Attack Vault
The Attack Vault contains samples of email-based cyber attacks targeting enterprise users, including business email compromise (BEC) attacks, financial supply chain fraud, credential phishing, malware attacks, and other types of scams. The email subject and body content of these samples can be searched and the repository can be filtered based on specific characteristics using the options below.
This collection of attack samples is not meant to be a comprehensive repository of all email-based threats. Rather, the Attack Vault contains a cross-section of various types of cyber threats--each containing a unique combination of tactics, themes, and/or content--to provide a general overview of some of the more notable attacks observed in today's email threat landscape.
Hello,
Can you please confirm with your accounting department if there's any due/unpaid invoices owed to our company, as we are currently switching to a new accounting software and a couple of invoices are missing? We apologize for the inconvenience, kindly attach any due/unpaid invoices with this email. I'll appreciate it if all concerned people treat this as urgent. Thanks.
Regards,
[Impersonated Vendor Executive Name]
Chief Executive Officer
[Impersonated Vendor Company]
[Impersonated Vendor Address]
Vendor Impersonation Overdue Payment BEC Attack
This text-based BEC attack impersonates a vendor/supplier using display name spoofing, a maliciously registered domain, and an overdue payment theme to request a fraudulent payment.

Dear Colleagues & AP Team,
Please be informed that we have not yet received payment with respect to these invoices.
2/2111/01-2/2203/01 for Eurocontrol Belgium(Nov. to Dec., 2021 & Jan.-Mar 2022)
HE/2111/01-2/2203/01 for Eurocontrol Belgium Egypt(Nov. to Dec., 2021 & Jan.-Mar 2022)
UM/2111/01-2/2203/01 for Eurocontrol Belgium Belarus(Nov. to Dec., 2021 & Jan.-Mar 2022)
05/2111/01-2/2203/01 for Eurocontrol Belgium Netherlands(Nov. to Dec., 2021 & Jan.-Mar 2022)
IC/2111/01-2/2203/01 for Eurocontrol Belgium Ireland(Nov. to Dec., 2021 & Jan-Mar 2022) ETC.
You are hereby advised to settle these bills as soon as possible because some of the invoices are already in arrears. Also please advise if these payments have been remitted and kindly provide to us by return email the copy of the swift confirmation and proofs of payment , to enable us reconcile our accounts and to further advise you on future transactions and payments.We regret all inconveniences and plead that you bear with us.
Thanks for your cooperation. we await your prompt response.
My best regards
[Impersonated Third Party Name]
General Manager Accounts
Head of CAT / CO2 (Collection of Air Navigation Charges)
CRCO / CAT / CO2
EUROCONTROL
96 Rue de la Fusée, 1130 Brussels, Belgium
Email: [Impersonated Email Address]
External Third Party Impersonation Payment Inquiry BEC Attack
This text-based BEC attack impersonates an external third party using display name spoofing, a look-alike domain, and a payment inquiry theme to request a fraudulent payment.

Dear Manager Accounts,
EUROCONTROL HEREBY REMINDS YOU OF THE UNPAID INVOICES WHICH HAS BEEN SENT TO YOU. WE ADVISED THAT YOU EXPEDITE ACTIONS NOW TO SETTLE THE
BILLS AS EARLY AS POSSIBLE SO THAT WE CAN CLOSE THIS FILE .THE PAYMENTS ARE OVERDUE NOW AND HENCE ,IT IS IMPORTANT THAT YOU TAKE THE NECESSARY ACTIONS AS SOON AS POSSIBLE TO MAKE PAYMENTS.
WE ALSO HEREBY,INFORM YOU OF THE CHANGE IN OUR ACCOUNT DETAILS FOR ALL EUROCONTROL PAYMENTS AS THE CASE MAY BE, FOR SPECIFIC TRANSACTIONS AND
AS DIRECTED BY THE MANAGEMENT. YOU ARE ADVISED TO INFORM US ADEQUATELY BEFORE ANY PAYMENTS ARE MADE SO THAT WE CAN PROVIDE YOU WITH THE NEW
ACCOUNTS.
PLEASE YOU ARE ADVISED TO CONFIRM THIS FROM US IMMEDIATELY.THE DETAILS WILL BE FORWARDED TO YOU IN GOOD TIME AS SOON AS WE RECEIVE YOUR
ADVISE. PLEASE TAKE NOTE,WE DO NOT WANT ANY MIX-UPS AND MISUNDERSTANDING AGAIN.
KINDLY CONFIRM RECEIPT OF THIS NOTICE BY PROMPT RESPONSE
WE APPRECIATE YOUR UNDERSTANDING AND ALWAYS COUNT ON YOUR COOPERATION.
Best Regards,
[Impersonated Third Party Name]
Assistant to the Treasurer
DR/PFO - Treasury Section
EUROCONTROL 96 Rue de la Fusee
1130 Brussels,Belgium.
External Third Party Impersonation Overdue Payment BEC Attack
This text-based BEC attack impersonates an external third party using display name spoofing, a free webmail account, an overdue payment theme, and a payment account update theme to request a fraudulent payment.

Message Notification
We've sent you an important message about your account. Please click below to sign into Online Banking or the Mobile App to view your message.
View Your eMessage
This email is sent by an automated system, please do not reply to this email.
Navy Federal Credit Union Account Update Credential Phishing Attack
This link-based attack impersonates Navy Federal Credit Union using an external compromised account and account update theme to steal credentials.

Hi [Target First Name],
I need you to take care of a payment to a Vendor today. Let me know if you can and what payment option you have so I can provide you with the information you need and the paperwork/invoice to process the payment.
Thanks
[Executive Name]
[Executive Title & Organization]
Executive Impersonation Payment Fraud BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a free webmail account to request a fraudulent payment.

Hello [Recipient Name]
You have a new Fax Document for [Recipient Company Name].
April 21, 2022
Attached are the documents for your review. Please review at your earliest convenience. Thank you.
© [Recipient Company Name] Management. All rights reserved.
Fake Document HTML Attachment Credential Phishing Attack
This payload-based attack uses an HTML attachment and fake document theme to steal credentials.

Could you please confirm if a wire payment can be processed to a consultant today? Let me know when you get this so i can give details.
Kind Regards,
[Executive First Name]
Executive Impersonation Payment Fraud BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a free webmail account to request a fraudulent payment.

Hello [Target First Name],
Kindly create a spreadsheet and run the aging report, manually including each customer's contact email
Please work on that as soon as possible and let me know when i can have it.
Thank You,
[Executive First Name].
Executive Impersonation Aging Report BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a maliciously registered domain to request a copy of an aging report.

[Target First Name],
Please I need you to take care of a financial obligation for me in order to finalize an agreement with a partner. Let me know when you are available so i can forward you the EFT/Wire Transfer as received for processing.
Regards.
Executive Impersonation Payment Fraud BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a maliciously registered domain to request a fraudulent payment.

Hello
As soon as possible, I want to update my paycheck account information. Will the change be effective before the next payroll is completed?
Regards
[Executive Name]
Executive Impersonation Payroll Diversion BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a free webmail account to divert payroll deposits to a fraudulent account.
