VF-001 · Vendor Fraud Intercepted
Difficulty: Medium · 3 tools · ~15 min walkthrough

Vendor Fraud

Threat actor TA-002 COBALT MANTIS registers acme-industr1al.com, a lookalike of the real vendor domain acme-industrial.com: the second "i" in "industrial" is replaced with the numeral "1", which is easy to read as a lowercase L or capital I at a glance. From billing@ on that domain they send l.park a convincing billing email asking her to change the vendor's bank account before a $23,847 wire goes out. MailGuard flags the message as THREAT-003 and quarantines it, so the wire is never sent. Two hours after the email was sent, CASB records l.park uploading vendor contracts, including acme_nda_2024.pdf and vendor_pricing_q4.xlsx, to her personal Google Drive (DLP-006). The quarantined email cannot have caused that upload, so either she was already in contact with the attacker through another channel or her account was compromised separately; the investigation has to widen beyond the blocked message.

Attack chain
01 Domain Spoof: acme-industr1al.com lookalike registered by TA-002 COBALT MANTIS. T1583.001 (Acquire Infrastructure: Domains)
02 Billing Fraud: bank account change email to l.park ahead of a $23,847 wire. T1566.001 (Phishing: Spearphishing Attachment, as mapped by the scenario; the email as described carries no attachment, so the parent technique T1566 Phishing is the closer fit)
03 Data Exposure: l.park uploads vendor contracts to her personal Google Drive (CASB DLP-006). T1213 (Data from Information Repositories, as mapped; the upload itself is better described by T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage)
04 Intercepted: MailGuard quarantines THREAT-003 and the wire transfer is blocked. T1657 (Financial Theft, attempted)
Tool involvement
Email (MailGuard): VF-001 · THREAT-003 (quarantined; acme-industr1al.com lookalike). Page: Vendor Fraud ↗
TIP: TA-002 COBALT MANTIS · CAM-002 MANTIS BEC Sweep · IOC-006 · IOC-022. Page: Threat Actors ↗
CASB: DLP-002 · DLP-006 (vendor contracts uploaded by l.park 2h after the phish). Page: DLP ↗
Key concepts covered

Techniques in this scenario

Homoglyph: a domain that replaces one or more characters with visually similar ones. In "acme-industr1al.com" the second "i" of "industrial" is a numeral 1, which is easy to miss at a glance. Because both domains are plain ASCII, IDN/punycode defenses do not apply; detection depends on comparing sender domains against the vendors you actually pay.
Vendor fraud: impersonating a real vendor to redirect payments. More targeted than CEO fraud because the attacker has researched actual vendor relationships, including which employee handles that vendor's invoices.
Supply chain risk: attackers compromise or impersonate a trusted third party to reach the target organization's finances or data.
Shadow exfil: data leaving through a personal cloud account. l.park uploading vendor contracts to Google Drive suggests either a compromised account or a social-engineering success through a channel MailGuard never saw.
Instructor walkthrough

Click each step to expand. Open the linked tool page, walk through what's there, then ask the discussion questions.

01 Email: Show the homoglyph domain and the quarantined email

Open MailGuard and go to Vendor Fraud. Find VF-001, then go to Threats and open THREAT-003. Show the email: it is from billing@acme-industr1al.com and asks l.park to update the vendor's bank account details before the next payment is processed. Write both domains on a whiteboard if you can: acme-industrial.com (real) vs acme-industr1al.com (attacker). Ask students to spot the difference before you point at the numeral 1 standing in for the second "i". Most won't catch it at first glance.

Open Vendor Fraud ↗
Ask: If you received this email and weren't specifically looking for homoglyphs, would you catch it? What would have to be different about your normal workflow?
Ask: What technical controls can detect homoglyph domains automatically? How does MailGuard know to flag it?
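One answer to the second question, as an added example and not foyl's or MailGuard's code: a gateway that knows which vendor domains the organization actually pays can fold visually confusable characters into a canonical form and compare the sender's registrable domain against that list, falling back to a small edit-distance check for dropped hyphens and swapped TLDs. The vendor list, the confusable table (deliberately broader than Unicode's confusables skeleton so that "1" collides with both "l" and "i"), the two-label registrable-domain shortcut and the sample senders are all assumptions constructed for the demo.

```python
"""Lookalike-domain check for inbound mail.

Added example for this walkthrough, not foyl or MailGuard code. The vendor list,
the confusable table and the sample senders are constructed for the demo.
"""

# Characters folded into one class because they look alike in common fonts.
# Assumption: a broader folding than Unicode's confusables skeleton, so that
# '1' collides with both 'l' and 'i' (the swap used in acme-industr1al.com).
CONFUSABLES = {"1": "l", "i": "l", "0": "o", "3": "e", "5": "s"}
# Multi-character sequences that read as a single letter.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed vendor list; in production this comes from the vendor master file.
KNOWN_VENDOR_DOMAINS = ["acme-industrial.com", "globex-supply.com"]


def registrable_domain(address: str) -> str:
    """Return the last two labels of the sender's domain.

    Assumption for the demo: two-label registrable domains. Production code should
    consult the Public Suffix List so that vendor.co.uk is handled correctly.
    """
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    return ".".join(domain.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Fold confusable characters so a lookalike collides with the real domain."""
    s = domain.lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped hyphens and swapped TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_vendor, reason).

    'known'     the sender domain is a real vendor domain
    'lookalike' it imitates one (confusable fold or small edit distance)
    'unknown'   no resemblance to any known vendor
    Confusable matches are checked first: a character swap is a stronger signal
    than a one-character typo.
    """
    domain = registrable_domain(address)
    if domain in known:
        return "known", domain, "exact match"
    sk = skeleton(domain)
    for vendor in known:
        if sk == skeleton(vendor):
            return "lookalike", vendor, f"{domain} folds to the same skeleton as {vendor}"
    for vendor in known:
        d = edit_distance(domain, vendor)
        if d <= max_distance:
            return "lookalike", vendor, f"edit distance {d} from {vendor}"
    return "unknown", None, "no vendor resemblance"


if __name__ == "__main__":
    for sender in ("billing@acme-industrial.com",   # the real vendor
                   "billing@acme-industr1al.com",   # THREAT-003's sender
                   "ap@acmeindustrial.com",         # dropped hyphen
                   "news@example.org"):             # unrelated
        print(f"{sender:32} -> {classify_sender(sender)}")
```

The point for students: the check only works because the gateway has a list of real vendor domains to compare against. Without that list, acme-industr1al.com is just another unknown domain, which is why vendor-fraud protection is as much a procurement-data problem as a mail-filtering one.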
02 TIP: Look up TA-002 COBALT MANTIS

Open the TIP and go to Actors. Find TA-002 COBALT MANTIS. Show the profile: this group specializes in vendor fraud and BEC campaigns, targeting finance and procurement teams at mid-size companies. Then go to Campaigns and show CAM-002 MANTIS BEC Sweep, which links VF-001 to a broader campaign. Go to IOCs and show IOC-006 (the lookalike domain) and IOC-022 (related C2 infrastructure). Note that TA-002 is distinct from TA-001 IRON CHIMNEY: two separate threat actors were active against Ficsit Inc. at the same time.

Open Threat Actors ↗
Ask: Two different threat actors hit Ficsit at the same time. Is that a coincidence? What reasons might explain it?
Ask: How do you add a new IOC from an active incident to the TIP so it protects other customers or internal teams?
03 CASB: Find the vendor contract uploads

Open CASB and go to DLP. Find DLP-006: l.park uploaded acme_nda_2024.pdf and vendor_pricing_q4.xlsx to her personal Google Drive two hours after THREAT-003 was sent. This is the piece that changes the picture. MailGuard quarantined the email, but the data movement in CASB suggests l.park may have already been in contact with the attacker through another channel, or her account was compromised separately. Point out that this is where the investigation would expand beyond just the email.

Open DLP ↗
Ask: The email was blocked but data still moved. What does that tell you about relying on a single control to stop an attack?
Ask: Is uploading files to personal Google Drive always a DLP incident? How do you write a policy that catches malicious exfil without flagging normal employee behavior?
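A worked answer to both questions, as an added example and not foyl, MailGuard or CASB code: a per-event DLP decision that does not treat every personal Google Drive upload as an incident (corporate tenants are allowed, non-sensitive personal uploads are only logged), and a correlation that escalates when a sensitive personal-cloud upload follows a quarantined vendor-fraud email for the same user inside a time window. The event field names, the filename heuristics standing in for a classification label, the 24-hour window and the sample events are all assumptions constructed for the demo; map them onto your own SIEM schema.

```python
"""Cross-tool correlation: quarantined vendor-fraud email followed by a
personal-cloud upload by the same user.

Added example for this walkthrough, not foyl, MailGuard or CASB code. Event
fields, filename heuristics and sample events are constructed for the demo.
"""
from datetime import datetime, timedelta

# Constructed MailGuard-style events (ISO-8601 timestamps, same timezone).
MAIL_EVENTS = [
    {"id": "THREAT-003", "ts": "2024-11-04T09:12:00", "user": "l.park",
     "verdict": "quarantined", "category": "vendor_fraud",
     "sender_domain": "acme-industr1al.com",
     "impersonated_vendor": "acme-industrial.com"},
]

# Constructed CASB-style events. DLP-006 mirrors the scenario; the other two
# are benign controls so the policy can be seen not firing.
CASB_EVENTS = [
    {"id": "DLP-006", "ts": "2024-11-04T11:12:00", "user": "l.park",
     "app": "Google Drive", "account_type": "personal",
     "files": ["acme_nda_2024.pdf", "vendor_pricing_q4.xlsx"]},
    {"id": "DLP-002", "ts": "2024-11-04T10:30:00", "user": "j.doe",
     "app": "Google Drive", "account_type": "personal",
     "files": ["team_offsite_photos.zip"]},
    {"id": "DLP-009", "ts": "2024-11-04T12:00:00", "user": "a.ng",
     "app": "Google Drive", "account_type": "corporate",
     "files": ["vendor_pricing_q4.xlsx"]},
]

# Assumption: filename tokens standing in for a real classification label.
SENSITIVE_TOKENS = ("nda", "contract", "pricing", "msa", "sow")


def is_sensitive(filename: str) -> bool:
    name = filename.lower()
    return any(tok in name for tok in SENSITIVE_TOKENS)


def dlp_decision(event: dict) -> str:
    """Per-event policy: 'allow' corporate tenants, 'log' personal uploads of
    non-sensitive files, 'alert' only when sensitive content leaves to a
    personal account. This keeps holiday photos out of the incident queue."""
    if event["account_type"] != "personal":
        return "allow"
    return "alert" if any(is_sensitive(f) for f in event["files"]) else "log"


def vendor_tokens(vendor_domain: str) -> set:
    """'acme-industrial.com' -> {'acme', 'industrial'}: used to spot files
    about the impersonated vendor specifically."""
    label = vendor_domain.split(".")[0]
    return {t for t in label.split("-") if len(t) >= 4}


def correlate(mail_events, casb_events, window_hours: int = 24) -> list:
    """Pair each quarantined vendor-fraud email with later alerting uploads by
    the same user inside the window. Returns one finding per pair."""
    findings = []
    for m in mail_events:
        if m["verdict"] != "quarantined" or m["category"] != "vendor_fraud":
            continue
        m_ts = datetime.fromisoformat(m["ts"])
        tokens = vendor_tokens(m["impersonated_vendor"])
        for c in casb_events:
            if c["user"] != m["user"] or dlp_decision(c) != "alert":
                continue
            delta = datetime.fromisoformat(c["ts"]) - m_ts
            if not timedelta(0) <= delta <= timedelta(hours=window_hours):
                continue
            vendor_files = [f for f in c["files"]
                            if any(tok in f.lower() for tok in tokens)]
            findings.append({
                "mail_id": m["id"], "casb_id": c["id"], "user": c["user"],
                "hours_after_phish": delta.total_seconds() / 3600,
                "vendor_files": vendor_files,
                # Files naming the impersonated vendor mean the attacker's
                # target material moved, not merely something sensitive.
                "severity": "high" if vendor_files else "medium",
                "note": "email quarantined but data moved; check other channels "
                        "(phone, personal mail) and the user's session history",
            })
    return findings


if __name__ == "__main__":
    for e in CASB_EVENTS:
        print(e["id"], dlp_decision(e))
    for f in correlate(MAIL_EVENTS, CASB_EVENTS):
        print(f)
```

Run it and DLP-002 comes back as "log" and DLP-009 as "allow"; only DLP-006 alerts, and the correlation raises it to high severity because acme_nda_2024.pdf names the vendor COBALT MANTIS was impersonating. That is the single-control lesson in code: MailGuard's verdict on its own says "handled", CASB's on its own says "policy violation", and only the join between them says "this user may already be talking to the attacker".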