ANATOMY OF A $47,000 PHISHING ATTACK YOUR SPAM FILTER WOULD MISS

By Ṣọ | Email Security | 2 min read

84.2% of phishing emails pass DMARC authentication. Here's exactly how business email compromise attacks unfold and why traditional filters miss them.

Tags: email security, phishing, BEC, DMARC, spam filters, cybersecurity

Here's something that should keep you up at night: 84.2% of phishing emails pass DMARC authentication, according to Egress's 2024 Phishing Threat Trends Report.

That statistic explains why business email compromise keeps working. Let me break down exactly how these attacks unfold and why traditional filters miss them.

The typical target

Small to mid-sized firms with regular vendor relationships. Attackers look for predictable payment patterns: monthly retainers, recurring invoices, established contractors. They spend days or weeks gathering intelligence through LinkedIn, company websites, and previous breaches.

The person who handles payments becomes the focal point. Not because they're careless, but because they're efficient.

The attack sequence

Step 1: Attackers compromise a vendor's email account, often through a separate phishing campaign targeting someone with weaker security practices.

Step 2: They study the email history. Formatting conventions. Invoice templates. Payment timing. Tone of communication.

Step 3: Using the legitimate vendor account, they send an invoice that matches every previous pattern. One modification: updated banking details, usually with a plausible explanation like "new accounting system" or "switching banks."

Step 4: The recipient reviews the email. DMARC passes. SPF passes. DKIM passes. No warnings appear. Payment gets processed.

Step 5: Days or weeks later, the real vendor calls about an unpaid invoice.

What gets missed

The recipient followed protocol. They verified the sender (legitimate). They confirmed authentication passed (it did). The invoice looked right.

What they couldn't detect without specialized tools: banking details that didn't match historical records, PDF metadata inconsistencies, or the fact that this "updated account" was days old.

What actually stops this

Authentication protocols verify origin, not intent. When attackers use a compromised legitimate account, every traditional check passes.

Detection requires behavioral analysis, historical comparison of financial details, and real-time verification. The question isn't whether the email is authentic. It's whether the request makes sense.
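To make the "historical comparison of financial details" concrete, here is an added Python example (not code from the original post or any product it mentions) of an accounts-payable check that runs after authentication has already passed. It compares an inbound invoice with the vendor's prior payments and holds anything that deviates for out-of-band verification: banking details that match no previous payment, a covering email that explains a banking change, or an amount outside the vendor's usual range. The ledger records, vendor name, invoice fields and phrase list are all constructed for illustration; the age of the receiving account is not modelled because that needs bank-side data an AP system does not hold.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

# Constructed sample ledger standing in for an accounts-payable system.
# The vendor, dates, amounts and (masked) banking details are illustrative.
PAYMENT_HISTORY = {
    "Acme Consulting LLC": [
        {"paid_on": date(2024, 1, 31), "amount": 4200.00, "bank": "021000021", "account": "****4417"},
        {"paid_on": date(2024, 2, 29), "amount": 4200.00, "bank": "021000021", "account": "****4417"},
        {"paid_on": date(2024, 3, 31), "amount": 4200.00, "bank": "021000021", "account": "****4417"},
    ],
}

# Phrases that commonly accompany a request to change payment details.
# A hit is a reason to verify by phone, not proof of fraud.
CHANGE_PHRASES = ("new accounting system", "switching banks", "updated bank details")


@dataclass
class Invoice:
    vendor: str
    amount: float
    bank: str       # routing number printed on the invoice
    account: str    # masked account number printed on the invoice
    body: str       # text of the covering email
    received: date


def review_invoice(inv: Invoice, history=PAYMENT_HISTORY, amount_tolerance=0.25):
    """Compare an inbound invoice against the vendor's payment history.

    Returns (decision, findings). decision is "auto" when the invoice matches
    the established pattern and "verify" when payment should be held until the
    vendor confirms through a channel other than the email thread itself.
    """
    findings = []
    past = history.get(inv.vendor, [])
    if not past:
        # A vendor with no history has no pattern to compare against.
        return "verify", ["no payment history for this vendor"]

    # Banking details must match at least one previously paid set of details.
    known = {(p["bank"], p["account"]) for p in past}
    if (inv.bank, inv.account) not in known:
        findings.append("banking details differ from every previous payment")

    # A plausible-sounding explanation for a change is itself a signal.
    body = inv.body.lower()
    hits = [phrase for phrase in CHANGE_PHRASES if phrase in body]
    if hits:
        findings.append("email explains a banking change: " + ", ".join(hits))

    # Amount outside the vendor's typical range (median, +/- tolerance).
    typical = median(p["amount"] for p in past)
    if abs(inv.amount - typical) > amount_tolerance * typical:
        findings.append(f"amount {inv.amount:.2f} deviates from typical {typical:.2f}")

    return ("verify" if findings else "auto"), findings


def sample_invoices():
    """Constructed invoices: one that matches history, one with changed details."""
    return {
        "legit": Invoice(
            "Acme Consulting LLC", 4200.00, "021000021", "****4417",
            "Please find attached the invoice for March.", date(2024, 4, 30),
        ),
        "changed": Invoice(
            "Acme Consulting LLC", 4200.00, "026009593", "****9921",
            "We have moved to a new accounting system, please use the updated bank details.",
            date(2024, 4, 30),
        ),
        "unknown": Invoice(
            "Nowhere Ltd", 900.00, "011000015", "****0001",
            "Invoice attached.", date(2024, 4, 30),
        ),
    }


if __name__ == "__main__":
    for name, inv in sample_invoices().items():
        decision, findings = review_invoice(inv)
        print(f"{name}: {decision}", *findings, sep="\n  ")
```

The point of the design is that the check never looks at SPF, DKIM or DMARC results at all: every invoice it sees has already passed them. It asks only whether the request is consistent with what this vendor has done before, which is the question the post says the filter cannot answer.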

Your spam filter isn't broken. It's just solving yesterday's problem.