One of our clients recently received an email claiming that an unpaid invoice required immediate action. The attachment was a RAR archive, an immediate red flag, especially since the recipients were undisclosed. Understandably, our client reached out to us to verify the legitimacy of the message.
On inspection it was clearly a phishing attempt. What caught our attention, however, was that it had bypassed the client's mail filters. This warranted a deeper look into the attack chain and the threat actor's tactics.
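The two red flags named above (an archive attachment combined with an undisclosed recipient list) are easy to turn into a triage rule that a mail gateway or a SOC script can apply before a human looks at the message. The following is an added example written for this post, not code from the original article or from the client's mail filter; the sample messages, sender addresses and file names are constructed, and the archive-extension list is an assumption you would tune to your own environment.

```python
"""Triage heuristic: flag messages that carry an archive attachment (RAR, ZIP, ...)
while the visible recipient list is undisclosed.  Added example; the sample
messages below are constructed and do not come from the incident described."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed list of archive types worth flagging; extend for your environment.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img")


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the file names of all attachment parts in the message."""
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def recipients_undisclosed(msg: EmailMessage) -> bool:
    """True when the To header is missing, is an empty group such as
    'undisclosed-recipients:;', or contains no real address."""
    to_header = msg.get("To")
    if not to_header:
        return True
    text = str(to_header)
    if "undisclosed" in text.lower():
        return True
    addresses = [addr for _, addr in getaddresses([text])]
    return not any("@" in addr for addr in addresses)


def triage(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and apply the two-signal heuristic."""
    msg = message_from_string(raw_message, policy=policy.default)
    names = attachment_names(msg)
    archives = [n for n in names if n.lower().endswith(ARCHIVE_EXTENSIONS)]
    undisclosed = recipients_undisclosed(msg)
    return {
        "attachments": names,
        "archive_attachments": archives,
        "undisclosed_recipients": undisclosed,
        # Both signals together: hold the message for review.
        "suspicious": bool(archives) and undisclosed,
    }


def build_sample_phish() -> str:
    """Constructed lookalike of the invoice lure: RAR attachment, hidden recipients."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = "Unpaid invoice - immediate action required"
    msg.set_content("Please find the outstanding invoice attached.")
    # First bytes of the RAR signature only; not a real archive.
    msg.add_attachment(b"Rar!\x1a\x07\x00", maintype="application",
                       subtype="vnd.rar", filename="invoice_4711.rar")
    return msg.as_string()


def build_sample_benign() -> str:
    """Constructed ordinary invoice: named recipient, PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@customer.invalid"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Invoice attached as PDF.")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="invoice_4711.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for raw in (build_sample_phish(), build_sample_benign()):
        print(triage(raw))
```

The rule deliberately requires both signals: archive attachments alone are common in legitimate traffic, and an undisclosed recipient list alone is typical of newsletters, so either one by itself would generate more noise than a filter team can review.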
One of our German clients was recently informed by an administrator from another company that invoice emails containing malware were being sent using our client’s email templates.
Our initial investigation showed that the customer and invoice numbers in the malicious emails belonged to a legitimate customer of our client. This indicates that the threat actor most likely obtained an original email by compromising that customer's email account and reused its content to launch the campaign.
The reporting administrator provided us with the complete email, including the malicious attachment, for further analysis.
With it, we were able to investigate thoroughly and uncover the infection chain.