Key Points
- Sextortion scams distributed through online invoicing and accounting services
- Three similar campaigns identified using the same Bitcoin address for payment
- Evasion techniques used to bypass security solutions
- Predominately targeting US and Australian businesses
The Mimecast Threat Research team has identified a new sextortion scam campaign leveraging legitimate invoicing services to distribute malicious emails. These campaigns, which began in June 2025, utilise evasion techniques to bypass security solutions and target unsuspecting recipients. The campaigns are notable for their use of legitimate services to lend credibility to their malicious intent.
Campaign Details
Recent phishing campaigns have been identified utilising Eslip, Snap Invoicing, and Loyverse for distribution. These platforms, which provide invoicing and payment processing services, are being exploited to facilitate automated scams. The campaigns exploit the functionality of established invoicing services, allowing attackers to send fraudulent email notifications that appear legitimate. This tactic not only enhances the credibility of the scams but also increases the likelihood of user engagement.
Three similar campaigns have been identified, all using the same Bitcoin wallet address for payment and the same email reply-to address, indicating a coordinated effort. The emails claim to have compromising material on the recipient and demand payment in Bitcoin to prevent the release of this material. Other personal information, such as the recipient's date of birth or password, is included to lend further legitimacy and cause panic. This points to the recipient's information having been exposed in a data breach, and shows how this type of data can be leveraged for onward attacks.
Evasion Techniques
To bypass security solutions, the attackers employ the following methods:
- Splitting the Bitcoin address into two parts within the email to avoid detection by automated scanners.
- Hosting additional extortion details, including the Bitcoin address, on an external hosting site (catbox.moe). This ensures that sensitive details are not directly included in the email body, further evading detection.
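A defensive check for the two techniques listed above, as an added example that is not code from Mimecast or the original article: it rejoins base58 fragments found in an email body and accepts a pair only if the combined string passes the Bitcoin base58check checksum, and it flags catbox.moe links. The function names, the sample email and the sample address (built from a constructed 20-byte payload) are assumptions; bech32 (bc1...) addresses are not covered.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FRAGMENT = re.compile(r"[1-9A-HJ-NP-Za-km-z]{6,35}")  # runs of base58 characters
CATBOX = re.compile(r"https?://(?:[\w-]+\.)*catbox\.moe\b\S*", re.I)

def b58check_encode(version, payload):
    """Encode version+payload as base58check (used only to build the sample)."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_valid(candidate):
    """True for a legacy (P2PKH/P2SH) address with a correct checksum."""
    if not 26 <= len(candidate) <= 35 or any(c not in B58 for c in candidate):
        return False
    num = 0
    for ch in candidate:
        num = num * 58 + B58.index(ch)
    pad = len(candidate) - len(candidate.lstrip("1"))  # leading '1' = zero byte
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return len(raw) == 25 and raw[0] in (0, 5) and raw[-4:] == checksum

def scan_email(body):
    """Report intact addresses, addresses that only validate once two
    separated fragments are joined in order, and catbox.moe links."""
    frags = FRAGMENT.findall(body)
    whole = [f for f in frags if b58check_valid(f)]
    rejoined = [a + b for i, a in enumerate(frags)
                for b in frags[i + 1:] if b58check_valid(a + b)]
    return {"whole": whole, "rejoined": rejoined, "links": CATBOX.findall(body)}

# Constructed sample: the address comes from a made-up payload, not a real wallet.
ADDR = b58check_encode(0, bytes(range(1, 21)))
SAMPLE = (
    "Send the payment in BTC. Wallet part 1: " + ADDR[:16] +
    " and part 2: " + ADDR[16:] + "\n"
    "Full instructions: https://files.catbox.moe/EXAMPLE.txt\n"
)

if __name__ == "__main__":
    print(scan_email(SAMPLE))
```

A non-empty `rejoined` list is the stronger signal: ordinary words that happen to be base58 almost never combine into a string with a valid checksum, so a hit means the address was deliberately split.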
Dimakatso Makinta