VEC Attacks on Replay: Attackers Use the Same Message to Target Victims in Critical Infrastructure
Vendor email compromise (VEC) is a sophisticated and dangerous email threat that is continuing to grow. In fact, over the last year, the likelihood of an organization receiving a VEC attack increased from around 45% in June 2022—already a concerning figure—to nearly 70% in May 2023.
VEC is a variation of business email compromise (BEC), the $51 billion cyberthreat. But while BEC attacks typically impersonate trusted individuals within the victim’s own organization, such as the CEO, VEC attacks take this a step further by impersonating an individual at a trusted vendor organization. Whether through a spoofed or compromised account, VEC attackers use social engineering tactics to convince their victim to take an action, usually finance-related, like wiring a fake payment or changing future payments to be deposited into a new bank account set up by the threat actor.
VEC attacks are among the most successful social engineering attacks because they capitalize on the trusted relationships between customers and their vendors. You're much less likely to question an email from a supplier contact you regularly interact with than one from an unknown identity. And because discussions with vendors often involve issues around invoices and payments, attacks that mimic these conversations can easily slip by unnoticed.
Many of the VEC attacks we’ve seen are highly targeted, going to great lengths to spoof and hijack a single, specific vendor in pursuit of a massive payday. But we’ve also seen attacks that repeat a certain scheme, almost identically, across multiple vendors, creating a snowball effect across a broad web of victims.
When just one vendor is compromised, the threat actor’s VEC attacks are limited to the customers in that vendor’s supply chain. But when multiple vendors are compromised, the reach of the campaign multiplies with each one: every additional compromised vendor account brings its entire customer base into scope. In this post, we’ll dive into what an attack of this nature looks like.
Examining a Series of Repeatable VEC Attacks
We recently detected a series of attacks in which a single threat actor compromised five different vendor email accounts, and through those accounts, delivered email attacks to 15 individuals across five customer organizations. Even more concerning was that all of the target customer organizations were in the critical infrastructure space—including two healthcare companies, two logistics companies, and one manufacturing company. And unfortunately, these are only the numbers across Abnormal customer organizations, meaning that dozens more accounts could’ve been compromised by this single threat actor.
Specifically, the attacker compromised vendor email accounts belonging to individuals in accounting and operations roles and sent emails attempting to redirect outstanding and future invoices to a new bank account. Each email included a PDF attachment that outlined the (fake) new payment policy and provided the updated bank account details.
Nearly all of the emails sent from the compromised accounts used the same language and formatting. Although they contained grammatical errors, they also had a number of characteristics that made them appear legitimate, enabling them to bypass traditional security defenses.
The most effective disguise tactic, and a key characteristic of VEC attacks, was the attacker’s use of a known domain. Because the emails were sent from compromised vendor accounts, the sender's email address and domain appeared normal to the recipients. Because the mail genuinely originated from the vendor's own mail system, it also passed sender authentication checks such as SPF, DKIM, and DMARC, so domain-based controls offered no signal at all. The attacker also used content and language that the victims might expect from conversations with their vendors. These two factors together made it seem like nothing was out of the ordinary, increasing the likelihood that the targets would unknowingly engage with the threat actor.
However, even though these emails looked legitimate at first glance, there were a number of anomalies that signaled a potential attack.
For example, an NLP analysis highlighted multiple instances of language related to financial requests and billing account updates, and especially related to diverting payments, which is commonly associated with invoice fraud. Another indicator of anomalous user behavior was the absence of any previous correspondence between the senders and the recipients.
These signals would likely escape a distracted human eye, and even traditional email security solutions. VEC attacks are notoriously difficult to catch precisely because attack signals are sparse, and the signals that do exist are hard to pinpoint at the surface level. It goes to show that organizations need a better approach to detection if they want to catch even the subtlest signs of a potential attack.
How Do We Know That All of These Attacks Were Executed by the Same Attacker?
There were a few key indicators pointing to the fact that these email attacks originated from the same threat actor.
Most noticeably, all the emails shared the following uncommon and suspicious wording:
“Note: We received a bogus check from another vendor this morning which had our account flagged. We are currently opted out from check for now.”
Second, across all of the emails, in either the email signature or the attachment, the attacker replaced the sender's contact information with the exact same phone number, likely their own. This ensures that if the recipient takes the extra step of calling the number, a common practice taught in security awareness training, the threat actor picks up rather than the impersonated sender. The practical lesson for verification: confirm any banking change by calling a number already on file for the vendor, never one supplied in the email or attachment that requests the change.
Third, the attachments sent from the compromised vendor accounts were highly similar: they were formatted using the same structure and referenced the same fictitious name, “Veronica Ward.”
The multiple similarities across these email attacks—even though they were delivered through different vendor accounts—are the smoking gun that links them to a common originator.
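As an added illustration of both the anomaly signals discussed in the previous section and the cross-vendor linkage described here, the following Python is example code written for this edit, not Abnormal's detection logic. It scores each message on three signals drawn from the text above (payment-diversion wording, no prior correspondence between sender and recipient, and a signature phone number that differs from the number on file for that vendor), then links messages that share an artifact such as a phone number or a verbatim sentence into one campaign. The vendor master record, correspondence history, addresses, phone numbers, and message bodies are all constructed for the example.

```python
"""Added example (not Abnormal's detection logic): score inbound vendor email for
invoice-redirection signals and link messages sharing artifacts into one campaign.
Every address, phone number and message below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Email:
    sender: str
    recipient: str
    body: str
    signature_phone: Optional[str] = None
    attachment_text: str = ""


# Hypothetical vendor master record: phone number on file per vendor domain.
VENDOR_PHONE_ON_FILE = {
    "acme-supplies.example": "+1-555-010-0100",
    "northwind-logistics.example": "+1-555-020-0200",
}

# Hypothetical correspondence history: (sender, recipient) pairs seen before.
PRIOR_CORRESPONDENCE = {
    ("ap@acme-supplies.example", "payables@hospital-a.example"),
}

# Wording commonly associated with payment diversion / invoice fraud.
PAYMENT_REDIRECT_PATTERNS = [
    r"\bnew (bank|banking|account) (details|information)\b",
    r"\b(update|change|redirect)\w* (your|the|our)? ?(payment|remittance|banking)\b",
    r"\boutstanding (invoices?|payments?)\b",
    r"\bopted out (from|of) checks?\b",
]


def normalize_phone(raw):
    """Keep the last ten digits so '(555) 019-9999' and '+1 555 019 9999' compare equal."""
    return re.sub(r"\D", "", raw or "")[-10:]


def score_email(msg):
    """Return (score, reasons): one point per independent VEC signal present."""
    reasons = []
    text = f"{msg.body}\n{msg.attachment_text}".lower()
    hits = [p for p in PAYMENT_REDIRECT_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"payment-redirection language ({len(hits)} patterns)")
    if (msg.sender, msg.recipient) not in PRIOR_CORRESPONDENCE:
        reasons.append("no prior correspondence between sender and recipient")
    on_file = VENDOR_PHONE_ON_FILE.get(msg.sender.split("@")[-1])
    if (msg.signature_phone and on_file
            and normalize_phone(msg.signature_phone) != normalize_phone(on_file)):
        reasons.append("signature phone differs from the number on file for this vendor")
    return len(reasons), reasons


def indicators(msg):
    """Artifacts that, when repeated across unrelated vendor domains, point to one actor."""
    found = set()
    if msg.signature_phone:
        found.add(("phone", normalize_phone(msg.signature_phone)))
    for sentence in re.split(r"(?<=[.!?])\s+", f"{msg.body} {msg.attachment_text}"):
        words = sentence.lower().split()
        if len(words) >= 8:  # long verbatim sentences rarely coincide by chance
            found.add(("sentence", " ".join(words)))
    return found


def cluster_campaigns(msgs):
    """Union-find over shared indicators; returns sorted index groups, one per campaign."""
    parent = list(range(len(msgs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, msg in enumerate(msgs):
        for ind in indicators(msg):
            if ind in first_seen:
                parent[find(i)] = find(first_seen[ind])
            else:
                first_seen[ind] = i
    groups = defaultdict(list)
    for i in range(len(msgs)):
        groups[find(i)].append(i)
    return sorted(groups.values())


# Constructed sample: one routine invoice email and two messages of the kind the post describes.
NOTE = ("Note: We received a bogus check from another vendor this morning which had our "
        "account flagged. We are currently opted out from check for now.")
SAMPLE_EMAILS = [
    Email("ap@acme-supplies.example", "payables@hospital-a.example",
          "Attached is the invoice for PO 4411. Please let me know if you need a W-9.",
          "+1 (555) 010-0100"),
    Email("accounting@acme-supplies.example", "payables@hospital-a.example",
          "Please note our banking information has changed. Kindly update your payment "
          "records and redirect all outstanding invoices to the new account details in "
          "the attached document. " + NOTE, "+1 555 019 9999"),
    Email("ops@northwind-logistics.example", "ap@factory-b.example",
          "Our remittance details have changed effective immediately; please see the "
          "attached notice. " + NOTE, "(555) 019-9999",
          "Veronica Ward, Accounts Department. New account details are listed below "
          "for all future remittances."),
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_EMAILS):
        score, reasons = score_email(msg)
        print(f"[{i}] {msg.sender} -> {msg.recipient}: score={score} {reasons}")
    print("campaign clusters:", cluster_campaigns(SAMPLE_EMAILS))
```

Run stand-alone, the routine invoice scores 0 while both redirection emails score 3, and the two redirection emails land in one cluster even though they came from different vendor domains, because they share the verbatim "bogus check" note and the same callback number. The phone comparison is against the vendor master record, not against the previous email from that sender, which is the check a recipient's accounts-payable process should also make before acting on any banking change.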
How to Protect Against VEC Attacks
Because modern VEC attacks leverage social engineering to create seemingly genuine messages, traditional email security tools that look for known indicators of compromise, like malicious links and attachments, are becoming less effective.
Cybersecurity leaders, especially those at high-value targets like critical infrastructure organizations, are increasingly looking for new tools to overcome these shortcomings. Many are turning to technologies that use behavioral AI, which learn what normal user behavior, communication patterns, and content look like. Rather than looking for known-bad indicators, they look for deviations from that baseline that may signal an attack, and block them before they ever reach employee inboxes.
Interested in learning more about how Abnormal can protect your organization from vendor fraud? Schedule a demo.