Executive Impersonation and Vendor Invoice Fraud

Quick Summary:

  • Platform: Office 365
  • Mailboxes: >50,000
  • Email Gateway: IronPort
  • Email Security Bypassed: ATP
  • Victims: Accounting Employee
  • Payload: Invoice attachment
  • Technique: Executive Impersonation

What was the attack?

  • Setup: The attacker posed as an executive at the organization and asked an employee in accounting to pay an invoice, but did not attach the invoice to the initial email. The omission may have been intentional: starting the conversation without an attachment can fool traditional email security systems. The employee in accounting responded to the initial email.

  • Email Attack: After the accounting employee responded, the attacker followed up with an email that included an attachment with a fake invoice, with a request to pay that invoice immediately.

  • Payload: The attacker created a legitimate-looking invoice with dummy banking information that would have routed the wire transfer to a bank account under their control.
  • Result: Had the employee paid this invoice, the attacker would have stolen nearly $43,000 from the targeted organization.

Why is this attack effective?

  • Familiarity: The attacker posed as an executive communicating with a low-level employee. The low-level employee would have recognized the name and thus would have been more likely to engage with the attacker.
  • Urgency: The attacker, posing as an executive, asked a low-level employee to pay the invoice immediately. This urgency often causes employees to forgo the scrutiny they should be giving email requests like this.
  • Safe Reputation: The attacker was able to bypass Microsoft EOP + ATP by using new or existing domains that did not have a negative reputation.
  • Legitimate (looking) invoice: The invoice created by the attacker looks like a legitimate invoice from a real vendor.
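
The sequence described above can be checked for at the conversation level rather than per message. The following is an added example, not Abnormal's detection logic or code from the original write-up: it flags an executive's display name on a non-corporate domain, a payment request that arrives without an invoice, an attachment that only appears after an internal reply, and urgency wording. The domains, executive name, keyword lists and sample messages are all constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"corp.example"}      # assumption: the organization's own mail domains
EXECUTIVES = {"dana whitfield"}     # assumption: executive display names to protect
URGENT = re.compile(r"\b(immediately|urgent|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|payment)\b", re.I)

def mk(frm, body, attachment=None):
    """Build one constructed sample message."""
    m = EmailMessage()
    m["From"] = frm
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-constructed", maintype="application",
                         subtype="pdf", filename=attachment)
    return m

def sender_of(msg):
    """Return (lower-cased display name, lower-cased sender domain)."""
    name, addr = parseaddr(str(msg["From"]))
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def thread_signals(thread):
    """Collect BEC signals from a conversation given in delivery order."""
    found, employee_replied = set(), False
    for msg in thread:
        name, domain = sender_of(msg)
        if domain in ORG_DOMAINS:
            employee_replied = True      # an internal user engaged with the thread
            continue
        if name not in EXECUTIVES:
            continue                     # external, but not using an executive's name
        found.add("exec_name_on_external_domain")
        text = msg.get_body(preferencelist=("plain",)).get_content()
        attached = any(True for _ in msg.iter_attachments())
        if PAYMENT.search(text) and not attached and not employee_replied:
            found.add("payment_request_without_invoice")
        if attached and employee_replied:
            found.add("attachment_after_reply")
        if URGENT.search(text):
            found.add("urgency")
    return found

SAMPLE_THREAD = [  # constructed messages mirroring the sequence in this write-up
    mk("Dana Whitfield <dana.whitfield@billing-desk.example>",
       "I need you to take care of a vendor invoice for me."),
    mk("AP Clerk <ap@corp.example>", "Sure, can you send the invoice?"),
    mk("Dana Whitfield <dana.whitfield@billing-desk.example>",
       "Invoice attached. Please wire the payment immediately.", "invoice.pdf"),
]
```

No single message in the sample carries all four signals, which is why the check keeps state across the thread instead of scoring each email in isolation.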


Abnormal Attack Stories are real-world examples of attacks that we’ve seen in the wild.
