BEC Campaign Using AI Generated Fake Email Threads
11 August 2025
By Hiwot Mendahun and the Mimecast Threat Research Team
- Large-scale BEC invoice fraud campaign targets global organizations across multiple industries using urgent payment requests to exploit time-sensitive business processes.
- Attackers deploy sophisticated automation including AI-generated email content, programmatic file creation, and headless browser technology generating PDF invoices before distribution.
- Campaign employs advanced deception techniques combining fake email threads with fabricated CEO confirmations and automated HTML construction establishing false legitimacy.
Campaign Overview
The Mimecast Threat Research team has identified a Business Email Compromise (BEC) campaign that leverages automated fake email threads to execute invoice fraud at scale (tracked internally as MCTO5003). This campaign represents a significant evolution in BEC tactics, combining traditional social engineering with advanced automation using Artificial Intelligence to create convincing fabricated conversations between executives and external service providers. The threat actors construct fake email chains that appear to show legitimate business correspondence, with each thread carefully crafted to include CEO or senior executive approval for urgent invoice payments. The campaigns demonstrate clear signs of automation, from AI-generated email content to programmatically created PDF attachments that are generated using headless browser technology immediately before email transmission.
Technical analysis of the campaign reveals several indicators of automated deployment.
Linguistic and structural analysis of the email body revealed characteristics—such as highly fluent language, coherent context, and lack of typical grammatical errors—that are strongly indicative of content generated by a Large Language Model (LLM), rather than crafted manually.
The email HTML contains several embedded comments that label what should go in each section of the fabricated thread.
<!-- ORIGINAL INVOICE NOTICE --> (FAKE)
<!-- CEO CONFIRMATION --> (FAKE)
<!-- COLLECTION FOLLOW-UP --> (FAKE)
<!-- CEO EMAIL FOLLOW-UP -->
<!-- FINAL NOTICE TO ACCOUNTING --> (FIRST MESSAGE TO TARGET FINANCE TEAM)
Additionally, some campaigns use non-standard formatting elements such as <wbr /> tags and manually inserted visual dividers, which indicates systematic generation rather than authentic email forwarding.
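The HTML artefacts above (template-style section comments, <wbr /> soft breaks, hand-inserted dividers) can be scored directly from the message body. The following is an added example of such a heuristic, not Mimecast's detection logic; the section labels are the ones quoted in this report, the scoring weights and threshold are assumptions, and both sample bodies are constructed for the demo.

```python
"""Heuristic scan of an email's HTML body for fabricated-thread artefacts:
template-style HTML comments labelling each message of the "thread",
<wbr /> soft-break tags and hand-inserted visual dividers.
Added example (not Mimecast's detection logic); sample bodies are constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# Section labels quoted in the report. Any other upper-case template comment
# still counts as a section comment; these known labels just add weight.
KNOWN_SECTION_COMMENTS = {
    "ORIGINAL INVOICE NOTICE", "CEO CONFIRMATION", "COLLECTION FOLLOW-UP",
    "CEO EMAIL FOLLOW-UP", "FINAL NOTICE TO ACCOUNTING", "ACCOUNTING TO CEO",
}
COMMENT_RE = re.compile(r"<!--\s*([A-Z][A-Z0-9 /&-]{3,})\s*-->")
WBR_RE = re.compile(r"<wbr\s*/?>", re.IGNORECASE)
# A "divider" is an <hr> or a run of ten or more -, _, = or * characters.
DIVIDER_RE = re.compile(r"<hr\b|(?:[-_=*]\s?){10,}", re.IGNORECASE)


@dataclass
class ThreadScanResult:
    section_comments: List[str] = field(default_factory=list)
    wbr_count: int = 0
    divider_count: int = 0
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption; tune it against your own mail flow.
        return self.score >= 3


def scan_html_body(html: str) -> ThreadScanResult:
    """Score one HTML body. Two or more section comments (a scripted
    conversation) is the strong signal; known campaign labels add weight;
    <wbr /> tags and dividers are weak corroborating signals."""
    result = ThreadScanResult()
    for m in COMMENT_RE.finditer(html):
        # Collapse internal/trailing whitespace so labels compare cleanly.
        result.section_comments.append(" ".join(m.group(1).split()))
    result.wbr_count = len(WBR_RE.findall(html))
    result.divider_count = len(DIVIDER_RE.findall(html))
    if len(result.section_comments) >= 2:
        result.score += 2
    if any(c in KNOWN_SECTION_COMMENTS for c in result.section_comments):
        result.score += 2
    if result.wbr_count:
        result.score += 1
    if result.divider_count:
        result.score += 1
    return result


# Constructed sample: a scripted three-message "thread" in the campaign style.
SAMPLE_FAKE_THREAD = """<html><body>
<!-- FINAL NOTICE TO ACCOUNTING -->
<p>Hi Accounts team, please see the approved invoice below and remit today.</p>
<p>-----------------------------</p>
<!-- CEO EMAIL FOLLOW-UP -->
<p>Approved, please pro<wbr />cess this as a priority.</p>
<p>-----------------------------</p>
<!-- ORIGINAL INVOICE NOTICE -->
<p>Invoice INV #[number] attached for ad spend.</p>
</body></html>"""

# Constructed sample: an ordinary client-generated forward with no markers.
SAMPLE_LEGIT_FORWARD = """<html><body><div class="gmail_quote">
<p>On Mon, Jane wrote:</p>
<blockquote><p>Attached is the signed contract.</p></blockquote>
</div></body></html>"""

if __name__ == "__main__":
    for name, body in (("fake", SAMPLE_FAKE_THREAD), ("legit", SAMPLE_LEGIT_FORWARD)):
        r = scan_html_body(body)
        print(name, r.score, r.suspicious, r.section_comments)
```

Comments are stripped by most mail clients when a real message is forwarded, which is why their presence in an apparent thread is such a strong signal; the <wbr /> and divider checks are kept as weak signals only, because legitimate newsletters also use them.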
The fake email threads typically follow a predictable pattern: an initial invoice from a purported vendor, followed by executive confirmation, and concluding with urgent payment instructions. Common subject lines include "Invoice for Ad Spend," "INV #[numbers]," and "Final Reminder Your Payment," designed to create urgency and legitimacy. The campaigns impersonate well-known brands and services, with examples including LinkedIn, various consulting firms, and advertising platforms. Each fabricated thread is customized to the target organization, incorporating actual employee names and business contexts to enhance credibility.
File Analysis
The PDF attachments show consistency in their metadata, all created using identical technical specifications: Mozilla/5.0 HeadlessChrome/138.0.0.0 with Skia/PDF m138 as the producer. File creation timestamps reveal the invoices are generated just moments before the email is sent, with identical file sizes across different campaigns pointing to automated template processing.
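The three metadata signals just described (headless-browser Creator, Skia/PDF Producer, and a CreationDate only seconds before the message's Date header) can be checked on the raw attachment bytes. Below is an added example of that check, not Mimecast's attachment analysis; the five-minute "render window" is an assumption, and the PDF bytes are a constructed skeleton whose only realistic parts are the Info dictionary entries taken from this report.

```python
"""Inspect a PDF attachment's Info dictionary for: a headless-browser Creator,
the Skia/PDF Producer, and a CreationDate only moments before the email's
Date header. Added example (not Mimecast's attachment analysis)."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

RENDER_WINDOW = timedelta(minutes=5)  # assumption for "moments before sending"


def _pdf_string(data: bytes, key: bytes) -> Optional[str]:
    """Return the literal string after /key, honouring balanced parentheses
    (legal inside PDF strings) and backslash escapes. Only plain-text Info
    dictionaries are handled; use a real PDF library for object streams."""
    idx = data.find(b"/" + key)
    start = data.find(b"(", idx) if idx >= 0 else -1
    if start < 0:
        return None
    out, depth, i = bytearray(), 0, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:                 # backslash: keep the escaped byte
            out.append(data[i + 1])
            i += 2
            continue
        if c == 0x28:                 # "(" opens a (possibly nested) string
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == 0x29:               # ")" closes one level
            depth -= 1
            if depth == 0:
                return out.decode("latin-1")
        out.append(c)
        i += 1
    return None


def parse_pdf_date(value: str) -> Optional[datetime]:
    """Parse a PDF date string (D:YYYYMMDDHHmmSSOHH'mm') into an aware datetime."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?"
                 r"(?:([Zz+-])(\d{2})?'?(\d{2})?'?)?", value)
    if not m:
        return None
    y, mo, d = (int(g) for g in m.group(1, 2, 3))
    hh, mi, ss = (int(g) if g else 0 for g in m.group(4, 5, 6))
    sign, oh, om = m.group(7, 8, 9)
    offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    if sign == "-":
        offset = -offset
    return datetime(y, mo, d, hh, mi, ss, tzinfo=timezone(offset))


def assess_pdf_attachment(pdf: bytes, email_date_header: str) -> List[str]:
    """Return human-readable findings for the attachment; empty means clean."""
    findings = []
    creator = _pdf_string(pdf, b"Creator") or ""
    producer = _pdf_string(pdf, b"Producer") or ""
    if "HeadlessChrome/" in creator:
        version = creator.split("HeadlessChrome/")[1].split()[0]
        findings.append("creator is a headless browser: HeadlessChrome/" + version)
    if producer.startswith("Skia/PDF"):
        findings.append("producer is Chromium's PDF backend: " + producer)
    created = parse_pdf_date(_pdf_string(pdf, b"CreationDate") or "")
    sent = parsedate_to_datetime(email_date_header)
    if sent.tzinfo is None:           # treat naive Date headers as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    if created is not None:
        lag = sent - created
        if timedelta(0) <= lag <= RENDER_WINDOW:
            findings.append(f"rendered {int(lag.total_seconds())}s before the Date header")
    return findings


# Constructed skeleton PDF; only the Info dictionary mirrors the report's IOCs.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Creator (Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    b"AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/138.0.0.0 Safari/537.36)\n"
    b"/Producer (Skia/PDF m138)\n/CreationDate (D:20250811083012+00'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in assess_pdf_attachment(SAMPLE_PDF, "Mon, 11 Aug 2025 08:30:45 +0000"):
        print("-", f)
```

Headless Chrome is also used by plenty of legitimate invoicing back-ends, so the Creator and Producer values alone are a weak signal; the render lag against the Date header, and the identical file size across unrelated senders noted above, are what make the combination worth a block or a quarantine.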
Across related campaigns we saw two levels of payment request. Where a generic professional service is claimed to have been provided, the amount requested is generally lower, around $4,850 - $10k. In the campaigns that impersonated well-known brands, however, we saw significantly higher requests:
- LinkedIn: ~12k - 80k
- ZoomInfo: ~50k - 90k
- Proforma: ~50k
Mimecast Protection
Mimecast has implemented comprehensive detection capabilities to identify and block emails associated with this automated BEC campaign. We continue to monitor for evolving tactics and techniques used by these threat actors to ensure our customers remain protected against this sophisticated threat. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities aid in the detection of evolving threats.
Targets:
Global organizations across all industries
Indicators of Compromise (IOCs)
Common Subject Lines:
- Effective Monthly Billing Overview
- Scalable Monthly Consulting Recap
- Overdue #INV103068 for [company]
- Final Reminder Your Payment on INV #[number]
- Invoice for Ad Spend through [dates]
Sender Domains:
- zuki.com.vc
- adspendplatf.onice.io
- consumercomplaintonline.com
- outboundemailprotecction-onmsn.com
- june1.tw
- active-r.co.jp
- Consultant.com
File Patterns:
- BS-INV-2025-0631.pdf
- DD-INV-2025-0631.pdf
- TG-INV-2025-0631.pdf
Technical Indicators:
- PDF Creator: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/138.0.0.0 Safari/537.36
- PDF Producer: Skia/PDF m138
- File sizes: Consistently 57 kB across campaigns
- HTML comments: <!-- CEO EMAIL FOLLOW-UP --> , <!-- ACCOUNTING TO CEO -->
Recommendations
Email Security Controls
- Deploy Advanced BEC Protection to identify fake email thread construction and non-standard HTML formatting patterns
- Implement attachment analysis to detect programmatically generated PDFs with suspicious metadata signatures
- Configure content examination policies to flag emails containing urgent payment requests with executive impersonation
Process Controls
- Establish multi-channel verification procedures for all invoice payments, requiring voice or in-person confirmation for urgent requests
- Implement segregation of duties for payment processing, ensuring no single individual can authorize payments based solely on email instructions
- Create standardized vendor onboarding processes that include verified contact information and payment details
User Awareness Training
- Educate finance and accounting teams on the latest BEC tactics, particularly the use of fake email threads with executive impersonation
- Conduct regular phishing simulations that specifically test recognition of fabricated conversation threads and urgent payment scenarios
- Train employees to identify suspicious technical indicators such as unusual reply-to addresses and sender domain inconsistencies.
Proactive Threat Hunting
- Search email receipt logs for the IOCs listed in this notification
- Monitor for sudden increases in invoice-related emails from new or unverified domains
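Both hunting steps can be run over an export of email receipt logs. The following is an added example of that hunt, not Mimecast tooling; the IOC domains, subject lines and attachment names are those listed above (bracketed placeholders widened to wildcards), the pipe-separated log layout, the seven-day window and the three-message threshold are assumptions, and every log line is constructed for the demo.

```python
"""Hunt over email receipt logs for the IOCs in this notification, and for
invoice-themed mail from sender domains first seen within the last week.
Added example (not Mimecast tooling); log lines are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IOC_DOMAINS = {"zuki.com.vc", "adspendplatf.onice.io", "consumercomplaintonline.com",
               "outboundemailprotecction-onmsn.com", "june1.tw", "active-r.co.jp",
               "consultant.com"}   # compared case-insensitively, subdomains included
IOC_SUBJECTS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Effective Monthly Billing Overview", r"^Scalable Monthly Consulting Recap",
    r"^Overdue #INV\d+ for ", r"^Final Reminder Your Payment on INV #\d+",
    r"^Invoice for Ad Spend through ")]
IOC_ATTACHMENT = re.compile(r"^[A-Z]{2}-INV-2025-0631\.pdf$")
INVOICE_THEME = re.compile(r"\b(invoice|overdue|payment|billing)\b", re.IGNORECASE)

# Constructed sample log: timestamp|sender|recipient|subject|attachment
SAMPLE_LOG = """\
2025-07-02T09:12:00Z|billing@trusted-vendor.example|ap@corp.example|Invoice 2188 for June|inv-2188.pdf
2025-08-04T09:12:00Z|billing@trusted-vendor.example|ap@corp.example|Invoice 2201 for July|inv-2201.pdf
2025-08-10T14:03:00Z|notice@june1.tw|ap@corp.example|Final Reminder Your Payment on INV #103068|TG-INV-2025-0631.pdf
2025-08-11T08:31:00Z|ads@mail.adspendplatf.onice.io|cfo@corp.example|Invoice for Ad Spend through 1-31 July|BS-INV-2025-0631.pdf
2025-08-08T10:00:00Z|ar@newbiz-billing.example|ap@corp.example|Overdue invoice reminder|statement.pdf
2025-08-09T10:05:00Z|ar@newbiz-billing.example|ap2@corp.example|Payment overdue, action required|statement.pdf
2025-08-10T10:10:00Z|ar@newbiz-billing.example|cfo@corp.example|Invoice attached|statement.pdf
2025-08-11T07:00:00Z|hr@corp.example|all@corp.example|Team lunch Friday|
"""


def load_records(text: str) -> List[dict]:
    """Parse the pipe-separated export into dicts with aware UTC timestamps."""
    records = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, subject, attachment = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "sender": sender, "recipient": rcpt, "subject": subject, "attachment": attachment,
        })
    return records


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def matches_ioc_domain(domain: str) -> bool:
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in IOC_DOMAINS)


def hunt_iocs(records: List[dict]) -> List[dict]:
    """Step 1: every message matching a listed domain, subject or filename IOC."""
    hits = []
    for r in records:
        reasons = []
        if matches_ioc_domain(sender_domain(r["sender"])):
            reasons.append("sender domain in IOC list")
        if any(p.search(r["subject"]) for p in IOC_SUBJECTS):
            reasons.append("IOC subject line")
        if r["attachment"] and IOC_ATTACHMENT.match(r["attachment"]):
            reasons.append("IOC attachment name")
        if reasons:
            hits.append({"ts": r["ts"], "sender": r["sender"], "reasons": reasons})
    return hits


def new_domain_invoice_spike(records: List[dict], now: datetime,
                             window: timedelta = timedelta(days=7),
                             min_count: int = 3) -> Dict[str, int]:
    """Step 2: sender domains first seen inside `window` that sent at least
    `min_count` invoice-themed messages in that window. Window and threshold
    are assumptions; size them from your own baseline."""
    cutoff = now - window
    first_seen: Dict[str, datetime] = {}
    counts: Counter = Counter()
    for r in sorted(records, key=lambda r: r["ts"]):
        d = sender_domain(r["sender"])
        first_seen.setdefault(d, r["ts"])
        if r["ts"] >= cutoff and INVOICE_THEME.search(r["subject"]):
            counts[d] += 1
    return {d: c for d, c in counts.items()
            if c >= min_count and first_seen[d] >= cutoff}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for h in hunt_iocs(recs):
        print(h["ts"].isoformat(), h["sender"], "; ".join(h["reasons"]))
    print(new_domain_invoice_spike(recs, datetime(2025, 8, 11, 9, 0, tzinfo=timezone.utc)))
```

The first-seen check is what keeps the spike detector quiet for long-standing vendors who legitimately send several invoices a week; a domain that appeared for the first time this week and is already sending repeated invoice or overdue-payment mail is the pattern worth a manual look.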