Attack Vault
The Attack Vault contains samples of email-based cyber attacks targeting enterprise users, including business email compromise (BEC) attacks, financial supply chain fraud, credential phishing, malware attacks, and other types of scams. The email subject and body content of these samples can be searched and the repository can be filtered based on specific characteristics using the options below.
This collection of attack samples is not meant to be a comprehensive repository of all email-based threats. Rather, the Attack Vault contains a cross-section of various types of cyber threats--each containing a unique combination of tactics, themes, and/or content--to provide a general overview of some of the more notable attacks observed in today's email threat landscape.
[Recipient Company Name Header]
[Recipient Email Address]
[Recipient Name] has shared a secured document with you using
Adobe Creative Cloud Service.
Open PO-22993.pdf
Respectfully,
[Signature)
Adobe Fake Document Credential Phishing Attack
This link-based attack impersonates Adobe using email spoofing and a fake document theme to steal credentials.
[Target First Name],
I need you to email me the aging report from A/R (Due within the next 30 days and a month overdue), and also include the customer payable contact email on this report.
Regards,
[Executive Name].
Executive Impersonation Aging Report BEC Attack
This text-based BEC attack impersonates an executive using display name spoofing and a maliciously registered domain to request a copy of an aging report.
Hello [Recipient Name]
Kindly re-confirm your cell #, I need to know if you are available at the moment, I have an assignment to complete in a presentation.
Thanks.
Executive Impersonation Gift Card BEC Attack
This text-based BEC attack impersonates an executive using a cell phone request, display name spoofing, and a free webmail account to request the purchase of gift cards.
Dear [Recipient Username]
York University has issued payment of $1348.71 in settlement of the item(s) listed in the attached remittance advice. The amount will be deposited into your bank account within two business days.
Disclaimer Notice:
This email and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return email, delete this email, and destroy any
copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal.
*************************************************************************
Avertissement:
Ce courriel, ainsi que toutes les pièces jointes, peuvent contenir des informations confidentielles et privilégiées. Si vous n'êtes pas le destinataire voulu, veuillez en informer l'expéditeur immédiatement en
lui retournant le courriel, et détruisez le ainsi que toutes les copies. La diffusion ou l'utilisation de cette information par une personne autre que le destinataire voulu est non autorisée et peut être illégale.
Fake Invoice HTML Attachment Credential Phishing Attack
This payload-based attack impersonates an external third party using an HTML attachment and fake invoice theme to steal credentials.
We have issues with your shipment address
Reason: Your shipping address has an error.
It may be caused by different formats that are used in e-shops.
Shipment Details
Email : [email address]
Status: Needs customer's verification
Tracking Number: 1Z0905238580532086
Number of Packages: 1
Scheduled Delivery Date: March, 31 2022
Weight: 2.5 LBS
Please check the document, fill in the form and send it back.
DOCUMENT DOWNLOAD LINK
Fake Shipping Notification Link-based Malware Attack
This link-based attack impersonates a brand using an external compromised account and a fake shipping notification theme to deliver malware.
Greetings!
Have you seen lately my e-mail to you from an account of yours?
Yeah, that merely confirms that I have gained a complete access to device of yours.
Within the past several months, I was observing you.
Are you still surprised how could that happen? Frankly speaking, malware has infected your devices and it's coming from an adult website, which you used to visit.
Although all this stuff may seem unfamiliar to you, but let me try to explain that to you.
With aid of Trojan Viruses, I managed to gain full access to any PC or other types of devices.
That merely means that I can watch you whenever I want via your screen just by activating your camera as well as microphone, while you don't even know about that.
Moreover, I have also received access to entire contacts list as well as full correspondence of yours.
You may be wondering, "However, my PC is protected by a legitimate antivirus, so how could that happen? Why couldn't I get any alerts?"
To be honest, the reply is quite straightforward: malware of mine utilizes drivers, which update the signatures on 4-hourly basis,
which turns them to become untraceable, and hereby making your antivirus remain idle.
I have collected a video on the left screen where you enjoy wanking, while the video on the right screen shows the video you were watching at that point of time.
Still puzzled how much damage could that cause? One mouse click is enough for me to share this video to your social networks, as well as e-mail contacts of yours.
In addition, I am also able to gain access to all e-mail correspondence as well as messengers used by you.
Below are simple steps required for you to undertake in order to avoid that from occurring - transfer $1450 in Bitcoin equivalent to my wallet
(if you don't know how to complete that, just open your browser and make a google search: "Buy Bitcoin").
My bitcoin wallet address (BTC Wallet) is: 1Chh8EcWosTHo7LyVhkoDsyhVBmGDPnqNo
Once the payment has been confirmed, I shall remove the video without delay, and that is end of story - afterwards you won't hear about me again for sure.
The time for you to perform the transaction is 2 days (48 hours).
After this e-mail is opened by you, I will get an automatic notice, which will start my timer.
Any effort to complain will not change anything at all, because this e-mail is simply untraceable, just like my bitcoin address.
I have been developing these plans for quite an extended period of time; so, don't expect any mistake from my side.
If, get to know that you tried to send this message to anyone else, I will distribute your video as described earlier.
Fake Malware Infection Extortion Attack
This text-based extortion attack uses a fake malware infection theme to demand a payment.
DEAR CUST0MER,
Y0UR SUBSCRIPTI0N WITH MCAFEE HAS BEEN RENEWED T0DAY. AM0UNT HAS BEEN DIRECTLY DEBITED
FR0M Y0UR BANK ACC0UNT AND IT WILL REFLECT IN Y0UR ACC0UNT STATEMENT WITHIN 24-48 H0URS.
IF Y0U ARE HAPPY WITH MCAFEE SERVICES. D0N'T F0RGET T0 GIVE A FEEDBACK.
PR0DUCT DESCRIPTI0N:
MCAFEE® T0TAL PR0TECTI0N
QUANTITY: 1
TENURE: 1 YEAR
INV0ICE ID: LP0/452136985
PAYMENT METH0D: DIRECT DEBIT
RENEWAL AM0UNT: $299.99
IF Y0U D0 N0T WISH T0 RENEW THE SUBSCRIPTI0N PLEASE C0NTACT 0UR CANCELLATION DEPARTMENT
IMMEDIATELY AND GET BACK Y0UR REFUND @ +1-806-531-6922
TERMS AND CONDITIONS:
THE PAYMENT HAS BEEN CLEARED AND WILL APPEAR IN THE ACC0UNTS STATEMENT WITHIN 24-48 H0URS.
Y0U ARE RECEIVING THIS N0TICE BECAUSE Y0U ARE ENR0LLED WITH MCAFEE® T0TAL PR0TECTION & Y0UR
SUBSCRIPTI0N HAS BEEN AUT0-RENEWED. H0WEVER, IF Y0U D0 N0T WISH T0 C0NTINUE WITH THE SERVICE
0R WANT A REFUND 0F THIS AM0UNT. KINDLY C0NTACT 0UR HELPLINE NUMBER +1-806-531-6922
IF Y0U PURCHASED 0R RENEWED Y0UR PR0TECTI0N DIRECTLY FR0M A MCAFEE PARTNER, Y0UR CHANGE WILL
N0T BE F0RWARDED T0 THAT PARTNER. C0NTACT THEM DIRECTLY T0 UPDATE THEIR REC0RDS.
© 2022 MCAFEE INC. ALL RIGHTS RESERVED. MCAFEE, THE MCAFEE L0G0, THE CHECKMARK L0G0, MCAFEEN,
AND THE L0CKMAN L0G0 ARE TRADEMARKS 0R REGISTERED TRADEMARKS 0F MCAFEE INC. 0R ITS AFFILIATES
IN THE UNITED STATES AND 0THER C0UNTRIES. MCAFEE INC., 60 E RI0 SALAD0 PKWY STE 1000, TEMPE,
AZ 85281 ASIA PACIFIC PTE LTD, 6, TEMASEK BLVD, #12-01, SINGAP0RE 038986, SINGAP0RE. MCAFEE LIMITED,
BALLYC00LIN BUSINESS PARK, BLANCHARDST0WN, DUBLIN 15 IRELAND EMAIL IDENTIFIER: C0LP_CHANGE_ACC_MKT_0PT_IN
McAfee Subscription Renewal Fake Billing Scam
This text-based fake billing scam impersonates McAfee using a subscription renewal theme.
I need you to send me list of all unpaid vendor invoices or Aged Creditors Summary.
Thank you
[Impersonated Employee Name]
[Impersonated Employee Title]
[Impersonated Employee Company]
Employee Impersonation Aging Report BEC Attack
This text-based BEC attack impersonates an employee using display name spoofing and a maliciously registered domain to request a copy of an aging report.
The details of the payment are attached.
In case the zip file attachment is encrypted, the password is: "ZXCVGYUJMKIUJMN"
2243848480174307456285844102454191036249820820043050821407628038228248024090549941101163607899475155
jobId: sb_120923_bs
Fake Payment Receipt ZIP Attachment Malware Attack
This payload-based attack uses a ZIP archive attachment and a fake payment receipt theme to deliver malware.
IMPORTANT NOTICE:
We are required to send you this notice to inform you that you have unpaid taxes.
Please reply back so we can send you a statement and to resolve your tax account.
This email was sent by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535
IRS Overdue Payment BEC Attack
This text-based BEC attack impersonates the IRS using a look-alike domain and an overdue payment theme to request a fraudulent payment.