Thread Hijacked: Breaking Down a Real Vendor Email Compromise Attack
What makes an employee willingly provide banking details to a cybercriminal? The answer isn't ignorance or carelessness—it's the dangerous convergence of human psychology, sophisticated social engineering, and increasingly accessible AI tools that are transforming how threat actors operate.
Today's vendor email compromise (VEC) attacks exploit fundamental aspects of how we work, communicate, and build trust with business partners. This psychological manipulation, combined with the inherent complexity of modern supply chains and the financial urgency often associated with vendor communications, creates a perfect storm of vulnerability.
In our recent analysis of employee behavior across 1,400+ organizations, we uncovered a sobering reality: VEC attacks achieve engagement rates as high as 72% among the largest enterprises. But raw statistics only tell part of the story.
Below, we break down a real-world attack in which a threat actor successfully engaged with an employee. This case study reveals not just how these attacks succeed, but why traditional security awareness training falls short against modern, socially engineered threats.
Note: The attack below was observed during a risk assessment in which the company had implemented Abnormal Email Security in passive, read-only mode, which means the Abnormal platform was integrated with the organization’s mail client but not actively blocking attacks. This is why the target was able to temporarily engage with the attacker.
Case Study in Compromise: Inside a Vendor Impersonation Attack
Though awareness of modern attack tactics is growing, many professionals still operate under the assumption that today’s email threats are just as poorly worded or obviously malicious as those from ten years ago. But today’s cybercriminals continually improve their strategies and launch attacks that not only bypass legacy security tools but also trigger no alarm bells for the average employee, as these messages appear indistinguishable from real communications.
In the example below, the attacker poses as an employee at a construction equipment rental company, hijacks an existing thread with a partner, and attempts to divert future invoice payments.
The first email in a thread was a legitimate message from “T.B.,” a project manager at the equipment rental organization, to “L.W.,” an employee at a contracting services company, regarding an invoice for services rendered.

Three weeks after this email was sent, the bad actor hijacked the thread using a lookalike domain, which was registered about a week and a half earlier and differs by only one letter from the real domain—a nearly imperceptible change. For privacy purposes, all identifying information has been censored, but a comparable example would be if the real domain were missionus.com and the attacker’s email address was hosted on misionus.com.
Posing as “J.B.,” an accounts receivable specialist at the construction equipment rental company, the perpetrator contacted L.W. regarding an update to the organization’s payment processes. To increase the appearance of legitimacy, the threat actor copied and pasted the text of a fake email into the thread, making it seem as if they were following up on a previous message.

The fabricated message claimed that due to an ongoing account reconciliation audit, the company’s operating account had become inactive, and they were transitioning to electronic payments. The cybercriminal requested acknowledgment of the message so they could send new banking details. (As a note, had the customer not been in read-only mode, this is the point at which Abnormal would have remediated the message.)
The email contained no malicious links or attachments and had only minor grammar and punctuation issues. The attacker also used the impersonated employee’s real email signature with the company’s contact information and replaced T.B.’s address with a lookalike version hosted on the same maliciously registered domain.
Simply put, to most employees, the email would raise zero red flags, which is likely why L.W. replied to the threat actor and even added two colleagues to the thread to assist with the request.

Shortly after the target replied, the cybercriminal emailed again, this time posing as the project manager, T.B. To manufacture a sense of urgency, the bad actor claimed that the contracting services company had multiple outstanding invoices that were more than two months overdue.

L.W. once more responded and confirmed that as soon as the updated bank account information was provided, payment would be initiated.

At this point, Abnormal stepped in to prevent the attack from moving forward, despite being in passive-only mode.
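One way a defender can automate the check that the case study turns on (a reply arriving from a domain one letter away from the vendor's real domain, with the impersonated employee's signature address rewritten to the same lookalike) is to audit a thread in order and compare every later sender and in-body address against the domains already established in it. This is an added example, not code from the original post or Abnormal's own detection logic; the thread contents and the missionus.com / misionus.com pair are constructed to follow the post's illustration.

```python
import re

# Any email address; group 1 captures its domain part.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address like 'T.B. <t.b@missionus.com>'."""
    m = EMAIL_RE.search(addr)
    return m.group(1).lower() if m else ""


def audit_thread(messages, max_edits=1):
    """Walk a thread in order. Domains of unflagged senders form the trusted set;
    a later sender domain, or an address embedded in a body (e.g. a copied
    signature), within max_edits of a trusted domain but not equal to it is
    reported as (message index, lookalike domain, trusted domain)."""
    trusted, findings = set(), []
    for idx, msg in enumerate(messages):
        sender = domain_of(msg["from"])
        seen = {sender} | {d.lower() for d in EMAIL_RE.findall(msg["body"])}
        hits = [(idx, d, t) for d in sorted(seen) for t in sorted(trusted)
                if d and d not in trusted and levenshtein(d, t) <= max_edits]
        findings.extend(hits)
        if not hits and sender:
            trusted.add(sender)  # only unflagged senders extend trust
    return findings


# Constructed two-message thread mirroring the case study: a real invoice
# email from the vendor domain, then a hijack reply from a one-letter variant.
THREAD = [
    {"from": "T.B. <t.b@missionus.com>",
     "body": "Hi L.W., attached is the invoice for services rendered.\n"
             "T.B. | Project Manager | t.b@missionus.com"},
    {"from": "J.B. <j.b@misionus.com>",
     "body": "Our operating account is inactive during an audit; please "
             "acknowledge so we can send new banking details.\n"
             "J.B. | Accounts Receivable | j.b@misionus.com\n"
             "T.B. | Project Manager | t.b@misionus.com"},
]
```

Running `audit_thread(THREAD)` reports message 1 because misionus.com is one edit from the missionus.com established by the legitimate first message; a reply from an unrelated domain, such as the contractor's own, is not flagged and simply joins the trusted set.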
Why VEC Works: The Psychology Behind the Attacks
While all text-based advanced email attacks are insidious and deceptive, vendor email compromise leverages several unique psychological and operational vulnerabilities that make it especially difficult to detect.
First is the inherent financial nature of the vendor-customer dynamic and the fact that billing and payments are routinely discussed via email. Consequently, malicious messages seemingly from vendors requesting changes to banking information or large fund transfers may not be immediately flagged as suspicious.
Further, the scale of some supply chains makes it nearly impossible for employees to be well-versed in every vendor's operations. Therefore, they simply don't have the context to recognize when a request is out of the ordinary. Even when the target is knowledgeable about the standard processes and which parties are usually involved, there is no guarantee that they will discern that something is amiss.
Cybercriminals who engage in VEC will monitor ongoing correspondence, learn typical patterns and behaviors, and patiently wait until the ideal time to strike. Often, they will download older invoices or statements and alter only the bank account information, leaving the modified documents essentially indistinguishable from the originals.
Threat actors will also use spoofed sender addresses or lookalike domains to increase the appearance of authenticity. Some even leverage actual compromised vendor accounts, frequently hijacking existing email threads to carry out the attack. The emails, originating from a legitimate account with no history of suspicious behavior, bypass signature-based security tools and land in the inboxes of employees who have no reason to believe the message is malicious.
The Role of AI in Amplifying Vendor Email Compromise
VEC occurs at a lower rate than other threats, like phishing, for several reasons. Chief among them is that attackers tend to choose the path of least resistance, and vendor email compromise, though lucrative, is a high-effort attack type. That being said, with the added capabilities of weaponized AI, even low-skill cybercriminals are increasingly able to execute these sophisticated, socially engineered attacks.
With AI-powered tools, attackers can generate remarkably believable messages that mirror real vendor communications, complete with realistic language, formatting, and urgency cues. In a tight job market, with economic uncertainty and persistent layoff concerns, employees may rush to resolve an apparent oversight—like a missing payment—without verifying the request. AI further amplifies this risk by helping bad actors make fraudulent invoices and follow-up messages more persuasive, increasing the likelihood of success.
From Reactive Training to Proactive Protection
As AI tools become more accessible and threat actors continue refining their social engineering techniques, the line between legitimate vendor communications and malicious impersonation will only blur further. Organizations cannot afford to rely on employees as the last line of defense against threats designed specifically to exploit human psychology and workplace behaviors.
The human element—our natural inclination to be helpful, respond quickly, and trust established relationships—will always remain a vulnerability that attackers can leverage. Thus, the path forward requires a fundamental shift in how we approach email security.
Rather than expecting employees to distinguish between increasingly sophisticated attacks and legitimate communications, we must implement AI-driven solutions that can detect the subtle behavioral anomalies and contextual inconsistencies that humans cannot reliably identify.
The future of VEC defense isn't about making employees perfect at spotting attacks; it's about building systems that make such precision unnecessary.
For even more insights into vendor email compromise, download our report, Read, Replied, Compromised: Data Reveals 44% Engagement Rate with VEC Attacks.