Well not really, but it did get your attention. And someone did try (but failed) to hack us!
Summary
A threat actor miserably failed at an attempt to Business Email Compromise (BEC) Team Invictus. Yes, they targeted us. No, we were never compromised. We played along, tracked them, and uncovered their whole campaign.
Introduction
Recently, our inbox pinged with what looked like a normal customer inquiry. The sender, supposedly from a pharmaceutical company, asked about purchasing our “automated analysis system.” Only one problem: We don’t sell anything called an automated analysis system. We never have.
Still, they wanted product specs, a catalogue, and pricing ASAP. We were confused. We were curious. And we were pretty sure something wasn’t right. So instead of deleting the email? We leaned into it.
While they thought they were reeling us in, we were quietly collecting everything we needed. Behind the scenes, we began extracting technical indicators, mapping their infrastructure, and building a picture of the broader campaign they were running.
The Ask That Sparked the Investigation
This campaign began with a seemingly legitimate inquiry from the US branch of a pharmaceutical company. The email address and employee name were real, and OSINT checks confirmed both the person and the business, although our outreach attempts to them received no response. The request referenced an “automated analysis system,” which we do not offer. We also noticed the use of UK spelling (“catalogue”) despite the sender being US-based, which raised mild suspicion. We replied seeking clarification on their needs.

Their reply to our request for clarification quickly shifted toward payment terms, which is unusual for an initial discussion.

The threat actor then sent “detailed information” via WeTransfer. The detailed information turned out to be an HTML file.


The HTML file redirected to an Adversary-in-the-Middle (AiTM) Microsoft 365 phishing page hosted on: digiusa[.]xyz. Based on the URL structure and credential interception workflow, this matched patterns associated with the EvilProxy framework, as documented by Sekoia.
At this point, it is quite clear that this is a BEC threat actor. BEC is a type of cybercrime where threat actors impersonate a trusted person in a business to trick employees into sending money and/or sensitive information. But we didn’t stop with just a phishing page from this threat actor. Team Invictus has dubbed this threat actor the VendorVandals.

Following the Infrastructure Trail
We expanded from the initial phishing domain using pDNS data and hosting fingerprints, uncovering a broader network of related infrastructure.
Initial domain
- digiusa[.]xyz hosted on 104.145.210[.]76
Domains identified via pivoting on the original IP
- propelladata[.]xyz
- refactusaonline[.]space
Additional IPs with matching hosting provider and HTTP response details
- 202.155.8[.]248
- 104.145.210[.]73
Additional associated domains from those new IPs
- digius[.]space
- naronusaonline[.]space
- naronusa[.]space
The expanded visibility provided us with indicators of a broader, ongoing phishing campaign that likely began as early as 20 October 2025 based on domain registration dates.
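As an added illustration of the pivot logic used in this section (example code, not the authors' tooling), the following Python walks passive-DNS and hosting-fingerprint tables constructed from the indicators listed above. The provider label, the HTTP fingerprint values, the crowded decoy host 203.0.113[.]5 and the domain-count guard are assumptions; in practice the two tables come from your pDNS and internet-scan providers.

```python
"""Infrastructure expansion from one seed domain over pDNS and hosting fingerprints.

Added example, not the authors' tooling.  PDNS and HOST_FP are constructed from
the indicators in this post; the provider label, the HTTP fingerprint values,
the crowded decoy host 203.0.113[.]5 and MAX_DOMAINS_PER_IP are assumptions.
"""
from collections import deque

# Constructed passive-DNS table: domain -> set of IPs it resolved to.
PDNS = {
    "digiusa[.]xyz": {"104.145.210[.]76"},
    "propelladata[.]xyz": {"104.145.210[.]76"},
    "refactusaonline[.]space": {"104.145.210[.]76"},
    "digius[.]space": {"202.155.8[.]248"},
    "naronusaonline[.]space": {"104.145.210[.]73"},
    "naronusa[.]space": {"104.145.210[.]73"},
}
# Decoy (constructed): a shared host on the same provider with the same HTTP
# fingerprint, but serving dozens of unrelated tenants.  Pivoting through it
# would drag unrelated domains into the campaign set.
for _i in range(60):
    PDNS[f"tenant{_i}[.]example"] = {"203.0.113[.]5"}

# Constructed hosting fingerprint per IP: (hosting provider, HTTP response fingerprint).
HOST_FP = {
    "104.145.210[.]76": ("provider-A", "http-fp-1"),
    "104.145.210[.]73": ("provider-A", "http-fp-1"),
    "202.155.8[.]248": ("provider-A", "http-fp-1"),
    "203.0.113[.]5": ("provider-A", "http-fp-1"),
}

# Assumption: an IP hosting more domains than this is treated as shared hosting
# and is never used as a pivot (it is still recorded if a seed resolves to it).
MAX_DOMAINS_PER_IP = 25


def domains_on(ip, pdns):
    """All domains that resolved to `ip` in the pDNS table."""
    return {d for d, ips in pdns.items() if ip in ips}


def expand(seed, pdns, host_fp, max_domains=MAX_DOMAINS_PER_IP):
    """Breadth-first expansion: domain -> IPs -> co-hosted domains and
    fingerprint-matched IPs -> ... until no new node qualifies.
    Returns (domains, ips) as sorted lists."""
    domains, ips = {seed}, set()
    queue = deque([("domain", seed)])
    while queue:
        kind, node = queue.popleft()
        if kind == "domain":
            for ip in pdns.get(node, ()):
                if ip not in ips:
                    ips.add(ip)
                    queue.append(("ip", ip))
            continue
        hosted = domains_on(node, pdns)
        # Pivot 1: other domains on this IP, unless the host is crowded.
        if len(hosted) <= max_domains:
            for d in hosted - domains:
                domains.add(d)
                queue.append(("domain", d))
        # Pivot 2: other IPs with the same provider and HTTP fingerprint,
        # again skipping crowded hosts.
        fp = host_fp.get(node)
        for ip, other_fp in host_fp.items():
            if fp and other_fp == fp and ip not in ips \
                    and len(domains_on(ip, pdns)) <= max_domains:
                ips.add(ip)
                queue.append(("ip", ip))
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    found_domains, found_ips = expand("digiusa[.]xyz", PDNS, HOST_FP)
    print("domains:", found_domains)
    print("ips:", found_ips)
```

Starting from digiusa[.]xyz, the walk recovers the six domains and three IPs listed above and stops at the decoy host, because a fingerprint match alone is not enough when the host is clearly shared. Each pivot type is a separate, reviewable step, which is how you keep an infrastructure graph from growing beyond what the evidence supports.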

The Playbook Behind the Emails
Further pivots showed other phishing lures that consistently impersonated legitimate procurement workflows. Subject lines and filenames referenced requirements, technical specifications, or vendor onboarding, positioning the attacker as a buyer conducting standard sourcing activity.
Observed examples included:
- “Victim Name” + “Requirements”
- “Victim Name” + “Requirements” + “Target Name”
- “Project_Procurement_Requirements_Specifications”
- “Technical Specifications and Vendor Registration Form”
This procurement-driven social engineering aligns with broader trends we have observed in financially motivated BEC, where the threat actor's aim is to gain initial access to a high-trust mailbox in order to enable fraud downstream. The goal is often to reach as many targets as possible in each victim's address book to increase the chances of financial gain.
Analysis of the emails we received shows that the flow of communication was structured. The language itself is unlikely to be LLM-generated: the message we received contained phrases such as “hope this message meets you well” and “We now await your quotation”, which are unusual both for LLM output and for Western native speakers. Instead, the interaction felt scripted from a playbook. The phrasing further suggests the threat actor, or the author of the playbook, is a non-native English speaker using a standardized script, most consistent with South Asian or West African business English conventions.
The script showed enough professionalism to maintain surface-level credibility, but it lacked the relationship-building and context that typically accompany legitimate procurement conversations. Rather than establishing trust, the actor relied entirely on the credibility of a compromised but legitimate email inbox. This minimal investment in rapport, paired with repetitive, templated phrasing, reinforces that this is a high-volume, opportunistic campaign.
Another notable aspect was the use of WeTransfer to deliver the phishing page. This is not an original technique for BEC threat actors, as we’ve talked about this previously in another case from earlier in the year. The reliance on WeTransfer likely helps evade common email security scanners, increasing the likelihood of engagement with the phishing page. Overall, the threat actor’s goal appears to be rapid credential harvesting rather than targeted social engineering, aligning with the behavior of a relatively unsophisticated BEC threat actor attempting to operate at scale.
Industries in the Crosshairs
Based on additional phishing lures found via pivoting on the infrastructure, we extracted the domains being targeted. These domains provided us with a window into just how widespread and opportunistic this campaign is.
Prevention & Detection
Every attempted attack is an opportunity to learn and to protect others. To prevent AiTM attacks, whether from BEC threat actors or anyone else, it is important to implement controls that strengthen authentication and limit the threat actor's ability to use a stolen session.
Here are some important prevention measures:
Use Conditional Access
- Require MFA for risky sign-ins (new device, location, or sensitive action)
- Allow access only from compliant, managed devices
- Enforce phishing-resistant MFA wherever possible
- Restrict authentication tokens to the device where they were issued (preview feature)
On the detection side, you can leverage message trace information or email protection tools:
- Search for files being shared via services such as WeTransfer or Dropbox.
- Search for HTML files or attachments, since most legitimate sharing involves file types such as PDF or XLSX.
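The two detection ideas above, combined with the procurement-themed subject lines listed under “The Playbook Behind the Emails”, can be run as one triage pass over a message trace export. The following Python is an added example, not the authors' tooling: the records are constructed to resemble this post's lure plus benign traffic, and the field names, the list of sharing services and the scoring weights are assumptions you would adapt to your own mail flow.

```python
"""Triage mail-trace records for the lure traits described on this page.

Added example, not the authors' tooling.  SAMPLE_TRACE is constructed; the
record fields, SHARING_DOMAINS and the reason weights are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Consumer file-sharing services used to hand off the phishing page.  Assumption:
# extend this to any service your organisation does not use legitimately.
SHARING_DOMAINS = ("wetransfer.com", "we.tl", "dropbox.com", "dropboxusercontent.com")
# Attachment types that are rarely a legitimate way to share procurement documents.
HTML_EXTENSIONS = (".html", ".htm", ".shtml")
# Subject-line terms taken from the procurement lures listed in this post.
LURE_TERMS = ("requirements", "technical specifications", "vendor registration",
              "procurement")


@dataclass(frozen=True)
class MailRecord:
    message_id: str
    sender: str
    subject: str
    attachments: tuple   # attachment file names
    urls: tuple          # URLs extracted from the message body


def _host_matches(url, domains):
    """True when the URL's host is one of `domains` or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(record):
    """Return the (reason, weight) pairs that apply to one record."""
    reasons = []
    sharing = [u for u in record.urls if _host_matches(u, SHARING_DOMAINS)]
    if sharing:
        reasons.append(("file-sharing link: " + ", ".join(sharing), 1))
    html = [a for a in record.attachments if a.lower().endswith(HTML_EXTENSIONS)]
    if html:
        reasons.append(("HTML attachment: " + ", ".join(html), 2))
    subject = record.subject.lower()
    terms = [t for t in LURE_TERMS if t in subject]
    if terms:
        reasons.append(("procurement lure subject: " + ", ".join(terms), 1))
    return reasons


def triage_trace(records, threshold=2):
    """Map message_id -> reasons for every record whose summed weight reaches
    `threshold`.  The default threshold is an assumption; a lone sharing link
    is common in legitimate mail, so it only scores on its own at threshold 1."""
    hits = {}
    for record in records:
        reasons = triage(record)
        if sum(weight for _, weight in reasons) >= threshold:
            hits[record.message_id] = [reason for reason, _ in reasons]
    return hits


# Constructed sample trace: m1 and m2 are modelled on the lure described in this
# post, m3 and m4 are benign traffic (m4 carries a legitimate Dropbox link).
SAMPLE_TRACE = (
    MailRecord("m1", "buyer@pharma-branch.example", "Invictus Requirements",
               (), ("https://wetransfer.com/downloads/1a2b3c",)),
    MailRecord("m2", "buyer@pharma-branch.example",
               "Technical Specifications and Vendor Registration Form",
               ("Detailed_Information.html",), ()),
    MailRecord("m3", "accounts@supplier.example", "Invoice 4412",
               ("invoice_4412.pdf",), ("https://portal.supplier.example/invoices",)),
    MailRecord("m4", "colleague@invictus.example", "Quarterly report draft",
               (), ("https://www.dropbox.com/s/xyz/report.docx",)),
)

if __name__ == "__main__":
    for message_id, reasons in triage_trace(SAMPLE_TRACE).items():
        print(message_id, reasons)
```

With the default threshold, m1 (sharing link plus a “Requirements” subject) and m2 (HTML attachment plus lure subject) are flagged, m3 is clean, and the internal Dropbox link in m4 only surfaces if you lower the threshold to 1. Real message trace exports rarely include body URLs, so the `urls` field usually has to come from your mail gateway or a URL-rewriting log rather than from the trace itself.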
Indicators of Compromise (IOCs)
We have also uploaded these IOCs into a repository on our GitHub. We track this activity as VendorVandals (BEC-UNK-0014), a low-maturity business email compromise threat actor with currently unknown origins.
How can we help?
BEC isn’t going anywhere any time soon, but neither are we. We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!
🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7