Mimecast has uncovered a large-scale business email compromise (BEC) invoice fraud campaign targeting global organisations across multiple industries using urgent payment requests to exploit time-sensitive business processes.
The attackers deploy sophisticated automation, including AI-generated email content, programmatic file creation, and headless browser technology that generates PDF invoices immediately before distribution. The campaign also employs advanced deception techniques, combining fake email threads with fabricated CEO confirmations and automated HTML construction to establish false legitimacy.
“This campaign represents a significant evolution in BEC tactics, combining traditional social engineering with advanced automation using Artificial Intelligence to create convincing fabricated conversations between executives and external service providers,” says Mimecast threat research engineer, Hiwot Mendahun. “The threat actors construct fake email chains that appear to show legitimate business correspondence, with each thread carefully crafted to include CEO or senior executive approval for urgent invoice payments. The campaigns demonstrate clear signs of automation – from AI-generated email content to programmatically created PDF attachments that are generated using headless browser technology immediately before email transmission.”
Technical analysis of the campaign reveals several indicators of automated deployment.
Linguistic and structural analysis of the email body revealed characteristics – such as highly fluent language, coherent context, and lack of typical grammatical errors – that are strongly indicative of content generated by a Large Language Model (LLM) rather than crafted manually.
The email HTML contains several embedded comments which illustrate what should go in each section of the email.
Additionally, some campaigns use non-standard formatting elements such as <wbr /> tags and manually inserted visual dividers, which indicates systematic generation rather than authentic email forwarding.
The fake email threads typically follow a predictable pattern: an initial invoice from a purported vendor, followed by executive confirmation, and concluding with urgent payment instructions.
Common subject lines include “Invoice for Ad Spend,” “INV #[numbers],” and “Final Reminder Your Payment,” designed to create urgency and legitimacy. The campaigns impersonate well-known brands and services, with examples including LinkedIn, various consulting firms, and advertising platforms. Each fabricated thread is customised to the target organisation, incorporating actual employee names and business contexts to enhance credibility.
File analysis
The PDF attachments show consistency in their metadata, all created using identical technical specifications: Mozilla/5.0 HeadlessChrome/138.0.0.0 as the creator and Skia/PDF m138 as the producer. File creation timestamps reveal the invoices are generated just moments before the email is sent, and identical file sizes across different campaigns point to automated template processing.
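The metadata pattern described above lends itself to a simple mail-gateway check: read the PDF /Info dictionary, look for the headless-Chrome creator and Skia producer strings, and compare the creation timestamp with the message's Date header. The following is an added example written for this article, not Mimecast's own tooling; the PDF bytes and the Date header are constructed to mirror the values the article describes, and the 15-minute window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample: the /Info dictionary of a minimal PDF carrying the
# creator/producer strings the article reports (not a real attachment).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Creator (Mozilla/5.0 HeadlessChrome/138.0.0.0) "
    b"/Producer (Skia/PDF m138) "
    b"/CreationDate (D:20250714091258+00'00') >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)
# Constructed Date header of the message carrying the attachment (64 s later).
SAMPLE_DATE_HEADER = "Mon, 14 Jul 2025 09:14:02 +0000"

_FIELD = re.compile(rb"/(Creator|Producer|CreationDate)\s*\(([^)]*)\)")
# PDF date syntax: D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'
_PDF_DATE = re.compile(r"D:(\d{14})(?:([Z+\-])(\d{2})?'?(\d{2})?)?")

def pdf_info(data: bytes) -> dict:
    """Extract the Creator, Producer and CreationDate strings from the /Info dict."""
    return {k.decode(): v.decode("latin-1") for k, v in _FIELD.findall(data)}

def parse_pdf_date(value: str) -> Optional[datetime]:
    """Convert a PDF date string to an aware datetime; None if it does not parse."""
    m = _PDF_DATE.match(value)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    sign, hh, mm = m.group(2), m.group(3), m.group(4)
    if sign in ("+", "-"):
        offset = timedelta(hours=int(hh or 0), minutes=int(mm or 0))
        return stamp.replace(tzinfo=timezone(offset if sign == "+" else -offset))
    return stamp.replace(tzinfo=timezone.utc)  # 'Z' or no zone: treat as UTC

def headless_invoice_indicators(pdf: bytes, date_header: str,
                                window_minutes: int = 15) -> list:
    """Return the indicators matching the article's description of the attachments."""
    info, flags = pdf_info(pdf), []
    if "HeadlessChrome" in info.get("Creator", ""):
        flags.append("creator:headless-chrome")
    if info.get("Producer", "").startswith("Skia/PDF"):
        flags.append("producer:skia-pdf")
    created = parse_pdf_date(info.get("CreationDate", ""))
    if created is not None:
        age = parsedate_to_datetime(date_header) - created
        if timedelta(0) <= age <= timedelta(minutes=window_minutes):
            flags.append(f"created-{int(age.total_seconds())}s-before-send")
    return flags
```

A single hit is weak evidence (plenty of legitimate tooling prints via headless Chrome), so a gateway rule would normally require the creator, producer and just-in-time creation flags together before raising the message for review.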
Impersonated entities so far:
Based on related campaigns, Mendahun says the Mimecast Threat Research team saw two levels of payment requests: one where a general professional type of service is provided and where the payment requested is generally lower – around $4 850 to $10 000; however, in the campaigns which impersonated well-known brands there were significantly higher requests: LinkedIn – $12 000 to $80 000; ZoomInfo – $50 000 to $90 000; and Proforma – $50 000 plus.