Key Points
- Large-scale BEC invoice fraud campaign targets global organizations across multiple industries using urgent payment requests to exploit time-sensitive business processes.
- Attackers deploy sophisticated automation, including AI-generated email content, programmatic file creation, and headless browser technology that generates PDF invoices before distribution.
- The campaign employs advanced deception techniques, combining fake email threads with fabricated CEO confirmations and automated HTML construction to establish false legitimacy.
Campaign Overview
The Mimecast Threat Research team has identified a Business Email Compromise (BEC) campaign that leverages automated fake email threads to execute invoice fraud at scale. This campaign represents a significant evolution in BEC tactics, combining traditional social engineering with AI-driven automation to create convincing fabricated conversations between executives and external service providers. The threat actors construct fake email chains that appear to show legitimate business correspondence, with each thread carefully crafted to include CEO or senior executive approval for urgent invoice payments. The campaigns demonstrate clear signs of automation, from AI-generated email content to PDF attachments that are created programmatically with headless browser technology immediately before email transmission.
Technical analysis of the campaign reveals several indicators of automated deployment.
Linguistic and structural analysis of the email body revealed characteristics—such as highly fluent language, coherent context, and lack of typical grammatical errors—that are strongly indicative of content generated by a Large Language Model (LLM), rather than crafted manually.
The email HTML contains several embedded comments that describe what should go in each section of the email.
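A defender-side triage sketch for the indicators described above: template comments left in the email HTML, a PDF produced by a headless browser, and a PDF created moments before the message was sent. This is an added example, not Mimecast's detection logic; the `HeadlessChrome` marker, the five-minute window, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Assumption: the page names no browser; "HeadlessChrome" is the user-agent
# token headless Chrome writes into the Creator field of PDFs it prints.
HEADLESS_MARKERS = (b"HeadlessChrome",)

# Constructed sample (not campaign data); the PDF is a stub with a plain Info dict.
SAMPLE = (
    b"From: billing@vendor.example\r\nTo: ap@corp.example\r\n"
    b"Subject: RE: Invoice overdue\r\nDate: Tue, 04 Mar 2025 10:15:30 +0000\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><!-- CEO approval reply goes here --><p>Approved.</p>"
    b"<!-- quoted vendor message --><blockquote>Please pay.</blockquote></body></html>\r\n"
    b"--b1\r\nContent-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\n1 0 obj\n<< /Creator (Mozilla/5.0 HeadlessChrome/120.0.0.0)"
    b" /CreationDate (D:20250304101512+00'00') >>\nendobj\n%%EOF\r\n--b1--\r\n"
)

def pdf_created(data):
    """Parse /CreationDate (D:YYYYMMDDHHmmSS+HH'mm'); no offset is treated as UTC."""
    m = re.search(rb"/CreationDate\s*\(D:(\d{14})(?:([+-])(\d{2})'?(\d{2})?)?", data)
    if not m:
        return None
    sign = -1 if m.group(2) == b"-" else 1
    off = timedelta(hours=int(m.group(3) or 0), minutes=int(m.group(4) or 0)) * sign
    return datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S").replace(tzinfo=timezone(off))

def analyze(raw, max_gap=timedelta(minutes=5)):
    """Return the three automation indicators for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
    out = {"html_comments": [], "headless_pdf": False, "pdf_fresh": False}
    for part in msg.walk():
        data = b"" if part.is_multipart() else part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/html":
            html = data.decode(part.get_content_charset() or "utf-8", "replace")
            found = (c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S))
            # Skip Outlook conditional comments, which legitimate mail also carries.
            out["html_comments"] += [c for c in found if not c.startswith("[if")]
        elif part.get_content_type() == "application/pdf":
            out["headless_pdf"] |= any(m in data for m in HEADLESS_MARKERS)
            made = pdf_created(data)
            out["pdf_fresh"] |= bool(made and timedelta(0) <= sent - made <= max_gap)
    return out
```

Each indicator is weak on its own, since legitimate invoicing systems also render PDFs at send time; treat the output as input to review of payment requests rather than as a verdict. PDFs that store metadata in compressed object streams need a real PDF parser instead of the byte-level regex used here.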
Dimakatso Makinta