One of our German clients was recently informed by an administrator from another company that invoice emails containing malware were being sent using our client’s email templates.

Upon initial investigation, it was discovered that the customer and invoice numbers in the malicious emails belonged to a legitimate customer of our client. This indicates that the threat actor likely obtained an original email through the compromise of a customer’s email account and used its content to launch their malicious campaign.

The reporting administrator provided us with the entire email, including the malicious attachment, for further analysis.

With the complete message and its attachment in hand, we were able to thoroughly investigate and uncover the infection chain.