A Compromised Vendor Account Sent an ACH Redirect With a Fabricated Closure Deadline and Mismatched Phone Numbers
ID: de04084f-fcb8-5876-ba5b-6aa7b422886f
STIX ID: report--de04084f-fcb8-5876-ba5b-6aa7b422886f
Feed Name: IRONSCALES
An attacker leveraged a long-established vendor email account (relayed via a third-party signature service) to send a fraudulent ACH banking-change request that fabricated a same-day deadline to pressure an accounts-payable contact. The message passed SPF/DMARC and appeared legitimate, but contained two signature blocks with phone numbers differing by one digit and was relayed through CodeTwo (relay IP 91.220.146.21); these artifacts, along with the lack of invoice context, indicate a vendor ACH redirect BEC attack and support defenses like verified out-of-band callbacks and content checks for duplicate signature mismatches.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
