
BEC Group Uses Manufactured Email Threads and Brand Impersonation to Facilitate Invoice Fraud

October 4, 2022

After the recent meteoric rise in social engineering attacks, security leaders are working to better educate their workforces on how to spot and report potential threats. Unfortunately, scammers consistently remain a step ahead. By the time a company becomes adept at identifying and preventing one type of threat, attackers have already evolved their tactics to something even harder to detect.

Recently, we identified a new trend in business email compromise attacks that combines vendor impersonation and executive impersonation within a single email attack. Now, a group known as Cobalt Terrapin is consistently leveraging this tactic to deceive accounting professionals and commit invoice fraud.

Cobalt Terrapin appears to be located in Turkey and has been active since at least March 2022. The group commonly impersonates well-known vendors, like LinkedIn and ZoomInfo, and has discovered a stealthy practice for bypassing legacy security systems.

A Background on Invoice Fraud

Like many financially-motivated BEC attacks, invoice fraud occurs when cybercriminals target finance teams, impersonate an executive or vendor, and convince them to pay a fake invoice. In the case of internal vendor impersonations or reconnaissance vendor incidents, attackers pose as vendors that their targets are familiar with or currently using as part of normal business operations.

In the past, fraudsters sent simple messages and attached PDFs with realistic-looking invoices that included bank account information. But newer attacks are much more elaborate and well-researched, often containing fake email chains with the names and email addresses of real individuals at the target organization—adding legitimacy to these attacks.

Because these attacks are highly targeted and personalized, they’re virtually undetectable by conventional threat intelligence tools and yield threat actors a hefty profit. According to the most recent FBI IC3 Internet Crime Report, the average BEC attack caused more than $120,000 in losses per incident. And Abnormal research shows that invoice fraud is even higher, with attackers requesting an average of $183,000 per attack.

The Double-Pronged Approach: Examining Cobalt Terrapin’s Strategy

While many BEC attacks appear to originate from a high-ranking individual at an organization or from a well-known vendor, Cobalt Terrapin uses a new hybrid strategy that combines both tactics. This makes communications look and feel even more legitimate.

In this case, the attacker sends an email impersonating a company executive—usually the company’s CEO or CFO—using display name spoofing. Below the executive’s message, they place a manufactured message from a vendor in the body of the email, making it appear as if the executive is forwarding an existing thread.

The email instructs the recipient, typically a generic mailbox such as ap[@]company.com or accounting[@]company.com, to pay the outstanding invoice referenced in the manufactured email chain below. Notably, rather than identifying specific individuals to target, Cobalt Terrapin identifies the central accounts payable email list it can use to reach every employee on that list at once. This likely makes the group more successful: it reaches multiple people simultaneously, and it only takes one hurried or distracted employee to make the mistake.


Example of an Initial Cobalt Terrapin Email

Attackers also recognize that if an invoice looks different from usual, it might set off alarm bells to the accounting team. To address this, Cobalt Terrapin emails include a note explaining that the company has made “improvements” to its invoices as part of an “ongoing commitment to deliver a better billing experience” and recommends the recipient check out the vendor’s website to “learn more about your new invoice.”

Although these emails typically reference an attached email, attackers wait until the targeted employee responds before sending a fake invoice or W-9. This helps them bypass security tools that flag attachments as a sign of potential attacks. And given the frequency with which people forget to attach files to emails, most email users wouldn’t consider this unusual or suspicious behavior.


Example of a Cobalt Terrapin Email Response Containing Fake Invoice and W-9 Attachments

Using Well-Known Brand Names to Earn Trust

Another tactic Cobalt Terrapin uses to increase its legitimacy is invoking familiar, easily-recognizable brand names. For example, its domains are primarily registered with Google and include references to Microsoft, and its email addresses use lookalike domains.

In most cases, lookalike domains are registered with a different registrar at an earlier time from the domain used to send the email. Typically, they’re visually similar to the domains threat actors are attempting to spoof, such as “gooogle.com” or “LinkedIIn.com.”

In this case, the spoofed emails use domains like “sender-secure-response-mail.management” and “email-onmicrosoft365-onmicrosoft.com” which, while much longer than average, rely on references to security and well-known brands to add legitimacy. And because many email clients show only the sender’s display name, busy employees rarely notice if a domain name is slightly altered, misspelled, or entirely different from an impersonated sender’s other emails.


Additionally, Cobalt Terrapin commonly impersonates LinkedIn, which is meaningful for a few reasons. First, professionals are accustomed to receiving emails from LinkedIn, so the name won’t stand out as unusual. Second, many organizations leverage LinkedIn’s paid marketing and recruiting tools, and it’s not atypical to receive multiple invoices or invoices that vary in price from month to month. Third, it’s a large, well-known, and trusted brand that’s easy to co-opt for nefarious purposes. In fact, in the Abnormal H2 2022 Email Threat Report, our team found LinkedIn was the most impersonated platform in the first half of 2022.


Sample Fake Invoice and W-9 Used by Cobalt Terrapin

Cobalt Terrapin uses highly convincing invoices and W-9s, which include corporate logos and legitimate corporate details, such as the organization’s real address and employer identification number (EIN). While it may seem like a lot of trouble, including these small details in spoofed documents helps threat actors bypass accounting professionals’ scrutiny and allows for faster time to payment.

Protecting Your Organization from Cobalt Terrapin and Other BEC Groups

Social engineering methods like those commonly used in business email compromise attacks are growing more sophisticated because it’s becoming more challenging to fool security-aware workforces and bypass security software. But attacks like those perpetrated by Cobalt Terrapin prove scammers know how to covertly manipulate multiple email elements in their favor. The fact that they are using a combination of vendor and executive impersonation, domain spoofing, and legitimate-looking invoices shows just how far they’re willing to go to run their scams.

To bolster your security, educate staff on emerging threats and remind them to always carefully examine senders’ email addresses, particularly when emails contain requests to pay invoices, transfer funds, or handle any other finance-related task. It’s also vital for email recipients to verify unusual requests through another channel, like a text message or phone call.

Unfortunately, as attacks grow in sophistication, education isn’t always enough to mitigate the risk. In addition to training your team, it’s crucial you implement more innovative and reliable email security solutions. Behavioral AI-based security can analyze email content and identities, recognize signs of an attack, and prevent malicious emails from reaching their target. This way, you can identify and block social engineering attempts your legacy systems may not catch.

Learn how Abnormal protects organizations from sophisticated and emerging attacks. Request a demo today.

Appendix: List of Domains Linked to Cobalt Terrapin BEC Campaigns


Secondary Domains Observed in Cobalt Terrapin Fake Email Chains
