CONFIDENTIAL  //  TLP:AMBER  //  Finance & Procurement — Do not forward externally
Incident Response Report  ·  Ficsit Inc. Pioneer Division
VF-001: Vendor Fraud
Homoglyph Domain Attack — Fraudulent invoice for $23,847 delivered via acme-industr1al.com (numeral "1" in place of the second "i" in "industrial") impersonating legitimate supplier Acme Industrial Supplies. Quarantined before inbox delivery.
Report ID
RPT-2026-VF-001
Email Threat ID
THREAT-003
Incident Type
Vendor Fraud — Homoglyph Domain Invoice
Severity
High — Financial Fraud Attempt
Status
Closed — Blocked, No Financial Loss
Fraudulent Invoice
INV-2026-0847
Requested Amount
$23,847 USD
Actual Loss
$0 — Quarantined
Target
l.park@ficsit-pioneer.corp
Impersonated Vendor
Acme Industrial Supplies
Fraudulent Domain
acme-industr1al.com
Legitimate Domain
acme-industrial.com
Section 01
Executive Summary
  $0             Financial loss
  $23,847        Invoice amount
  2 days         Domain age at delivery
  Quarantined    Email disposition
  All FAIL       SPF / DKIM / DMARC
  1              Vendor verification call (Acme Industrial)

On May 26, 2026, Foyl MailGuard quarantined a fraudulent invoice email (THREAT-003) targeting l.park (Procurement Department) at Ficsit Inc. Pioneer Division. The email appeared to originate from Acme Industrial Supplies, a legitimate active supplier of Ficsit, but was sent from a homoglyph domain: acme-industr1al.com, in which the numeral "1" replaces the second "i" of "industrial" (industr-i-al becomes industr-1-al). The domain had been registered just 2 days before the attack and failed all three email authentication checks (SPF, DKIM and DMARC).

The email presented a fraudulent invoice (INV-2026-0847) for $23,847 covering a plausible industrial supply order ("Pioneer Division Equipment Maintenance Q2"). The invoice included altered banking details — routing the payment to the attacker's account rather than the legitimate Acme Industrial bank account on file. The email body directed l.park to process payment within 5 days using the attached invoice PDF.

MailGuard quarantined the email automatically on a combination of signals: homoglyph domain detection, fresh domain registration (2 days old), SPF/DKIM/DMARC triple failure, and an instruction to pay to changed banking details. No financial loss occurred. l.park never saw the email. Vendor verification with Acme Industrial confirmed they did not send this invoice and are now aware their brand is being spoofed.

Key Finding
The attacker registered the homoglyph domain acme-industr1al.com specifically to target Ficsit, indicating prior knowledge of Ficsit's active vendor relationships — specifically their use of Acme Industrial Supplies. This represents either an OSINT operation against Ficsit's public procurement disclosures, or reconnaissance gathered from a prior breach of Ficsit procurement communications.
Section 02
Incident Overview
Incident ID:              VF-001
Email Threat ID:          THREAT-003
Attack Type:              Vendor Fraud via Homoglyph Domain / Invoice Fraud
Severity:                 High; financial fraud attempt, and the attacker held vendor-relationship intelligence
Status:                   Closed; email blocked, no payment made, vendor notified
Fraudulent Sender:        billing@acme-industr1al.com (numeral 1 in place of the second "i" in "industrial")
Display Name:             "Acme Industrial Supplies" (legitimate vendor name)
Legitimate Vendor Domain: acme-industrial.com
Fraudulent Domain:        acme-industr1al.com
Domain Registered:        May 24, 2026; 2 days before the attack
Registrar:                GoDaddy; privacy-protected registrant
Target:                   l.park@ficsit-pioneer.corp (Procurement Coordinator)
Invoice ID:               INV-2026-0847
Invoice Description:      Pioneer Division Equipment Maintenance Q2
Invoice Amount:           $23,847 USD
Payment Due Date:         5 business days from date of invoice
Email Authentication:     SPF FAIL, DKIM FAIL, DMARC FAIL (all three failed)
Email Disposition:        QUARANTINE; not delivered to inbox
Detection Date:           May 26, 2026, 09:18 UTC
Financial Loss:           $0; payment never initiated
Vendor Notified:          Yes; Acme Industrial confirmed the domain is not theirs
Section 03
Timeline of Events
Prior            Recon
Attacker conducts OSINT to identify Ficsit Inc.'s active supplier relationships. Acme Industrial Supplies identified as a Ficsit vendor via public procurement records, press releases, or possibly via previously compromised accounts. l.park identified as Procurement Coordinator via LinkedIn or public records.

May 24 ~09:00    Infrastructure
Homoglyph domain acme-industr1al.com registered via GoDaddy with a privacy-protected registrant. An MX record is published, so any reply sent to billing@acme-industr1al.com (for example a verification reply from Procurement) reaches the attacker; no SPF, DKIM or DMARC records are published. No website content deployed: the domain exists purely for fraudulent email.

May 26 09:18     Delivery Attempt
THREAT-003 received by Ficsit MailGuard. Sender: billing@acme-industr1al.com, display: "Acme Industrial Supplies". To: l.park@ficsit-pioneer.corp. Subject: "Invoice INV-2026-0847 — Pioneer Division Equipment Maintenance Q2". Attachment: INV-2026-0847.pdf (fraudulent invoice, 287 KB). SPF FAIL, DKIM FAIL, DMARC FAIL. Domain age: 2 days. MailGuard homoglyph detection flags acme-industr1al.com vs acme-industrial.com. Email quarantined. No inbox delivery.

May 26 09:18     Automated Response
MailGuard quarantine rule triggers. Threat investigation created. Security analyst notified. Incident VF-001 opened.

May 26 09:25     Investigation
Analyst confirms homoglyph: acme-industr1al.com (numeral 1) vs legitimate acme-industrial.com (second letter i of "industrial"). WHOIS lookup: domain registered 2 days ago via GoDaddy, privacy protected. No SPF or DKIM records published for the fraud domain and no DMARC policy; all three checks fail.

May 26 09:35     Verification
Analyst calls Acme Industrial Supplies at the phone number on file in the approved vendor registry (not the number listed in the suspicious email). Acme confirms: they did not send invoice INV-2026-0847, are not aware of any maintenance work in Q2, and have never used the domain acme-industr1al.com. They confirm their legitimate domain is acme-industrial.com. Acme advised to warn other customers and monitor for further abuse of the lookalike.

May 26 09:45     Containment
Fraudulent domain acme-industr1al.com blocked at NGFW and email gateway. Domain submitted to threat intelligence for cross-reference. l.park confirmed they did not receive or see the email. Procurement team alerted to homoglyph vendor fraud risk.

May 26 10:00     Closure
VF-001 closed. No financial loss. Recommendations drafted. Vendor notification documented. Abuse report filed with the registrar (GoDaddy) for acme-industr1al.com.
Section 04
Technical Analysis
4.1 Homoglyph Domain Analysis

A homoglyph attack is a lookalike-domain technique (closely related to typosquatting) that exploits visual similarity between characters to register a domain that reads as a legitimate domain when skimmed. In this case the numeral "1" (one) was substituted for the second "i" in "industrial": industr-i-al became industr-1-al. In many sans-serif fonts "1", "l", "I" and "i" are all tall, narrow glyphs, and at normal reading sizes the dot on the "i" and the small flag on the "1" are easy to miss, so the eye completes the familiar word. Note that the final "l" of "industrial" is untouched in the fraudulent domain; an earlier draft of this report described the substitution as 1-for-l, which is the related variant acme-industria1.com listed in Appendix B.

Property          | Legitimate domain                              | Fraudulent domain
Domain            | acme-industrial.com                            | acme-industr1al.com (numeral 1 for the second i)
Visual appearance | acme-industrial.com                            | acme-industr1al.com (near-identical in most sans-serif fonts)
Registered        | Long-established                               | May 24, 2026; 2 days before the attack
Registrar         | Established corporate registrar                | GoDaddy; privacy-protected registrant
MX records        | Properly configured                            | Configured, so the attacker can receive replies; no website
SPF record        | v=spf1 include:_spf.acme-industrial.com ~all   | None; SPF FAIL
DKIM              | Properly signed                                | Not configured; DKIM FAIL
DMARC             | p=reject                                       | None; DMARC FAIL

The attacker chose this specific substitution because: (1) the numeral 1 is routinely confused with i, l and I in the sans-serif fonts that email clients default to, (2) the domain was plausible enough to pass a quick human review, and (3) registering a lookalike of an existing domain is easy and cheap. The domain had no website content, confirming it was registered solely for email-based fraud.

4.2 Email Authentication Failure Analysis

All three email authentication mechanisms failed for THREAT-003:

Check | Result | Reason
SPF   | FAIL   | No SPF record published for acme-industr1al.com; the sending IP was not authorized.
DKIM  | FAIL   | No DKIM signing configured on acme-industr1al.com; the message carried no signature.
DMARC | FAIL   | No DMARC record published for acme-industr1al.com. (Strictly, an absent record is reported as dmarc=none under RFC 7489; MailGuard logs it as FAIL.)

Caveat: these failures were the attacker's omission, not a protection. SPF, DKIM and DMARC are evaluated against the domain in the From header, which here is acme-industr1al.com, a domain the attacker controls. Had the attacker published an SPF record, signed the message with DKIM and set a DMARC policy for the lookalike, all three checks would have passed and aligned, and the message would have been exactly as fraudulent. The legitimate vendor's p=reject policy on acme-industrial.com protects only against messages that claim to be From that exact domain; it has no effect on a lookalike. Authentication establishes which domain sent the message; only the approved vendor registry establishes whether that domain belongs to the vendor.
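The following Python is an added illustration, not MailGuard code. It parses an Authentication-Results header (RFC 8601) into per-method results and then applies the vendor-registry check alongside them. The first header is the one logged in Appendix A; the second is a constructed hypothetical in which the attacker has published SPF, DKIM and DMARC for the lookalike, so every check passes and aligns, and the message is still quarantined because the display name belongs to a different registered domain. The VENDOR_REGISTRY dictionary is a constructed stand-in for the approved vendor registry kept by Finance.

```python
"""Parse Authentication-Results and combine it with the vendor-registry check,
so a lookalike domain that passes SPF/DKIM/DMARC for itself is still caught.
Added example; not MailGuard code."""
import re

# As logged by MailGuard for THREAT-003 (Appendix A).
THREAT_003_AUTH = """Authentication-Results: mx.ficsit-pioneer.corp;
  spf=fail  (no SPF record found for acme-industr1al.com)
  dkim=fail (no DKIM signature)
  dmarc=fail (no DMARC policy for acme-industr1al.com;
              legitimate domain acme-industrial.com policy=reject)"""

# Constructed hypothetical: the same lookalike after the attacker publishes
# SPF, DKIM and DMARC for acme-industr1al.com. Every check passes and aligns.
LOOKALIKE_ALL_PASS = """Authentication-Results: mx.ficsit-pioneer.corp;
  spf=pass (sender IP authorized by acme-industr1al.com) smtp.mailfrom=acme-industr1al.com;
  dkim=pass header.d=acme-industr1al.com;
  dmarc=pass (p=reject dis=none) header.from=acme-industr1al.com"""

# Constructed stand-in for the approved vendor registry kept by Finance:
# display name (lower-cased) -> the one domain that vendor sends from.
VENDOR_REGISTRY = {"acme industrial supplies": "acme-industrial.com"}

# method=result, optionally followed by a parenthesised comment.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)\s*(?:\(([^)]*)\))?", re.I)


def parse_authentication_results(header):
    """Return (authserv_id, {method: (result, comment)}) for spf/dkim/dmarc."""
    _, _, body = header.partition(":")             # drop the header field name
    authserv_id, _, resinfo = body.partition(";")   # authserv-id ends at first ';'
    results = {}
    for m in _RESULT_RE.finditer(resinfo):
        method, result, comment = m.group(1).lower(), m.group(2).lower(), m.group(3) or ""
        results[method] = (result, " ".join(comment.split()))
    return authserv_id.strip(), results


def assess_sender(display_name, from_domain, header):
    """Quarantine on any failed check, and independently on a display name that
    belongs to a registered vendor but arrives from a different domain.
    SPF/DKIM/DMARC are evaluated against from_domain itself, so a pass only
    shows the mail came from that domain, not that the domain is the vendor."""
    _, results = parse_authentication_results(header)
    failed = [m for m in ("spf", "dkim", "dmarc")
              if results.get(m, ("none", ""))[0] != "pass"]
    registered = VENDOR_REGISTRY.get(display_name.lower())
    reasons = []
    if failed:
        reasons.append("authentication failed: " + ", ".join(failed))
    if registered and from_domain.lower() != registered:
        reasons.append(f"display name belongs to {registered}, mail is from {from_domain}")
    return {"verdict": "quarantine" if reasons else "deliver",
            "results": results, "reasons": reasons}


if __name__ == "__main__":
    for hdr in (THREAT_003_AUTH, LOOKALIKE_ALL_PASS):
        print(assess_sender("Acme Industrial Supplies", "acme-industr1al.com", hdr))
```

Run as-is, the first header quarantines on two reasons (failed authentication and the registry mismatch); the second quarantines on the registry mismatch alone, which is the point: the allowlist check from R1 must not be conditional on authentication failing.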
4.3 Invoice Fraud Detail

The fraudulent invoice (INV-2026-0847, PDF attachment) was crafted to mimic Acme Industrial Supplies' invoice format, including their logo and standard invoice layout. Key fraud indicators present in the invoice:

Field                 | Fraudulent Invoice                               | Fraud Indicator
Invoice Number        | INV-2026-0847                                    | Sequential number in a plausible format, but not in Acme's actual invoice numbering system
Description           | "Pioneer Division Equipment Maintenance Q2"      | Plausible service description; Ficsit does hold maintenance contracts
Amount                | $23,847.00                                       | Non-round figure chosen to look realistic rather than suspicious
Bank Details          | Altered bank name, account and routing numbers   | Key fraud element; payment would route to the attacker's account
Contact               | billing@acme-industr1al.com / +1-555-0192 (fake) | Fraudulent contact details intended to intercept any verification calls
Sender domain in body | acme-industr1al.com throughout                   | Consistent use of the fraudulent domain, visually near-identical to the legitimate one
Payment terms         | "Due within 5 business days"                     | Tight deadline creates urgency and discourages extended verification
4.4 Detection Signals

MailGuard flagged THREAT-003 via a combination of rules:

Signal                          | Value                                                                                                    | Source
Homoglyph domain detection      | acme-industr1al.com matches vendor acme-industrial.com (Levenshtein distance 1, numeral 1 for letter i)  | MailGuard homoglyph engine
Domain age                      | 2 days; below the 30-day domain-age threshold MailGuard requires before a sender can bypass checks as a known vendor | WHOIS lookup
SPF FAIL                        | No SPF record on sending domain                                                                          | Email authentication
DKIM FAIL                       | Email unsigned                                                                                           | Email authentication
DMARC FAIL                      | No DMARC record on sending domain (the legitimate vendor's p=reject does not apply to a lookalike)        | Email authentication
Invoice + banking detail change | Email body instructs payment to banking details that differ from the vendor file                         | Content analysis
Vendor not in recent comms      | No prior mail from acme-industr1al.com (new domain)                                                      | Communication history
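The Python below is added here as an illustration of the signals in the table above and of the homoglyph comparison in 4.1; it is not MailGuard's engine. The homoglyph check folds visually confusable characters into one canonical form (so acme-industr1al.com and acme-industrial.com compare equal) and falls back to Levenshtein distance for plain typosquats; the remaining signals are the 30-day age rule, the authentication results, the banking-change flag and the sender-history check. The vendor registry, the known-sender history, the constructed message dictionaries and the 30-day threshold value are all assumptions for the example. The fold table also covers a few Cyrillic lookalikes, which goes beyond the ASCII substitution seen in this incident.

```python
"""Vendor-fraud scoring over the section 4.4 signals. Added example; not
MailGuard code. Registry, history and messages are constructed."""
from datetime import date
import unicodedata

# Fold characters that render alike into one canonical form. The ASCII pairs
# are the classic 1/l/i and 0/o swaps; the Cyrillic entries cover IDN lookalikes.
FOLD_PAIRS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"),
              ("5", "s"), ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
              ("\u0440", "p"), ("\u0441", "c")]

VENDOR_DOMAINS = {"acme-industrial.com", "globex-tooling.com"}  # constructed registry
KNOWN_SENDERS = {"acme-industrial.com"}                        # constructed history
AGE_THRESHOLD_DAYS = 30                                        # assumed rule value
DETECTION_DATE = date(2026, 5, 26)


def skeleton(domain):
    """Canonical form in which visually confusable characters compare equal."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in FOLD_PAIRS:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance; 1 means a single insert, delete or substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_match(sender_domain, vendor_domains, max_distance=2):
    """Return (vendor_domain, kind) with kind 'exact', 'homoglyph' or
    'typosquat', or None when the sender resembles no registered vendor."""
    s = sender_domain.lower()
    if not vendor_domains:
        return None
    if s in vendor_domains:
        return s, "exact"
    for v in vendor_domains:
        if skeleton(s) == skeleton(v):
            return v, "homoglyph"
    nearest = min(vendor_domains, key=lambda v: levenshtein(s, v))
    if levenshtein(s, nearest) <= max_distance:
        return nearest, "typosquat"
    return None


def score_message(msg, vendor_domains, known_senders, today):
    """Evaluate one message against the section 4.4 signals. Any lookalike of a
    registered vendor domain quarantines outright; otherwise three or more of
    the weaker signals route the message to analyst review."""
    from_domain = msg["from"].rsplit("@", 1)[1].lower()
    signals = []
    match = lookalike_match(from_domain, vendor_domains)
    lookalike = match is not None and match[1] != "exact"
    if lookalike:
        signals.append(f"{match[1]}: {from_domain} resembles vendor {match[0]}")
    age = (today - msg["domain_registered"]).days
    if age < AGE_THRESHOLD_DAYS:
        signals.append(f"domain age {age}d below {AGE_THRESHOLD_DAYS}d threshold")
    failed = [m for m in ("spf", "dkim", "dmarc") if msg["auth"].get(m) != "pass"]
    if failed:
        signals.append("authentication failed: " + ", ".join(failed))
    if msg["banking_details_changed"]:
        signals.append("banking details differ from vendor file")
    if from_domain not in known_senders:
        signals.append("no prior correspondence from sending domain")
    verdict = "quarantine" if lookalike else ("review" if len(signals) >= 3 else "deliver")
    return verdict, signals


# Constructed reconstruction of THREAT-003 from Appendix A, and a constructed
# genuine invoice from the real vendor for comparison.
THREAT_003 = {"from": "billing@acme-industr1al.com", "domain_registered": date(2026, 5, 24),
              "auth": {"spf": "fail", "dkim": "fail", "dmarc": "fail"},
              "banking_details_changed": True}
GENUINE_INVOICE = {"from": "ar@acme-industrial.com", "domain_registered": date(2010, 1, 1),
                   "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
                   "banking_details_changed": False}

if __name__ == "__main__":
    for m in (THREAT_003, GENUINE_INVOICE):
        print(score_message(m, VENDOR_DOMAINS, KNOWN_SENDERS, DETECTION_DATE))
```

The fold-then-compare step is what makes the check robust to the exact substitution: it does not matter whether the attacker swapped 1 for i, 1 for l, or a Cyrillic а for a, because all of them collapse to the same skeleton as the registered domain.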
Section 05
MITRE ATT&CK Mapping
Tactic               | Technique                                             | ID        | Observed Behavior
Reconnaissance       | Gather Victim Org Information: Business Relationships | T1591.002 | Identified Ficsit's active vendor relationship with Acme Industrial via OSINT
Reconnaissance       | Gather Victim Identity Information                    | T1589     | Identified the procurement contact (l.park) via OSINT
Resource Development | Acquire Infrastructure: Domains                       | T1583.001 | Registered acme-industr1al.com (homoglyph of acme-industrial.com) via GoDaddy 2 days before the attack
Initial Access       | Phishing: Spearphishing Attachment                    | T1566.001 | Fraudulent invoice PDF delivered as a spearphishing attachment to the procurement contact
Defense Evasion      | Impersonation                                         | T1656     | Vendor identity impersonated via homoglyph domain and a display name matching the legitimate vendor
Impact               | Financial Theft                                       | T1657     | $23,847 invoice with altered banking details; payment would have gone to the attacker's account
Section 06
IOC Inventory
Type         | Value                                                | Confidence | Description
Domain       | acme-industr1al.com                                  | Confirmed  | Homoglyph fraudulent domain. Registered 2026-05-24 via GoDaddy. Configured for email only. Blocked at NGFW and email gateway.
Email        | billing@acme-industr1al.com                          | Confirmed  | Fraudulent sending address. Blocked at email gateway.
Invoice      | INV-2026-0847                                        | Confirmed  | Fraudulent invoice: $23,847 for "Pioneer Division Equipment Maintenance Q2." Confirmed by Acme Industrial as not issued by them.
Bank Account | Attacker bank account (details on file with Finance) | Confirmed  | Fraudulent banking details included in the invoice PDF. Do not process payment to these details. Under investigation.
Display Name | "Acme Industrial Supplies"                           | Confirmed  | Fraudulent display name used when sending from the homoglyph domain. Add rule: this display name from any domain other than acme-industrial.com should be blocked.
Section 07
Containment Actions
Time      | Action                                                                                       | By                     | Status
09:18 UTC | Email THREAT-003 quarantined; not delivered to l.park inbox                                  | MailGuard (automated)  | Completed
09:18 UTC | Security analyst notified; VF-001 opened                                                     | MailGuard (automated)  | Completed
09:25 UTC | Homoglyph confirmed (acme-industr1al.com vs acme-industrial.com); WHOIS retrieved             | Security analyst       | Completed
09:35 UTC | Acme Industrial contacted via on-file phone number; invoice confirmed fraudulent; vendor warned | Security analyst     | Completed
09:45 UTC | acme-industr1al.com blocked at NGFW and email gateway                                        | Security analyst       | Completed
09:45 UTC | Domain submitted to threat intelligence; l.park confirmed unaware of email                   | Security analyst       | Completed
09:45 UTC | Procurement team briefed on homoglyph vendor fraud; do not process invoices from non-registered domains | Security analyst | Completed
10:00 UTC | Abuse report filed with the registrar (GoDaddy) for acme-industr1al.com                      | Security analyst       | Completed
10:00 UTC | VF-001 closed; no financial loss, all containment complete                                   | Security analyst       | Completed
Pending   | Audit all registered vendor domains in the approved vendor list for homoglyph exposure       | Security / Procurement | Not Started
Pending   | Implement vendor domain allowlist at email gateway                                           | Security               | Not Started
Section 08
Root Cause Analysis

VF-001 was a vendor-impersonation invoice fraud blocked before any financial impact. The message reached MailGuard and was stopped by automated detection, not by process controls. Had MailGuard not detected it, the email would likely have reached l.park's inbox and been processed as a legitimate invoice, particularly given its plausible format and timing (Q2 maintenance invoices are expected in this period).

C1 (High): No Vendor Domain Allowlist at Email Gateway
The email gateway did not have a configured allowlist of approved vendor sending domains. An allowlist for active vendors (e.g., only accept emails claiming to be from Acme Industrial Supplies if they originate from acme-industrial.com) would have blocked this at the gateway layer even without the homoglyph detection rule firing.

C2 (High): No Out-of-Band Payment Verification for New Banking Details
Procurement policy does not require out-of-band verification when an invoice presents banking details that differ from the details on file for that vendor. A policy requiring a confirmation call to a pre-registered vendor number before processing any payment with changed banking details would catch this attack even if the email were delivered.

C3 (Medium): Vendor-Specific Intelligence Gap
The attacker was aware of Ficsit's relationship with Acme Industrial Supplies. This information is likely publicly available via procurement disclosures, but it may also indicate that a prior communication breach gave the attacker access to procurement email history. This warrants investigation into whether any Ficsit email accounts with vendor communication history were compromised.
Section 09
Recommendations
R1 (High): Implement Vendor Domain Allowlist at Email Gateway
Create and maintain a registered vendor domain allowlist. Any invoice or payment-related email whose display name matches a known vendor but which originates from a domain not in the allowlist for that vendor should be quarantined and flagged for Procurement review before delivery. Apply the rule regardless of whether SPF/DKIM/DMARC pass, since a lookalike domain can be fully authenticated for itself. Cross-reference the approved vendor registry maintained by Finance.

R2 (High): Require Out-of-Band Verification for Changed Banking Details
Establish a mandatory procurement policy: any invoice presenting bank account or routing details that differ from the approved vendor payment details on file must be verified via a direct phone call to the vendor's pre-registered number before processing. This policy would stop invoice fraud even when emails bypass automated detection.

R3 (High): Audit Approved Vendor List for Homoglyph Domain Exposure
Run homoglyph analysis against the registered domains of all vendors in the approved vendor list. Identify which vendor domains are most at risk of lookalike registration, add the candidates to gateway monitoring, and arrange defensive registration for the highest-value vendors (top 10 by payment volume), coordinating with each vendor since the lookalikes are of their domain rather than Ficsit's. Alert procurement staff to known homoglyphs.

R4 (Medium): Vendor Fraud Awareness Training for Procurement Staff
Conduct targeted training for all Procurement and Finance staff on invoice fraud, vendor impersonation, and homoglyph domain attacks. Include practical exercises showing how similar acme-industrial.com and acme-industr1al.com look in common email clients. Update onboarding for Procurement roles to include this content.

R5 (Medium): Investigate Whether Vendor Relationship Was Exposed via Compromised Account
The attacker's knowledge of Ficsit's Acme Industrial relationship may indicate prior access to procurement email history. Review email access logs for l.park's account and any shared procurement mailboxes for unauthorized access in the 60 days prior to this incident. Cross-reference with IRON CHIMNEY IOCs to determine whether the same actor conducted this reconnaissance.
Appendix A
Email Analysis — THREAT-003
THREAT-003 — Full Email Detail (as received by MailGuard)
QUARANTINED
--- HEADERS ---
From: "Acme Industrial Supplies" <billing@acme-industr1al.com>
To: l.park@ficsit-pioneer.corp
Subject: Invoice INV-2026-0847 -- Pioneer Division Equipment Maintenance Q2
Date: Tue, 26 May 2026 09:17:53 +0000
Message-ID: <INVOICE-2026-0847@acme-industr1al.com>
Content-Type: multipart/mixed; boundary="boundary_inv_0847"
X-Mailer: PHPMailer 6.8.0

--- AUTHENTICATION ---
Authentication-Results: mx.ficsit-pioneer.corp;
  spf=fail  (no SPF record found for acme-industr1al.com)
  dkim=fail (no DKIM signature)
  dmarc=fail (no DMARC policy for acme-industr1al.com;
              legitimate domain acme-industrial.com policy=reject)

--- MAILGUARD ANALYSIS ---
Vendor-fraud confidence: HIGH
Homoglyph match: acme-industr1al.com ≈ acme-industrial.com [Levenshtein=1, numeral/letter sub]
Domain age: 2 days (registered 2026-05-24)
Invoice content: payment instructions present
Banking detail change: DETECTED (differs from vendor file on record)
SPF: FAIL | DKIM: FAIL | DMARC: FAIL
Action: QUARANTINE  incident=VF-001

--- BODY ---
Dear l.park,

Please find attached invoice INV-2026-0847 for Pioneer Division Equipment
Maintenance services delivered in Q2 2026.

  Invoice #:   INV-2026-0847
  Date:        May 25, 2026
  Amount Due:  $23,847.00 USD
  Due Date:    June 2, 2026 (5 business days)

Please process payment to our updated banking details (please note our
banking information has recently changed):

  Bank:     Pioneer Commerce Bank
  Account:  [REDACTED FOR REPORT — on file with Finance]
  Routing:  [REDACTED FOR REPORT — on file with Finance]
  Payee:    Acme Industrial Supplies

If you have any questions, please contact us at:
billing@acme-industr1al.com or +1-555-0192

Thank you for your continued business.

Best regards,
Robert Haines
Accounts Receivable
Acme Industrial Supplies
billing@acme-industr1al.com
Appendix B
Domain Visual Comparison

The following comparison illustrates how the homoglyph substitution is nearly invisible in common email client fonts. Security awareness training should include this type of comparison.

Homoglyph Comparison: Character Position 13

Legitimate vendor domain:
  acme-industrial.com
  Position 13: i  ← lowercase letter "i" (the second "i" in "industrial")

Fraudulent domain (this incident):
  acme-industr1al.com
  Position 13: 1  ← numeral "one"

In common sans-serif fonts (Arial, Helvetica, Calibri, etc.):
  "1", "l", "I" and "i" are all tall, narrow glyphs. At body-text sizes the
  dot on the "i" and the small flag on the "1" are easy to miss, and the eye
  reads the familiar word "industrial".

Visual appearance in most email clients:
  acme-industrial.com   ← legitimate
  acme-industr1al.com   ← FRAUDULENT (hard to distinguish without zooming or a monospace font)

Additional lookalikes that should be monitored (not yet observed):
  acme-industria1.com   (numeral 1 for the final l)
  acme-industrla1.com   (two substitutions: l for the second i, 1 for the final l)
  acme-1ndustrial.com   (numeral 1 for the leading i)
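To support the R3 audit and the monitoring list above, the following Python enumerates the lookalikes a vendor domain is exposed to: single-character confusable substitutions (1/l/i, 0/o, 5/s), the two-character rn/m and vv/w swaps, adjacent transpositions and single-character omissions, each tagged by kind so homoglyphs can be prioritised for defensive registration. It is an added example, not part of this report's tooling; the substitution table is an assumption chosen for ASCII-only, directly registrable output, and the optional depth-2 mode is what produces variants such as acme-industrla1.com.

```python
"""Enumerate lookalike domains for a vendor domain, tagged by kind.
Added example for the R3 audit; not part of the report's tooling."""
from itertools import combinations, product

# Single-character swaps that render alike in common sans-serif fonts (assumed table).
SINGLE_SUBS = {
    "l": ["1", "i"], "i": ["1", "l"], "1": ["l", "i"],
    "o": ["0"], "0": ["o"], "s": ["5"], "5": ["s"],
}
# Multi-character swaps that change the label length, handled separately.
MULTI_SUBS = [("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w")]


def _split(domain):
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def _valid(label):
    # A label may not be empty or begin/end with a hyphen.
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def homoglyph_variants(domain, max_subs=1):
    """Every label with up to max_subs confusable substitutions applied."""
    label, tld = _split(domain)
    out = set()
    positions = [i for i, c in enumerate(label) if c in SINGLE_SUBS]
    for k in range(1, max_subs + 1):
        for pos in combinations(positions, k):
            for repl in product(*(SINGLE_SUBS[label[p]] for p in pos)):
                chars = list(label)
                for p, r in zip(pos, repl):
                    chars[p] = r
                out.add("".join(chars) + "." + tld)
    for src, dst in MULTI_SUBS:
        start = label.find(src)
        while start != -1:
            out.add(label[:start] + dst + label[start + len(src):] + "." + tld)
            start = label.find(src, start + 1)
    out.discard(domain.lower())
    return out


def transposition_variants(domain):
    """Adjacent characters swapped (classic typosquat, not a homoglyph)."""
    label, tld = _split(domain)
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def omission_variants(domain):
    """One character dropped."""
    label, tld = _split(domain)
    return {label[:i] + label[i + 1:] + "." + tld for i in range(len(label))}


def lookalike_candidates(domain, max_subs=1):
    """Map candidate -> kind. Homoglyphs take precedence because they survive a
    visual check; transpositions and omissions usually do not."""
    result = {}
    for kind, cands in (("homoglyph", homoglyph_variants(domain, max_subs)),
                        ("transposition", transposition_variants(domain)),
                        ("omission", omission_variants(domain))):
        for c in sorted(cands):
            if _valid(_split(c)[0]):
                result.setdefault(c, kind)
    return result


if __name__ == "__main__":
    cands = lookalike_candidates("acme-industrial.com", max_subs=2)
    print(len(cands), "candidates for acme-industrial.com")
    for c in sorted(k for k, kind in cands.items() if kind == "homoglyph")[:10]:
        print("  homoglyph:", c)
```

Feed the output to the gateway's monitoring list and to the vendor; the candidate count grows quickly with max_subs, so depth 2 is a reasonable ceiling for the top-10 vendors and depth 1 for the rest.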