Campaign Pattern
Across Q1 and Q2, incident handlers reported a measurable increase in supplier-thread abuse where attackers inserted malicious payment change requests into active procurement conversations. The key shift is not volume but believability: operators now mirror historical writing tone, timezone signatures, and invoice formatting from the compromised mailbox.
Detection Signals
Security teams that rely primarily on domain and sender reputation controls are missing these messages because they often originate from legitimate infrastructure. Analysts noted that detection is now more dependent on behavioral context, including unusual attachment naming conventions, out-of-band payment routing, and subtle sequence anomalies in conversation flow.
Control Opportunities
Blue teams that added payment workflow controls saw better outcomes than organizations that focused only on message filtering. In several reviewed cases, mandatory secondary verification and account-change hold periods disrupted fraud attempts even when phishing messages initially landed in user inboxes.