Prevent Supply Chain Compromise

An organization’s security posture is only as strong as that of the suppliers it does business with.

Keep your employees safe from compromised accounts belonging to suppliers, vendors and partners.

New Research on Shift to Supply Chain Compromise


average cost of a supply chain compromise attack

Abnormal Security, 2021


chance of receiving a supply chain attack each week

Abnormal Security, 2021


highest requested amount by supply chain attack blocked by Abnormal


Understanding Supply Chain Compromise

Supply chain compromise is unique in that attackers target trusted vendors and partners with credential phishing campaigns. Once they gain access to the account, they use that email address to trick businesses into paying fake invoices or updating billing information, costing them millions each year. In these attacks, the threat actor:


  • Creates a credential phishing campaign targeting your vendor or partner

  • Receives valid credentials and infiltrates vendor accounts

  • Sends an email from the account with a fake invoice or updated billing details

  • Receives funds from the victim because they believe the threat actor to be their vendor

[Image: sample supply chain compromise attack email]

Recognizing an Attack from a Compromised Vendor Account

This email passed traditional email security infrastructure because it comes from a legitimate email address. Upon closer examination, we see that:

  • While the email is from a known vendor, the sender has never before interacted with the recipient

  • The financial request is suspicious, given that a similar email was sent two days ago

  • The attached invoice has a different bank name and routing number from previous invoices

While traditional security measures would not stop this email, Abnormal can tell that the vendor is likely compromised and will block it.
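The three checks listed above, sketched as an added example: this is not Abnormal's code or detection model, and the field names, the seven-day repeat window, the hold rule, and all addresses, dates, amounts and bank values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class InvoiceEmail:
    sender: str
    recipient: str
    sent: datetime
    amount: float
    bank: tuple  # (bank name, routing number) parsed from the attached invoice

def domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()

def review_signals(msg, history, repeat_window=timedelta(days=7)):
    """Return the warning signs msg shows against earlier mail from the same vendor domain."""
    prior = [m for m in history
             if domain(m.sender) == domain(msg.sender) and m.sent < msg.sent]
    signals = []
    # 1. Known vendor domain, but this mailbox has never written to this recipient.
    pairs = {(m.sender.lower(), m.recipient.lower()) for m in prior}
    if (msg.sender.lower(), msg.recipient.lower()) not in pairs:
        signals.append("sender_new_to_recipient")
    # 2. The same amount was already requested within the repeat window.
    if any(m.amount == msg.amount and msg.sent - m.sent <= repeat_window for m in prior):
        signals.append("repeated_payment_request")
    # 3. Bank name or routing number differs from every earlier invoice.
    if msg.bank not in {m.bank for m in prior}:
        signals.append("bank_details_changed")
    return signals

def disposition(signals):
    """Changed bank details alone justify a hold; otherwise require two signals."""
    if "bank_details_changed" in signals or len(signals) >= 2:
        return "hold_for_out_of_band_verification"
    return "deliver"

# Constructed sample data (invented addresses, dates, amounts and bank values).
T0 = datetime(2021, 6, 1, 9, 0)
KNOWN_BANK = ("Example Bank A", "ROUTING-A")
OSCAR = "oscar@dundermifflin.example"
BILLING = "billing@printersandmore.example"
HISTORY = [
    InvoiceEmail(BILLING, OSCAR, T0, 1800.00, KNOWN_BANK),
    InvoiceEmail(BILLING, OSCAR, T0 + timedelta(days=30), 4200.00, KNOWN_BANK),
]
SUSPICIOUS = InvoiceEmail("j.doe@printersandmore.example", OSCAR,
                          T0 + timedelta(days=32), 4200.00, ("Example Bank B", "ROUTING-B"))
ROUTINE = InvoiceEmail(BILLING, OSCAR, T0 + timedelta(days=60), 1950.00, KNOWN_BANK)
```

A held message is one to confirm with the vendor over a contact channel already on file, not by replying to the email.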


Protect Your Organization from Compromised Email Accounts in Your Supply Chain


Automatically Know Your Vendors

This message from Printers and More asks Oscar to pay an invoice, but Oscar just paid an invoice last week.

Using a real account from the vendor, this message asks the accounting team at Dunder Mifflin to pay a new invoice. Because the team knows that this is a real vendor, they assume that the invoice is legitimate.

Abnormal’s VendorBase auto-identifies and scores real vendors and partners based upon past email communications, and other signals gathered across the entire enterprise ecosystem. In this case, we understand that Printers and More is a real vendor, but determine that the account is compromised because the timing of the request for payment is unusual.


Continuously Assessing Vendor Risk and Reputation

Review of the email and the vendor database shows that this email is from a legitimate source, so Oscar may approve the payment.

Because Oscar knows that the team works with Printers and More, he would likely authorize payment, especially since the invoice is already past due.

Abnormal not only detects your vendors but also assigns them a risk score based on domains spoofed, accounts compromised, and suspicious business. Because we know that Printers and More has a high likelihood of being compromised, we know that this email is malicious.


Inspect Content, Tone, and Attachments

The text of the email asks Dunder Mifflin to pay their past-due invoice immediately or face legal action. However, the invoice includes new banking details.

Abnormal scans all attachments for suspicious information. In this case, we understand that the banking details are different from those typically associated with this vendor.

As a result, Abnormal realizes that the account is likely compromised and an attacker is instead using it to extract money from the vendor’s customers.


Prevent Invoice and Billing Fraud

If Oscar does not pay this invoice, the attacker may try other people at Dunder Mifflin until he finds a more amenable contact.

Because the threat actor has access to the vendor’s email account, he knows which other contacts at Dunder Mifflin he can reach. He may try this tactic on multiple people throughout various departments until he finds someone willing to pay the fake invoice.

Abnormal recognizes this behavior and blocks all suspicious emails from the sender, preventing invoice fraud across the entire Dunder Mifflin organization. This continuous monitoring of the vendor to assess risk scores through VendorBase also ensures that other Abnormal customers are safe from this compromised vendor account.




See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

