Threat Research | 9 min read

Fake Invoice Attack with Malware Bypasses Office 365


Lauryn Cash
Lauryn Cash

This blog examines a Vendor Invoice Fraud attack that included Malware within an attachment, and impersonated a trusted vendor. The email attack bypassed Microsoft Office 365 email security with the potential to compromise more than 100,000 users if not for Armorblox stopping the attack.

Fake Invoice Attack with Malware Bypasses Office 365

Interacting with vendors has become an everyday part of doing business. And through these frequent interactions, many of us build a certain level of trust with our vendors over time. Sadly, bad actors are counting on this trust, eager to exploit it. In today’s Blox Tale, we will dive into the details of a malware attack disguised as a vendor invoice awaiting payment.

Attackers targeted end users across the organization with an email attack that looked like a legitimate invoice reminder notification from a trusted vendor. The email attack had a socially engineered payload, bypassed Microsoft Office 365 email security, with the potential to compromise more than 100,000 users if it weren’t for Armorblox successfully identifying and stopping this vendor invoice fraud email attack.


Mailboxes: More than 100,000 mailboxes

Target: A large, national institution within the Education Industry

Email security bypassed: Microsoft Office 365 Email Security

Techniques used: Social engineering, trusted vendor impersonation, replicating existing business workflows, malicious attachment that contains malware

The Email

The subject of this email encouraged victims to open the message and read: “Re: Please find invoice attached!”. The goal of this subject was to instill a sense of urgency in the victims, making it seem like an action needed to be taken as soon as possible. The attacker aimed to pass the eye test of unsuspecting victims by manipulating the sender name, Invoice-587011, to look like it corresponded with the number of the invoice needing review by the recipient.


Fig 1: Snapshot of email attack impersonating trusted vendor with malicious attachment

Bad actors can easily become privy to the relationships of the target business(es), trusted vendors and third-party contacts, and common business email workflows. Attackers gain knowledge about each organizations’ vendor relationships through utilizing publicly available information as well as compromising trusted vendor or supply chain partner accounts.

In targeted attacks like these, it's quite easy with some quick internet sleuthing to uncover details around the vendors and third-party contacts organizations are frequently in contact with. The body of this malicious email includes the logo of the trusted vendor being impersonated, Hetzner - an IT service management company based in Germany. Unfortunately, the attacker could have uncovered that Hetzner is a trusted vendor contact, or known that this vendor is a common IT management company across the Education Industry, further adding legitimacy to this vendor invoice fraud attack.

The body of the email contains nothing more than a legitimate logo and a short message, allegedly from the Hetzner Online Team. But the main goal of the attacker is to get the recipients to open the attached file, which contains malware.


Fig 2: Snapshot of attachment that installed malware onto machine once opened

Upon opening the attachment, unsuspecting victims were met with a message that seemed to be from Microsoft informing the recipient that he or she was being taken to the organization’s sign-in page. No matter if the end user immediately closed the attachment or waited to be navigated through, just opening the attachment initiated the installation of malware onto the user’s machine.

Attack Flow

This email attack impersonated a trusted vendor contact, with the intention to create a sense of trust in unsuspecting victims. Attackers included legitimate logos and language across the email to portray that the communication and the associated attachments were coming from a trusted contact, with the goal to install malware onto the users’ machine.


Fig 3: Vendor Invoice Fraud email attack flow

The Power of Armorblox

The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DKIM email authentication checks.

Attackers created a new domain in order to send this malicious email that contained malware. This email still bypassed native email security controls even though this email failed DMARC because the attackers failed to set this up prior to launching this attack. Microsoft marked this email as safe (and assigned an SCL score of 1) which would have delivered it to more than 100,000 user inboxes. Fortunately, these end users are protected by Armorblox, who accurately detected this email attack that contained a malicious attachment with malware. Armorblox uses Natural Language Understanding (NLU) to understand the content and context of email communications to provide organizations and end users better protection from these types of targeted, socially engineered email attacks


Fig 4: Snapshot of Armorblox Malware Analysis results and details

Armorblox automatically detected and identified this targeted attack as a vendor impersonation, which is outside the breadth of security layers Microsoft native email security can provide. Armorblox identifies vendor and supply chain relationships in real-time based on contextual information and language and behavior signals indicative of a vendor relationship. These vendor relationship behavior baselines are created and monitored through various signals including, business email workflows involving invoices, wire transfers, or bank account information, new product or service confirmation emails, and communications around contract negotiations.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims. Trust was induced by impersonating a trusted vendor and a sense of urgency through the language used within the subject and body of the email. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Trusted Vendor Impersonation: Companies usually have varying levels of security hygiene and compromising one weak link in a supply chain can result in compromising the entire chain. Attackers lean into this when looking to compromise trusted vendors, suppliers, or third-party contacts in communication with the target organization. After successfully compromising trusted accounts, bad actors have full access to the nature of the business relationship; including gaining access to invoices, confidential business data and information, and bank accounts and routing numbers, of which they can leverage to craft targeted and financially damaging attacks.

Spoofing known workflows: The email was engineered to target a common business workflow of paying an invoice of a vendor doing business with an organization. It is not uncommon for vendors to send reminder emails about upcoming or missed payments, and with the increased number of vendors in contact with organizations it is hard for both security teams and end users to keep track of all communications and invoice due dates. When common workflows are spoofed, end users have a higher chance of taking action versus exercising caution.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past native email security. For better protection and coverage against email attacks (whether they’re spear phishing, business email compromise, or malware attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, as well as Armorblox highlights this in the 2022 Email Security Threat Report, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of credentials being exfiltrated:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software like LastPass or 1password to store your account passwords.

Learn how Armorblox protects your end users from targeted attacks.

Take BEC Tour

Experience the Armorblox Difference

Get a Demo