Compromised CFO mailbox → invoice fraud → wire fraud

§ Context

Assumed environment: a senior finance user already compromised via AITM / device-code phishing. The org regularly processes wire-transfer invoices via email. No out-of-band callback to verify wire changes.

§ Steps

1. 01
   AP processes the fraudulent transferInitial Access

   T1078— Valid Accounts
2. 02
   Wait for pending vendor invoiceInitial Access

   T1078— Valid Accounts
3. 03
   Session cookie replay → mailboxCredential Access

   T1539— Steal Web Session Cookie
4. 04
   Set hidden inbox rule (move to RSS)Collection

   M365-MAILBOX-FORWARD— Mailbox Forwarding Rule
5. 05
   AITM phishing of CFOInitial Access

   PH-AITM-EVILGINX— AITM Phishing — Evilginx / Modlishka
6. 06
   Edit wire details, resend from CFO mailboxImpact

   SE-BEC-INVOICE— Business Email Compromise — Invoice Fraud

§ References

• T1078Valid Accounts
• T1539Steal Web Session Cookie

§ Frequently asked

What is the "Compromised CFO mailbox → invoice fraud → wire fraud" attack path?

AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is AP processes the fraudulent transfer (T1078) — a initial access primitive. Assumed environment: a senior finance user already compromised via AITM / device-code phishing.

What is the final impact of this kill-chain?

The final step lands on Edit wire details, resend from CFO mailbox (SE-BEC-INVOICE), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques4

  AITM phishing (Evilginx) → M365 session theft → mailbox exfil

  Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.

• Shared techniques3

  FIDO2 caBLE hybrid → phone authenticator hijack

  Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.

• Shared techniques3

  Browser-in-the-Browser → credential theft on a trusted page

  Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.

• Shared techniques2

  Subdomain takeover → ACME DNS-01 → trusted cert for victim host

  Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. Now have a publicly-trusted cert for victim.example.com — chain into AITM.

• Shared techniques2

  5G core GTP-U user-plane injection → subscriber MITM

  Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.