Outsmarting Shadows in the Inbox: a Cautionary Tale of Digital Deception

Author - Carlos Mejia-Hernandez | Senior Digital Forensic Analyst

In the world of cyber threats, an organisation recently encountered a compelling case that unfolded within the confines of its everyday email communications. This case study sheds light on a deceitful cyber-attack, wherein an email, posing as a trusted client, became a cybercriminal's key to infiltrate the organisation's digital infrastructure. 

The Deception: Spot the Difference 

The deception was simple yet effective. Attackers registered a counterfeit email address mimicking the firm's official correspondence channel. The difference was just one letter off: they subtly altered to This minute alteration slipped under the radar of the recipient and into the trust zone of employees and clients.
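As an added illustration of the one-letter lookalike described above (this is example code, not part of the original case study), the following Python flags From: headers whose sender domain sits within one edit of a trusted domain; the trusted domain list and the sample headers are constructed for the example.

```python
import re

# Constructed, hypothetical list of domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = ("acme-legal.com", "northbank.co.uk")

def edit_distance(a, b):
    """Optimal string alignment distance: substitutions, insertions, deletions
    and adjacent transpositions each cost 1, so a one-letter lookalike scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain that `domain` imitates, or None (exact matches are legitimate)."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None

# Greedy ".*@" lands on the last "@", so display names and angle brackets are skipped.
FROM_RE = re.compile(r"^From:.*@([a-z0-9.-]+)", re.IGNORECASE)

def scan_headers(header_lines):
    """Return (sender_domain, imitated_domain) pairs for suspicious From: headers."""
    hits = []
    for line in header_lines:
        m = FROM_RE.match(line)
        if m and (target := lookalike_of(m.group(1))):
            hits.append((m.group(1).lower(), target))
    return hits

# Constructed sample headers: genuine, l->1 substitution, hb transposition, unrelated domain.
SAMPLE_HEADERS = [
    "From: Jane Doe <jane@acme-legal.com>",
    "From: Jane Doe <jane@acme-lega1.com>",
    "From: Accounts <ap@nortbhank.co.uk>",
    "From: newsletter@unrelated.example",
]

if __name__ == "__main__":
    print(scan_headers(SAMPLE_HEADERS))
```

A threshold of one edit catches the case in this post; raising it widens coverage at the cost of more false positives on genuinely similar domains.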

The Bait: A Convincing Proposition 

The bait came in the form of a message about a new client requiring urgent attention, complete with a link to download relevant documents. An unsuspecting click led to a download page that perfectly mimicked a reputable document-sharing platform, where a contract download awaited.

The Payload: A Hidden Threat 

The downloaded .zip file, under the guise of routine documents, hid an .msi installer. Once executed, it silently installed a surveillance tool on the user's system, opening a gateway for data extraction and unauthorised control.

The Proliferation: A Widening Web 

With one system compromised, the attackers widened their web. They used the hijacked email account to distribute the malicious executable further, ensnaring more within the organisation and its client base.

The Exploit: Financial Deception

Figure 1. Payload

The attackers then played their financial hand. They sent modified invoices from the compromised account, redirecting financial flows into their coffers. Significant financial transactions were erroneously completed before the act was discovered.

The Discovery and Response: A DFIR Operation 

When the breach came to light, the DFIR team at Forensic IT took swift and methodical action. Harnessing the comprehensive logging features of Google Workspace, the team meticulously charted the attack's anatomy and contained the breach.

Lessons to be learned: Empowerment Through Vigilance 

• Inspect with Precision: Encourage your team to scrutinise every email for irregularities in addresses and unexpected requests.

• Implement Strong Safeguards: Deploy sophisticated email security solutions that can detect and neutralise the most convincing forgeries.

• Cultivate a Security-First Mindset: Build a culture that promotes curiosity and critical thinking, where anomalies are seen as opportunities to strengthen security.

This case study emphasises the vital importance of strengthening digital defences against evolving threats. It's a reminder that no organisation is immune to dangers hidden within everyday email exchanges. By fostering a culture of vigilance and equipping our teams with the tools and knowledge to identify and mitigate risks, we empower ourselves to navigate the digital landscape confidently.

If you seek guidance in fortifying your organisation's defences, please don't hesitate to contact us. We're here to support you every step of the way.