Stopping Vendor Email Compromise in Action: How Abnormal Detected a $36M Attack

Vendor email compromise, the most dangerous type of business email compromise, is a uniquely dangerous cybersecurity threat that is continuing to grow in both frequency and severity. In fact, two-thirds of all organizations are targeted by email attacks that use a compromised or impersonated third-party account each quarter.

Unlike traditional business email compromise that impersonates an executive, a VEC attack occurs when a threat actor either gains control of a vendor email account or impersonates a trusted vendor in an attempt to execute an invoice scam or other financial fraud. These attacks are highly successful because they exploit the trust and existing relationships between vendors and customers through personalization and social engineering. And because your vendors often discuss invoices and payments, these attacks rarely seem abnormal—unlike the gift card requests from the CEO that were so popular when business email compromise originated.

VEC attacks often ask the recipient to pay an overdue or outstanding invoice or update billing account details so the next payment is sent to a fraudulent bank account. In the most egregious instances, they hijack an ongoing conversation and change details inline—right before the money is sent.

And because these attacks use known identities, they can be incredibly difficult to detect. Even the most cybersecurity-aware employees can find themselves fooled by these advanced threat tactics that lead to lost revenue. And we’re not talking about payments in the hundreds or thousands of dollars…

Abnormal recently detected an attempted VEC attack that sought to steal $36 million from the target. You read that right… $36 MILLION. Here’s what that looked like.

The enterprise received this email from a threat actor who was impersonating a VIP, the Senior Vice President & General Counsel, from a trusted partner company with whom it has a long-term relationship. Using a lookalike domain [.cam], the attacker sent an invoice and wiring instructions with fraudulent payment details in an attempt to redirect a $36 million loan payment to themselves.

Additionally, to further bolster their credibility, the attacker cc’d a second well-known real estate investment company on the email, again, using an address ending in [.cam], another newly created domain. Because the Abnormal customer involved in this attack works in commercial real estate where they often facilitate large-sum loans, and the invoice appeared to be legitimate with legitimate recipients, there was little reason for immediate concern about the validity of the wire transfer request.

The attacker invoice, which was sent on forged company letterhead, outlines falsified loan information, including interest rates, repayment amounts, and other sensitive financial details.

The email also included a document with wiring details. In fact, the only piece of this email that was different from what the target would typically expect in an invoice was the wiring instructions, which directed the recipient to submit payment to a company called Forever Home Title in Tampa, Florida.

Extremely close inspection of the wiring instructions shows minor discrepancies, like the “Reference: Name,” instead of “Reference Name” and the missing state in the disclaimer text. But again, only someone who was expecting an attack would likely look for these minor issues.

Despite this email looking legitimate to the end user, the Abnormal platform noticed a number of anomalies. First, the two lookalike domains use [.cam] rather than [.com] and both were less than one week old. The first fraudulent domain was registered in Iceland on October 12, 2022—the day the attack began. Our advanced models flag newly-registered domains, as they are often an indicator of suspicious activity, typically created right after a threat actor identifies his target and starts his scheme.

Additionally, our models detected that this was a high-value invoice (above $10,000) and included new billing instructions, as well as language about the transaction being diverted to a different bank account. Vendor fraud is commonly initiated this way—an attacker will say something along the lines of, “we have a new bank account and need you to send this invoice to this new account instead of what has previously been used.”

Further, behavioral AI also detected irregular language patterns in the body of the email, which is traditionally associated with credential fraud and financial theft.

The totality of these signals was suspicious enough for Abnormal to take action by detecting and remediating the attack. However, since the Abnormal customer was actually cc’d on the email rather than the direct recipient, we are unable to determine if the original recipient (a non-customer) was protected or if the invoice was in fact paid out.

As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases. A key piece of the security toolbelt should include technology that can detect novel, never-before-seen attacks that do not contain traditional indicators of compromise. Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective.

Using our behavioral AI, machine learning models, natural language processing, and VendorBase, Abnormal establishes a baseline of communication patterns, tracks invoice information, and analyzes the relationships between vendors and their customers. By understanding normal behavior, Abnormal can detect when changes have occurred across the supply chain and use that risk information to make decisions on incoming messages. And because VendorBase is a federated database across all Abnormal customers, it ensures that you’re protected from potentially dangerous vendors, even if your organization has not been targeted directly.

With Abnormal, preventing supply chain compromise is easy and does not require manual configuration. Our cloud-native, API-based approach prevents any delay in email delivery time, and all inspection and scanning are performed in memory. So no matter who targets you, and whether that fake payment is for a few hundred dollars or a few million, Abnormal has you covered.

Interested in learning more about how Abnormal can protect your organization from vendor fraud?