Abnormal Intelligence

Business Email Compromise

CFO Email Address Spoofed to Request List of Outstanding Payments and Customer Contact Information

This BEC attack impersonated a company CFO using a spoofed email address and a free webmail reply-to account to request a spreadsheet of all outstanding payments and customer contact information in order to conduct future payment fraud.

November 28, 2022

In this attack, the targeted company’s CFO was impersonated to request a spreadsheet containing all current and pending payments from customers, as well as the contact details for each customer. The rationale provided in the email for needing this information is to update records and estimate the level of outstanding debt. The attack spoofed the CFO’s name and email address to make it look like the message came directly from the executive. The reply-to address, which would have been used by the attacker to communicate with the target, was set to an account hosted on Mail.com, a free webmail provider.


Why It Bypassed Traditional Security

Because the attack is text-based, with no link, attachment, or other indicator of compromise, a secure email gateway has little to work with when judging malicious intent. The spoofed domain does not publish an enforcing DMARC policy (p=quarantine or p=reject), so receiving mail servers are never instructed to reject unauthorized senders that use an address on the domain. The message itself was sent through a Mail.com account, a free webmail service available to anyone, so there is no bad domain reputation for traditional security providers to discover. SPF and DKIM pass for the Mail.com infrastructure that actually sent the message, and without an enforcing policy the DMARC mismatch between that infrastructure and the spoofed From address does not cause the email to be rejected.

Detecting the Attack

Natural language processing enables a cloud email security solution to recognize that the message is an aging report request. Integration with the Microsoft API allows the solution to read the organizational chart from Active Directory and identify VIP mailboxes, so it can tell when an executive is being impersonated via display name deception and that the message did not originate from the executive's own account.
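The checks described in the two sections above (DMARC policy and alignment, the free-webmail reply-to, the VIP identity check, and the aging report request) can be combined into a simple triage routine. The following is an added example and is not Abnormal's code: the DMARC record, VIP directory, free-webmail list, and sample message are all constructed for illustration, and a keyword match stands in for the NLP classifier the page refers to.

```python
"""Heuristic triage for an executive-impersonation aging report request.

Added example, not Abnormal's code. The DMARC record, VIP directory, free
webmail list and sample message are constructed; the keyword check stands
in for the NLP classifier the writeup describes.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT record for the impersonated domain. p=none asks
# receivers only to report, so an unaligned spoof is still delivered.
DMARC_RECORDS = {"example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}

# Free webmail domains an attacker can register on without any vetting.
FREE_WEBMAIL = {"mail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Constructed VIP directory (display name -> mailbox), standing in for the
# org chart a directory/API integration would provide.
VIPS = {"Jane Doe": "jane.doe@example.com"}

# Phrases typical of an aging report request (keyword stand-in for NLP).
AGING_TERMS = ("aging report", "outstanding payments", "pending payments", "outstanding debt")


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if there is none."""
    record = DMARC_RECORDS.get(domain.lower(), "")
    m = re.search(r"\bp=(none|quarantine|reject)\b", record)
    return m.group(1) if m else None


def authenticated_domains(auth_results):
    """Domains that passed SPF (envelope sender) or DKIM (d= tag) per Authentication-Results."""
    domains = set()
    for m in re.finditer(r"spf=pass\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth_results):
        domains.add(m.group(1).lower())
    for m in re.finditer(r"dkim=pass\s+header\.d=([\w.-]+)", auth_results):
        domains.add(m.group(1).lower())
    return domains


def dmarc_aligned(from_domain, auth_domains):
    """Relaxed DMARC alignment: From domain equals or is a subdomain of an authenticated domain."""
    fd = from_domain.lower()
    return any(fd == d or fd.endswith("." + d) for d in auth_domains)


def triage(raw_message):
    """Score the BEC indicators in one RFC 5322 message (single-part body assumed)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    auth_domains = authenticated_domains(msg.get("Authentication-Results", ""))
    aligned = dmarc_aligned(from_domain, auth_domains)
    policy = dmarc_policy(from_domain)

    # Display-name deception (VIP name on a foreign address) or an exact
    # address spoof that the org's own infrastructure did not authenticate.
    vip_addrs = {a.lower() for a in VIPS.values()}
    claims_vip = name in VIPS or addr.lower() in vip_addrs
    name_addr_mismatch = name in VIPS and VIPS[name].lower() != addr.lower()
    vip_impersonation = claims_vip and (name_addr_mismatch or not aligned)

    # Replies are steered to a free webmail mailbox the attacker controls.
    reply_to_free_webmail = bool(reply_domain) and reply_domain != from_domain and reply_domain in FREE_WEBMAIL

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    aging_request = any(term in text for term in AGING_TERMS)

    if vip_impersonation and (aging_request or reply_to_free_webmail):
        verdict = "block"
    elif vip_impersonation or reply_to_free_webmail:
        verdict = "review"
    else:
        verdict = "deliver"

    return {
        "dmarc_aligned": aligned,
        "dmarc_policy": policy,
        "dmarc_enforced": policy in ("quarantine", "reject"),
        "vip_impersonation": vip_impersonation,
        "reply_to_free_webmail": reply_to_free_webmail,
        "aging_request": aging_request,
        "verdict": verdict,
    }


# Constructed message modelled on the attack described above.
SAMPLE_ATTACK = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=cfo.jdoe@mail.com; dkim=pass header.d=mail.com
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <cfo.jdoe@mail.com>
To: accounts.receivable@example.com
Subject: Updated aging report needed

Please send me a spreadsheet of all outstanding payments and pending payments,
with contact details for each customer, so I can update our records and
estimate the level of outstanding debt.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ATTACK).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires the impersonation signal plus a second indicator before blocking: a genuine CFO asking for an aging report from an aligned, DKIM-signed mailbox is delivered, while the same wording from an unaligned From address with a free-webmail Reply-To is blocked. In production the DMARC record would come from a DNS lookup and the VIP list from the directory rather than the constructed tables here.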

Risk to Organization

Due to the spoofed display name, employees receiving the email may instinctively follow the instructions since it appears to come from a person of authority. This attack is unlikely to have a direct financial impact on the organization receiving it, but it could negatively impact customer trust and brand perception. Once the attacker has the list of outstanding payments, they can use that (accurate) information to email customers and request that payment be made immediately. And once those customers make the payment, their money is gone, not to the vendor they thought they were paying but to a bank account owned by the attacker.

Classification

Business Email Compromise, Text-based, Employee - Executive, Aging Report Theft
