logo

A Compromised Vendor Account Sent an ACH Redirect With a Fabricated Closure Deadline and Mismatched Phone Numbers

ID: de04084f-fcb8-5876-ba5b-6aa7b422886f

STIX ID: report--de04084f-fcb8-5876-ba5b-6aa7b422886f

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: [email protected] (Audian Paxson)

...
...

An attacker leveraged a long-established vendor email account (relayed via a third-party signature service) to send a fraudulent ACH banking-change request that fabricated a same-day deadline to pressure an accounts-payable contact. The message passed SPF/DMARC and appeared legitimate, but contained two signature blocks with phone numbers differing by one digit and was relayed through CodeTwo (relay IP 91.220.146.21); these artifacts, along with the lack of invoice context, indicate a vendor ACH redirect BEC attack and support defenses like verified out-of-band callbacks and content checks for duplicate signature mismatches.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.