Past Due Invoice, Future Wire Fraud: How a BEC Campaign Passed Every Authentication Check
ID: 75eed9bf-59ab-5e51-be2d-e825f19ceb35
STIX ID: report--75eed9bf-59ab-5e51-be2d-e825f19ceb35
Feed Name: IRONSCALES
A mid-size technology services firm was targeted by a Business Email Compromise (BEC) invoice diversion campaign that used display-name spoofing and SendGrid's authenticated infrastructure to deliver seemingly legitimate “Past due invoice.” messages. The attacker used a recently registered Reply-To domain and an attacker-controlled payment address to capture replies and redirect payments; VERP bounce tracking was used for recipient reconnaissance. Three mailboxes received the message, which IRONSCALES' behavioral detection quarantined before any payment occurred. The report includes IOCs (sender, reply-to, payment address, sending IP), MITRE mappings, and recommendations emphasizing behavioral detection beyond SPF/DKIM/DMARC.
