitimacy and urgency
• BEC lanugage: The message contains language resembling a BEC (Business Email Compromise) attack, which is detected using our Natural Language Understanding (NLU) model
• VIP impersonation: The attacker impersonates the organization’s CEO or other VIPs
• New domain: Some, but not all, sender domains observed in this campaign were registered within the last 30 days

Sublime detects and prevents BEC and other email based threats. Deploy an instance in alert-only mode.