SE-BEC-INVOICEImpact

Business Email Compromise — Invoice Fraud

Take over a CFO/AP mailbox or spoof a vendor domain; alter a pending invoice's wire-transfer details — funds redirect to attacker.

§ Where this technique fits

SE-BEC-INVOICE is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 6 on average.

§ Dossiers chaining this technique

Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
step 5 / 6
Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
step 7 / 7

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Compromised CFO mailbox → invoice fraud → wire fraud

Permissive SPF / DMARC p=none → CEO impersonation BEC

§ What commonly comes next