By Noah Mizell and Ashley Tran, Cofense Phishing Defense Center

The tactics used for conversations in business email compromise (BEC) can vary, based on topics that often appear specific to a fellow coworker or to a collaboration on a private task for the CEO or another high-ranking executive. The members of the Cofense PDC are all too familiar with, for example, the line, “I want to surprise the staff with gifts.” However, threat actors have caught on to the fact that their tactics are not so secret anymore and are well documented. With this newfound awareness comes the need to evolve methods. As noted in previous Cofense blogs, this can involve soliciting end users for sensitive revenue and customs details or, in the case shown in Figure 1, posing as an audit for open invoices between two companies.

Figure 1: Email Body

In Figure 1, it can be noted that an email has been forwarded by an external user who had suspicions regarding the email seen under “Begin forwarded message.” The initial email is a request detailing the need to update the impersonated company’s “account record” for the forwarding user’s company, and asks for details on “any unpaid payments or an invoice due till date.” Following this request is the forged – yet convincing – email signature for that impersonated company’s chief financial officer, complete with logo.

Because this email was forwarded, the sender details can be seen in the body of the email. The threat actor has spoofed the sender email to appear as though it really did originate from the impersonated company: info@[REDACTEDCOMPANY].com. However, the actual email behind this attack is in the reply-to section of this email: cust.payables@gmail.com.
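The From/Reply-To split described above is the kind of thing a phishing-report triage script can check automatically. The following is an added example, not code from the original post or from Cofense: it parses a constructed forwarded report (the impersonated company's domain is a placeholder; the `cust.payables@gmail.com` Reply-To is the one quoted in the post), pulls the quoted original headers out of the "Begin forwarded message" block, and flags a Reply-To domain that differs from the From domain or points at a freemail provider. The marker text, the header-block layout and the `FREEMAIL_DOMAINS` list are assumptions for this example.

```python
import re
import email
from email import policy
from email.utils import getaddresses

# Assumed list of consumer mail providers; extend to taste.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed sample: an employee forwards the suspicious mail to the security
# team, as in Figure 1. Domains are placeholders; the Reply-To address is the
# one quoted in the post. Date and subject are invented for the example.
SAMPLE_FORWARDED_MESSAGE = """\
From: employee@forwarding-company.example
To: phishing-reports@forwarding-company.example
Subject: Fwd: Account record update - open invoices
Content-Type: text/plain; charset="utf-8"

Looks odd, can you check?

Begin forwarded message:

From: "Chief Financial Officer" <info@impersonated-company.example>
Reply-To: cust.payables@gmail.com
Date: 1 January 2021 09:00
Subject: Account record update - open invoices
To: accounts@forwarding-company.example

Please send details on any unpaid payments or an invoice due till date
so we can update our account record for your company.
"""

HEADER_LINE = re.compile(r"^(From|Reply-To|To|Subject|Date):\s*(.+)$", re.IGNORECASE)
FORWARD_MARKER = re.compile(r"begin forwarded message:?[ \t]*$", re.IGNORECASE | re.MULTILINE)


def _domains(header_value: str) -> list:
    """Lower-cased domain of every address found in a header value."""
    return [addr.rpartition("@")[2].lower()
            for _, addr in getaddresses([header_value]) if "@" in addr]


def extract_forwarded_headers(body: str) -> dict:
    """Return the quoted original headers from a forwarded message body.

    Only the lines after the 'Begin forwarded message' marker are scanned, and
    scanning stops at the first blank line, where the quoted header block ends
    and the original message body begins. Assumes the mail-client layout seen
    in Figure 1; other clients quote headers differently.
    """
    headers = {}
    marker = FORWARD_MARKER.search(body)
    if marker is None:
        return headers
    for line in body[marker.end():].lstrip("\r\n").splitlines():
        if not line.strip():
            break
        match = HEADER_LINE.match(line.strip())
        if match:
            headers[match.group(1).title()] = match.group(2).strip()
    return headers


def assess_reply_to(headers: dict) -> dict:
    """Compare the From and Reply-To domains of a header dict."""
    from_domains = _domains(headers.get("From", ""))
    reply_domains = _domains(headers.get("Reply-To", ""))
    # A Reply-To that routes answers away from the claimed sender's domain is
    # the tell described in the post; a freemail Reply-To makes it worse.
    mismatch = bool(reply_domains) and any(d not in from_domains for d in reply_domains)
    freemail = any(d in FREEMAIL_DOMAINS for d in reply_domains)
    return {
        "from_domains": from_domains,
        "reply_to_domains": reply_domains,
        "reply_to_mismatch": mismatch,
        "reply_to_freemail": freemail,
        "flag_for_review": mismatch or freemail,
    }


def analyze_report(raw_message: str) -> dict:
    """Parse a forwarded phishing report and assess the quoted original headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return assess_reply_to(extract_forwarded_headers(body))


if __name__ == "__main__":
    for key, value in analyze_report(SAMPLE_FORWARDED_MESSAGE).items():
        print(f"{key}: {value}")
```

On the sample above the script reports a From domain of `impersonated-company.example`, a Reply-To domain of `gmail.com`, and sets `flag_for_review`. In a mail gateway the same comparison can be run on the live headers before delivery rather than on a forwarded copy, which also avoids relying on how a particular client quotes forwarded headers.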

The goal of this scam is simple – to obtain the invoice information and utilize it in a follow-up attack. This attack would reference the specific confidential information that was attained to get payment in the name of the impersonated company. Although the subject and wording of this BEC is different from the typical gift card request, or favor for the CEO, the impact most likely to result remains the same: financial crime.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.