BEC Group Uses Manufactured Email Threads and Brand Impersonation to Facilitate Invoice Fraud
After the recent meteoric rise in social engineering attacks, security leaders are working to better educate their workforces on how to spot and report potential threats. Unfortunately, scammers consistently remain a step ahead. By the time a company becomes adept at identifying and preventing one type of threat, attackers have already evolved their tactics to something even harder to detect.
Recently, we identified a new trend in business email compromise attacks that combines vendor impersonation and executive impersonation within a single email attack. Now, a group known as Cobalt Terrapin is consistently leveraging this tactic to deceive accounting professionals and commit invoice fraud.
Cobalt Terrapin appears to be located in Turkey and has been active since at least March 2022. The group commonly impersonates well-known vendors, like LinkedIn and ZoomInfo, and has discovered a stealthy practice for bypassing legacy security systems.
A Background on Invoice Fraud
Like many financially-motivated BEC attacks, invoice fraud occurs when cybercriminals target finance teams, impersonate an executive or vendor, and convince them to pay a fake invoice. In the case of internal vendor impersonations or reconnaissance vendor incidents, attackers pose as vendors that their targets are familiar with or currently using as part of normal business operations.
In the past, fraudsters sent simple messages and attached PDFs with realistic-looking invoices that included bank account information. But newer attacks are much more elaborate and well-researched, often containing fake email chains with the names and email addresses of real individuals at the target organization—adding legitimacy to these attacks.
Because these attacks are highly targeted and personalized, they’re virtually undetectable by conventional threat intelligence tools and yield threat actors a hefty profit. According to the most recent FBI IC3 Internet Crime Report, the average BEC attack caused more than $120,000 in losses per incident. And Abnormal research shows that invoice fraud is even higher, with attackers requesting an average of $183,000 per attack.
The Double-Pronged Approach: Examining Cobalt Terrapin’s Strategy
While many BEC attacks appear to originate from a high-ranking individual at an organization or from a well-known vendor, Cobalt Terrapin uses a new hybrid strategy that combines both tactics. This makes communications look and feel even more legitimate.
In this case, the attacker sends an email impersonating a company executive—usually the company’s CEO or CFO—using display name spoofing. They also set up a manufactured message from a vendor in the body of the email below the message from the executive making it appear like the sender is forwarding an existing thread.
The email instructs the recipient, typically a generic email address like ap[@]company.com or accounting[@]company.com to pay the outstanding invoice referenced in the manufactured email chain below. It is notable that, rather than identifying specific individuals to target, Cobalt Terrapin identifies the central accounts payable email list they can use to reach all of the employees on that list at once. In many ways, this is likely to make them more successful as they can reach multiple people at once, and it only causes one hurried or distracted employee to make the mistake.
Attackers also recognize that if an invoice looks different from usual, it might set off alarm bells to the accounting team. To address this, Cobalt Terrapin emails include a note explaining that the company has made “improvements” to its invoices as part of an “ongoing commitment to deliver a better billing experience” and recommends the recipient check out the vendor’s website to “learn more about your new invoice.”
Although these emails typically reference an attached email, attackers wait until the targeted employee responds before sending a fake invoice or W-9. This helps them bypass security tools that flag attachments as a sign of potential attacks. And given the frequency with which people forget to attach files to emails, most email users wouldn’t consider this unusual or suspicious behavior.
Using Well-Known Brand Names to Earn Trust
Another tactic Cobalt Terrapin uses to increase its legitimacy is invoking familiar, easily-recognizable brand names. For example, its domains are primarily registered with Google and include references to Microsoft, and its email addresses use lookalike domains.
In most cases, lookalike domains are registered with a different registrar at an earlier time from the domain used to send the email. Typically, they’re visually similar to the domains threat actors are attempting to spoof, such as “gooogle.com” or “LinkedIIn.com.”
In this case, spoofed emails include email domains like “sender-secure-response-mail.management” and “email-onmicrosoft365-onmicrosoft.com” which, while they are much longer than average, they rely on references to security and well-known brands to add legitimacy. And because many email programs only show senders’ display names, busy employees rarely notice if a domain name is slightly altered, misspelled, or entirely different from an impersonated sender’s other emails.
Additionally, Cobalt Terrapin commonly impersonates LinkedIn, which is meaningful for a few reasons. First, professionals are accustomed to receiving emails from LinkedIn, so the name won’t stand out as unusual. Second, many organizations leverage LinkedIn’s paid marketing and recruiting tools, and it’s not atypical to receive multiple invoices or invoices that vary in price from month to month. Third, it’s a large, well-known, and trusted brand that’s easy to co-opt for nefarious purposes. In fact, in the Abnormal H2 2022 Email Threat Report, our team found LinkedIn was the most impersonated platform in the first half of 2022.
Cobalt Terrapin uses highly convincing invoices and W-9s, which include corporate logos and legitimate corporate details, such as the organization’s real address and employee identification number (EIN). While it may seem like a lot of trouble, including these small details in spoofed documents help threat actors bypass accounting professionals’ scrutiny and allow for faster time to payment.
Protecting Your Organization from Cobalt Terrapin and Other BEC Groups
Social engineering methods like those commonly used in business email compromise attacks are growing more sophisticated because it’s becoming more challenging to fool security-aware workforces and bypass security software. But attacks like those perpetrated by Cobalt Terrapin prove scammers know how to covertly manipulate multiple email elements in their favor. The fact that they are using a combination of vendor and executive impersonation, domain spoofing, and legitimate-looking invoices shows just how far they’re willing to go run their scams.
To bolster your security, educate staff on emerging threats and remind them to always carefully examine senders’ email addresses, particularly when emails contain requests to pay invoices, transfer funds, or handle any other finance-related task. It’s also vital for email recipients to verify unusual requests through another channel, like a text message or phone call.
Unfortunately, as attacks grow in sophistication, education isn’t always enough to mitigate the risk. In addition to training your team, it’s crucial you implement more innovative and reliable email security solutions. Behavioral AI-based security can analyze email content and identities, recognize signs of an attack, and prevent malicious emails from reaching their target. This way, you can identify and block social engineering attempts your legacy systems may not catch.
Learn how Abnormal protects organizations from sophisticated and emerging attacks. Request a demo today.
Appendix: List of Domains Linked to Cobalt Terrapin BEC Campaigns
44g8y5go3k7b18uyxc2qxeybz-uk0l-send-via-net-suite[.]com |
admin-mail-settin99s[.]com |
admin-omincrosft-us10-miosft-office[.]com |
admin-omincrosft-us17-miosft-exch[.]com |
admin-rsm-rply-managements[.]xyz |
alldomainsserver-onmicrosoft-ssl-365-oserver[.]management |
alldomainsserver-onmicrosoft-sssl-365-oserver[.]management |
app02-us-mail-xchnge-365-mcrsft[.]com |
applx-xli-slxi-admins-management[.]com |
applx-xlx-phlx-management-mails[.]me |
applx-xlxi-admin-management-xls-mails[.]me |
billing-linkedln[.]com |
corps-us10-blv1-miosoft-suite[.]xyz |
cpoft[.]com |
em-rply[.]me |
email-onmicrosoft365-onmicrosoft[.]com |
emssn[.]one |
en-rply[.]me |
exch-mail-offd365-us63-mrosfs1t[.]com |
exch-office-us01-miosft1[.]com |
exch-office-us10-miosft[.]com |
exch-office-us10-miosftx1[.]com |
exech-microfts-net-suites[.]com |
executive-us10-blv1-msoft-exch[.]com |
executive-us10-webcorp-us-onmicrosoft[.]com |
leaderd1ship-us17-miosft[.]com |
leaderd1ship-us18-miosft[.]com |
leadership-sent-onmicrosoft[.]com |
leadershippostmicrosoft[.]com |
mail-ex-onmicrosoft[.]com |
mail-exch-offd365-us21-mrosfst[.]com |
mail-exch-us21-app02-omn0sft365-off-svr[.]com |
mail-mx-onmicrosoft[.]com |
mail-ominicrosft-leadership[.]com |
mail-omnicrosroft-exch[.]com |
mail-reply-a-onmicrosoft[.]com |
mail-reply-c-onmicrosoft[.]com |
mail-reply-e-onmicrosoft[.]com |
mail-reply-im-onmicrosoft[.]com |
mail-reply-n-onmicrosoft[.]com |
mail-work2apps-xllz2mall-manaqement[.]com |
mailing-officemangemnt-mail[.]me |
mails-1102-omnisoft[.]com |
management-365office-mxexchange-crosoft365[.]com |
management-365server-officecrosoft365[.]com |
microsoftexchange329e70ec88ae46-omincrosft-us17[.]com |
mw-outbound-via-msoft365-onmicorsotf[.]com |
mx365server-officecrosoft365[.]com |
mxexchange-365office-mxexchange-crosoft365[.]com |
mxsecured-365server-officecrosoft365[.]com |
office-mail-micromail-microsoft[.]com |
office-mail-onmicrosoft[.]com |
office-mailonmicrosoft-onmicrosoft[.]com |
office-onmicrosoft-onmicrosoft[.]com |
office-onmicrosoft365-onmicrosoft[.]com |
office-sprint501[.]com |
office-srlx-appstas-management-worksmailsxls-sl[.]works |
on30eon-mx[.]business |
onmcrsft-workflow-mailcloudus17-web[.]com |
onmicrosft-us06web-zoom[.]com |
ourleadership-mail-microsoft[.]com |
outbound-via-msoft365-onmicorsotf[.]com |
reply-e-mail-onmicrosoft[.]com |
reply-to-365server-officecrosoft365[.]com |
reply-to-email-omniscoft-mail[.]com |
reply-to-email-omnisofts-onlinehttps[.]com |
reply-to-emails-omnisofts-onlinehttp[.]com |
reply-to-emails-omnisofts-onlinehttps[.]com |
reply-to-mail-omnisofts-onlinehttps[.]com |
reply-to-mail-omnisofts-onlinessl[.]com |
reply-to-ominisoft-ominisoft[.]com |
reply-to-ominisoft-omnicosfts[.]com |
reply-to-omnisoft-online-tls[.]com |
reply-to-omnisoft-onlinessl[.]com |
reply-to-omnisoft-onlinhttp[.]com |
reply-to-omnisoft-onlinhttps[.]com |
reply-to-omnisoftonline-https[.]com |
reply-to-omnisofts-online-http[.]com |
reply-to-omnisofts-online-https[.]com |
reply-to-omnisofts-online-tls[.]com |
reply-to-omnisofts-onlinehttp[.]com |
reply-to-omnisofts-onlinetls[.]com |
reply-to-omnisoftsonlinetls[.]com |
reply-to-r-20233101-email-omniscoft-mail[.]com |
secured-365server-officecrosoft365[.]com |
secured-mxserver-officecrosoft365[.]com |
securesender-netsuite-safemail[.]com |
securesender-ntsuitesafemail[.]com |
send-leader-onmicrosoft[.]com |
sender-net-websuites-mails[.]com |
sender-secure-response-mail[.]management |
serv-workflow53-microsoftexchange[.]com |
serv-workflow536ec38-suites36rst10[.]com |
serv1-onmicroftsexchange-ph0pr06mc[.]com |
server-omnicrosoft365[.]com |
server-onmicrosoft[.]com |
server-onmicrosoft365-onmicrosoft[.]com |
server001-sql-management-omnicrosoft[.]com |
server1-ssl-management-omnicrosoft[.]com |
server11-ssl-management-omnicrosoft[.]com |
server66-exmini-crosoft[.]com |
server88-ssl-omnicrosoft360[.]com |
server99-omni-crosoft360[.]com |
servers-omnicrosoft365[.]com |
servers-omnnicrosoft365[.]com |
serversomnicrosoft365[.]com |
serverssl44-22-domain-omnicrosoft[.]com |
sql-omnicrosoft365[.]com |
ssl1-onmicrosoft365-sslshell[.]com |
sslsecureworkspace[.]com |
us-app02-omnisftmail-xchnge[.]com |
userzafbhnftdtc5wertyuias2lccxdfvwh-7fkdx1g-exchange[.]com |
workflow-microsoftexchange-suites[.]com |
Secondary Domains Observed in Cobalt Terrapin Fake Email Chains
accounting-bdo[.]com |
accounts-grantthornton[.]com |
acct-linkedin[.]com |
acctsreceivable-linkedin[.]com |
ar-bdo[.]com |
ar-team-zoominfo[.]com |
billing-linkedln[.]com |
billings-linkedin[.]com |
billings-zoominfo[.]com |
collection-linkedin[.]com |
collections-linkedin[.]com |
collections-oceantomo[.]com |
collectors-linkedin[.]com |
credit-collection-linkedin[.]com |
financelinkedin[.]com |
finances-linkedin[.]com |
financial-linkedin[.]com |
linkedin-billing[.]com |
linkedin-bills[.]com |
payments-thesilverlining[.]com |
receivable-bdo[.]com |
receivable-oceantomo[.]com |
receivablelinkedin[.]co |
receivablelinkedin[.]com |
receivables-kornferry[.]com |
receivables-linkedin[.]com |
receivables-oceantomo[.]com |
receiveables-crowe[.]com |
receiveables-oceantomo[.]com |