
Prevent Supply Chain Compromise

An organization’s security posture is only as strong as that of the suppliers it does business with.

Keep your employees safe from compromised accounts belonging to suppliers, vendors and partners.

$183,000: average cost of a supply chain compromise attack (Abnormal Security, 2021)

82%: chance of receiving a supply chain attack each week (Abnormal Security, 2021)

$1.6m: highest amount requested in a supply chain attack blocked by Abnormal

Understanding Supply Chain Compromise

Supply chain compromise is unique in that attackers target trusted vendors and partners with credential phishing campaigns. Once they gain access to a vendor account, they use that email account to trick businesses into paying fake invoices or updating billing information, costing them millions each year. In these attacks, the threat actor:

1. Creates a credential phishing campaign targeting your vendor or partner

2. Receives valid credentials and infiltrates vendor accounts

3. Sends an email from the account with a fake invoice or updated billing details

4. Receives funds from the victim because they believe the threat actor to be their vendor

[Image: supply chain compromise attack sample email]

Recognizing an Attack from a Compromised Vendor Account

This email passed traditional email security infrastructure because it comes from a legitimate email address. Upon closer examination, we see that:

  • While the email is from a known vendor, the sender has never before interacted with the recipient

  • The financial request is suspicious, given that a similar email was sent two days ago

  • The attached invoice has a different bank name and routing number from previous invoices

While traditional security measures would not stop this email, Abnormal can tell that the vendor is likely compromised and will block it.
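The three signals listed above can be expressed as simple checks against a vendor's invoice history. This is an added example, not Abnormal's detection logic; the `Invoice` fields, the flag names, the 7-day repeat window, and all addresses and bank details are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Invoice:
    sender: str
    recipient: str
    sent: datetime
    bank_name: str
    routing_number: str


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def vendor_invoice_flags(msg, history, repeat_window=timedelta(days=7)):
    """Return review reasons for an invoice email, given earlier invoices."""
    past = [h for h in history
            if _domain(h.sender) == _domain(msg.sender) and h.sent < msg.sent]
    if not past:
        return ["unknown_vendor"]  # no baseline to compare against
    flags = []
    # Known vendor, but this sender has never written to this recipient.
    pairs = {(h.sender.lower(), h.recipient.lower()) for h in past}
    if (msg.sender.lower(), msg.recipient.lower()) not in pairs:
        flags.append("new_sender_recipient_pair")
    # A payment request arrived from this vendor only days ago.
    if any(msg.sent - h.sent <= repeat_window for h in past):
        flags.append("repeat_payment_request")
    # Bank name or routing number differs from every earlier invoice.
    accounts = {(h.bank_name.lower(), h.routing_number) for h in past}
    if (msg.bank_name.lower(), msg.routing_number) not in accounts:
        flags.append("changed_bank_details")
    return flags


# Constructed sample data: addresses, bank names and routing numbers are made up.
BILLING = "billing@printersandmore.example"
AP = "accounting@dundermifflin.example"
HISTORY = [Invoice(BILLING, AP, datetime(2021, m, 3), "First Example Bank", "000000001")
           for m in (1, 2, 3)]
SUSPECT = Invoice(BILLING, "oscar@dundermifflin.example", datetime(2021, 3, 5),
                  "Other Example Bank", "000000002")
ROUTINE = Invoice(BILLING, AP, datetime(2021, 4, 3), "First Example Bank", "000000001")

if __name__ == "__main__":
    print(vendor_invoice_flags(SUSPECT, HISTORY))
    print(vendor_invoice_flags(ROUTINE, HISTORY))
```

None of these checks depends on SPF, DKIM or sender reputation, which a message sent from a genuinely compromised vendor mailbox would pass.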

Protect Your Organization from Compromised Email Accounts in Your Supply Chain

[Image: supply chain compromise detection sample]

Automatically Know Your Vendors

This message from Printers and More asks Oscar to pay an invoice, but Oscar just paid an invoice last week.

Using a real account from the vendor, this message asks the accounting team at Dunder Mifflin to pay a new invoice. Because the team knows that this is a real vendor, they assume that the invoice is legitimate.

Abnormal’s VendorBase auto-identifies and scores real vendors and partners based upon past email communications, and other signals gathered across the entire enterprise ecosystem. In this case, we understand that Printers and More is a real vendor, but determine that the account is compromised because the timing of the request for payment is unusual.

[Image: Abnormal vendor score profile sample]

Continuously Assessing Vendor Risk and Reputation

Review of the email and the vendor database shows that this email is from a legitimate source, so Oscar may approve the payment.

Because Oscar knows that the team works with Printers and More, he would likely authorize payment, especially since the invoice is already past due.

Abnormal not only detects your vendors; we also assign them a risk score based on domains spoofed, accounts compromised, and suspicious business. Because we know that Printers and More has a high likelihood of being compromised, we know that this email is malicious.

[Image: detecting suspicious account number in an invoice]

Inspect Content, Tone, and Attachments

The text of the email asks Dunder Mifflin to pay their past-due invoice immediately, or suffer legal action. However, the invoice includes new banking details.

Abnormal scans all attachments for suspicious information. In this case, we understand that the banking details are different from those typically associated with this vendor.


As a result, Abnormal realizes that the account is likely compromised and an attacker is instead using it to extract money from the vendor’s customers.

[Image: blocking suspicious vendor behavior across org]

Prevent Invoice and Billing Fraud

If Oscar does not pay this invoice, the attacker may try other people at Dunder Mifflin until he finds a more amenable contact.

Because the threat actor has access to the vendor’s email account, he knows which other contacts at Dunder Mifflin he can reach. He may try this tactic on multiple people throughout various departments until he finds someone willing to pay the fake invoice.

Abnormal recognizes this behavior and blocks all suspicious emails from the sender, preventing invoice fraud across the entire Dunder Mifflin organization. This continuous monitoring of the vendor to assess risk scores through VendorBase also ensures that other Abnormal customers are safe from this compromised vendor account.
