Attack Vault
The Attack Vault contains samples of email-based cyber attacks targeting enterprise users, including business email compromise (BEC) attacks, financial supply chain fraud, credential phishing, malware attacks, and other types of scams. The email subject and body content of these samples can be searched and the repository can be filtered based on specific characteristics using the options below.
This collection of attack samples is not meant to be a comprehensive repository of all email-based threats. Rather, the Attack Vault contains a cross-section of various types of cyber threats--each containing a unique combination of tactics, themes, and/or content--to provide a general overview of some of the more notable attacks observed in today's email threat landscape.
Hello [Recipient First Name],
I quickly need your help with a task for a client,
let me know if you are free now.
Thank you very much.
Sent from my iPhone
German Executive Impersonation Gift Card Request BEC Attack
This text-based German-language BEC attack impersonates an executive using an external compromised account and a spoofed display name to request the purchase of gift cards.
Thanks For Your Order,
We notice unauthorized transactions from your PayPal account [Recipient Email Address]
If this transaction has not been done by you, please call us to cancel this order,
Otherwise, your $579.99 will be charged today,
Items Ordered: 1 you’re Billing Information.
Description. Quantity Unit Price Total Price
Google Pixel 01 $579.99 $579.99
Your Order Number: ABG23-47FG4-47FG7-47FH9
Purchase Date: Tuesday, June 14
Transaction id: PAY78650011254MCN
Whether this purchase has been made by you or not and if you wish to cancel this payment or approve this payment,
Please call us +1 445-666-3544
Sincerely,
PayPal
Billing Department
+1 445-666-3544
PayPal Suspicious Account Activity Fake Billing Scam
This text-based fake billing scam impersonates PayPal using a suspicious account activity theme.
Good Morning [Recipient First Name]
Please kindly re-update my direct deposit account for upcoming payroll
I have an issue with my bank account, I will try and have it sorted
out later. Please have it updated ASAP.
Please make sure the payroll system process my direct deposit into my
new account be added today.
Can I email the new routing and account number details for the update
to be made today ?
Thank you.
[Impersonated Employee Name]
[Impersonated Employee Title] at [Target Company Name]
Employee Impersonation Payroll Diversion BEC Attack
This text-based BEC attack impersonates an employee using a spoofed display name and a free webmail account to divert payroll deposits to a fraudulent account.
Hello payroll,
I would like to change the account on my payroll to a new account and
I would like to know if it will be effective for the next payment?
Thank you
[Impersonated Employee Name]
[Impersonated Employee Title]
Italian Employee Impersonation Payroll Diversion BEC Attack
This text-based Italian-language BEC attack impersonates an employee using a spoofed display name and a free webmail account to divert payroll deposits to a fraudulent account.
Hello [Recipient First Name],
How are you?
Have you recently received a phone call or email from one of our attorneys regarding an ongoing transaction for the company?
Regards,
[Executive Name]
Sent from my iPhone
Executive Impersonation Legal Matter Payment Fraud BEC Attack
This text-based BEC attack impersonates an executive using an extended spoofed display name, a maliciously registered domain, and a legal matter theme to request a fraudulent payment.
Good morning,
Take a look at this document and let me know your opinion.
Thank you
[Hijacked thread contents]
> From: [Internal Employee Name] <[External Third Party Email]>
> Sent: Thursday, April 1, 2021 3:45 PM
> To: [Recipient Name] <[Recipient Email Address] >
> Subject: Fwd: [Hijacked Thread Subject]
>
>
[Hijacked thread contents]
>
> From: [External Third Party Name] <[External Third Party Email]>
> Sent: Thursday, April 1, 2021 11:00:59 AM
> To: [Internal Employee Name] <[Internal Employee Email]>
> Subject: [Hijacked Thread Subject]
>
[Hijacked thread contents]
HTML Attachment Malware Attack
This payload-based attack impersonates an external third party using a hijacked email thread and an external compromised account to deliver malware.
Good Morning,
This is Ok to pay. See below and attached. Please set up ACH for the attached invoice today.
---------- Forwarded message ---------
From: LinkedIn Receivables Team <cindy.deguzman@receivable-linkedin.com>
Date: Friday, May 27, 2022 12:27 PM
Subject: Reference Number(s):CS4815555-18 LinkedIn Invoice(s)
To: [Executive Name]
Dear Customer,
Invoices on your LinkedIn account are past due.
This is a friendly reminder that you currently owe: $4,967.50
Please send payment via ACH only using the bank details provided on the invoice.
Please note: You may notice some improvements to your invoice. As part of our ongoing commitment to deliver a better billing experience, we have introduced several changes. To learn more about your new invoice, check on our website.
For payment related questions please reply to this email without changing the subject line.
Sincerely,
Cindy De Guzman
LinkedIn Collections
Executive Impersonation Overdue Payment Payment Fraud BEC Attack
This text-based BEC attack impersonates an executive using a fake email chain, a maliciously registered domain, a spoofed display name, and an overdue payment theme to request a fraudulent payment.
Hello [Recipient First Name],
I have just received a message from Krystian Czerniecki about an unpaid invoice from Sullivan & Cromwell LLP for the services offered to us. Can we pay the invoice today?
I will provide more information about this incident later, after the forum review
I understand that the previously sent invoice ended up in our spam. Can we pay the bill today?
Regards
[Executive Name],
-------------------------------------------------------------------------------------załaskane wiadomości-----------------------------------------------------------------------------
From: Krystian Czerniecki <krystian.czerniecki@sullivcrom.com>
To: [Executive Name] <[Executive Email Address]>
Published: May 10, 2022 12:55
Subject: Sullivan & Cromwell LLP
Hello [Executive First Name],
I am sending the invoice again as a reminder. I would like to inform you that this invoice is already due today. Should we expect this payment soon?
Regards
Krystian Czerniecki
Sullivan & Cromwell LLP
Address: 1 New Fetter Lane,
London EC4A 1AN
United Kingdom
Polish Executive Impersonation Overdue Payment Payment Fraud BEC Attack
This text-based Polish-language BEC attack impersonates an executive using a fake email chain, a spoofed display name, a maliciously registered domain, and an overdue payment theme to request a fraudulent payment.
I am attaching Past Due invoices for [Recipient Company Domain]. If you have any questions, please let me know. Thanks!
INVOICE. PO# AMOUNT SO#
039 B2005 $2,355.00 03049
040 B2006 $10,098.00 03033
041 B2007 $2,246.00 03066
042 B2008 $1,049.50 03040
043 B2009 $49.50 03003
044 B2010 $147.00 03031
045 B2011 $2,160.00 03063
046 B2011 $12,160.00 03063
TOTAL: $30,265.00
Best Regards,
[Third Party Employee Name]
[Third Party Employee Title]
Overdue Payment HTML Attachment Credential Phishing Attack
This payload-based attack impersonates a vendor/supplier using an external compromised account, a personalized email subject, and an overdue payment theme to steal credentials.
Dear [Recipient User Name]
We recently received a report of a photo posted on your Instagram. An image of your album is reported to contain copyright content.
If no objection is made about the copyrighted work, we will need remove your account. Please fill in the appeal form.
Appeal Form
Instagram Suspicious Account Activity Credential Phishing Attack
This link-based attack impersonates Instagram using a look-alike domain and a suspicious account activity theme to steal credentials.