Saturday afternoon. The accounts payable inbox at a clean energy research firm receives an invoice for $15,247.75 from "Global Trade Audit, Clearing Division." The subject line is professionally formatted: invoice number, dollar amount, company name. Three PDFs are attached: the invoice itself, a memo, and a completed W-9 form with an Employer Identification Number.
For an AP clerk processing weekend invoices, this email checks every box on the verification checklist.
Invoice? Present.
Memo with context? Present.
W-9 with EIN? Present.
Bank routing details for wire transfer? Right there in the body.
The domain that sent it was two days old.
Most invoice phishing attacks are easy to spot because they're incomplete. They reference invoices without attaching them. They provide bank details without supporting documentation. They're missing the small details that real vendor communications include.
This attack was different. The attacker built a complete vendor payment package:
The invoice (INV_COMMONWEALTH_FUSION_SYSTEMS_INV-20260314-83418F.pdf): Listed a specific amount ($15,247.75), invoice number, and billed organization. AP coding included GL Account 742000, Cost Center "Enterprise Operations," and a "Non-PO Invoice" designation. These are the exact internal accounting fields that make an invoice look like it belongs in the system.
The memo (MEMO_COMMONWEALTH_FUSION_SYSTEMS_INV-20260314-83418F.pdf): Provided context for the charge. Memos are rarely included in phishing because most attackers don't know that legitimate vendor communications often include them. Their presence here signals a more sophisticated operation.
The W-9 (W9_ASLC_GROUP_SYNZA.pdf): A filled-out IRS Form W-9 for "Synza, Inc." with an EIN (38-4378893) and a Newark, Delaware address. The PDF's metadata shows it was generated with ReportLab on March 3, 2026, nine days before the sending domain was registered, so the paperwork was prepared before the infrastructure (PDF producer metadata is trivially forged, but here it is consistent with a pre-built lure). For AP teams that require W-9s before processing new vendor payments, this attachment removes the objection that would normally trigger a verification call.
The email body reinforced the ask with explicit wire transfer instructions: account number, ABA routing number, and SWIFT code for international transfers.
(According to the FBI's IC3, payment diversion through fraudulent wire instructions accounted for the majority of BEC losses in 2024.)
The sending domain, globaltradeaudit[.]org, was registered on March 12, 2026, two days before the invoice was sent. WHOIS records showed no public registrant name or organization. The domain's DNS was configured with a single critical record: an SPF include for Amazon SES (include:amazonses.com).
No DMARC policy was published, so receivers never evaluated alignment: SPF passed simply because SES is the authorized sender, and that was enough. No MX records existed for the domain (it was never set up to receive email, only to send; a reply to billing@ would have had nowhere sensible to go). This is a common pattern in purpose-built phishing infrastructure: configure just enough outbound authentication to land in inboxes, and invest nothing in the domain beyond that single campaign.
The email was sent through Amazon SES (a8-242.smtp-out.amazonses[.]com), which provided legitimate sending infrastructure and deliverability reputation. It then passed through the target organization's Mimecast gateway, which logged it with a spam score of 3 and ran impersonation protection checks. Neither the VIP impersonation check nor the Google Drive bank impersonation check triggered.
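The DNS and WHOIS posture described above is mechanically checkable. The following is an added example (not IRONSCALES, Mimecast or the campaign's own tooling) that scores a sender domain from its registration date, SPF, DMARC and MX records. The records are constructed inline from what the write-up reports; nothing is looked up live, and the SPF qualifier (`~all`), the contrasting vendor domain `example-vendor.com` and the list of bulk-sender includes are assumptions.

```python
"""Assess the DNS/WHOIS posture of a sender domain (added example).

The records below are constructed from the write-up, not resolved live.
"""
import re
from datetime import date

# Constructed records. The phishing domain mirrors the post: SPF that only
# delegates to Amazon SES, no DMARC TXT, no MX. The vendor domain is a
# hypothetical established sender used for contrast.
SAMPLE_RECORDS = {
    "globaltradeaudit.org": {
        "created": date(2026, 3, 12),
        "txt": ["v=spf1 include:amazonses.com ~all"],   # qualifier assumed
        "dmarc_txt": [],                                 # nothing at _dmarc.<domain>
        "mx": [],
    },
    "example-vendor.com": {
        "created": date(2014, 6, 1),
        "txt": ["v=spf1 mx include:_spf.google.com -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.com"],
        "mx": ["10 mail.example-vendor.com."],
    },
}

# SPF includes for third-party sending services that anyone can sign up for.
# Assumed list; extend it for the services you actually see.
BULK_SENDER_INCLUDES = {"amazonses.com", "sendgrid.net", "mailgun.org"}


def parse_spf(txt_records):
    """Return (spf_record, [include targets]) or (None, []) if no v=spf1 TXT."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            includes = re.findall(r"include:(\S+)", rec, flags=re.I)
            return rec, [i.lower() for i in includes]
    return None, []


def parse_dmarc(dmarc_txt):
    """Return the DMARC p= policy, or None if no DMARC record is published."""
    for rec in dmarc_txt:
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(\w+)", rec, flags=re.I)
            return m.group(1).lower() if m else "none"
    return None


def assess_domain(records, observed, max_age_days=30):
    """Return a list of human-readable findings for one sender domain.

    `observed` is the date the email arrived; `records` is one entry of
    SAMPLE_RECORDS (or the same shape filled from live WHOIS/DNS lookups).
    """
    findings = []
    age = (observed - records["created"]).days
    if age <= max_age_days:
        findings.append(f"domain registered {age} days before the email")

    spf, includes = parse_spf(records["txt"])
    if spf is None:
        findings.append("no SPF record")
    else:
        bulk = sorted(set(includes) & BULK_SENDER_INCLUDES)
        # Only flag when the bulk service is the *only* authorized sender:
        # a real business usually also lists its own mail servers.
        if bulk and len(bulk) == len(set(includes)) and "mx" not in spf.split():
            findings.append("SPF authorizes only a third-party bulk sender: " + ", ".join(bulk))

    if parse_dmarc(records["dmarc_txt"]) is None:
        findings.append("no DMARC policy published")

    if not records["mx"]:
        findings.append("no MX records: domain is not set up to receive mail")

    return findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs, date(2026, 3, 14)) or ["no findings"])
```

The age threshold is deliberately loose; the point is not the number but that a domain younger than your vendor-onboarding cycle cannot be an established supplier.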
| Type | Indicator | Context |
|---|---|---|
| Domain | globaltradeaudit[.]org | Sending domain (registered 2026-03-12) |
| Email | billing@globaltradeaudit[.]org | Sender address |
| IP | 54[.]240[.]8[.]242 | Amazon SES sending IP |
| Hash (MD5) | 14a55a09c779a396ff37e326fd1884f2 | W-9 PDF |
| Hash (MD5) | 9c4cf28d02369cd88732cc981a983ce8 | Memo PDF |
| Hash (MD5) | 5f0cef323a33895360f0e77ae8d043dc | Invoice PDF |
| Domain | awstrack[.]me | Tracking pixel domain |
Embedded in the email body was a 1x1 tracking pixel hosted on awstrack[.]me, an AWS-associated tracking domain. When the AP clerk opened the email, the pixel fired, notifying the attacker that the message had been read.
This isn't just surveillance. It's operational intelligence. Attackers who know their email was opened can time follow-up pressure precisely. A "friendly reminder" about the outstanding invoice, sent 48 hours after confirmed delivery, feels routine rather than aggressive. IBM's 2024 Cost of a Data Breach Report found that phishing attacks with follow-up social engineering have a significantly higher success rate than single-touch attempts.
What makes this attack dangerous isn't the presence of red flags. It's their subtlety: a domain registered two days earlier, no MX records, no DMARC, a non-PO invoice from a sender the organization had never paid. Each is visible in the headers or on the invoice, and none of them fails an authentication check.
The email from globaltradeaudit[.]org reached the target organization's inboxes, but an alert employee, Brent Bendson, reported it through the IRONSCALES reporting button, triggering investigation and quarantine. That report mattered. Because Brent flagged the email, the IRONSCALES platform could analyze the full attack chain and propagate intelligence about globaltradeaudit[.]org across its community of over 35,000 security professionals. One employee's vigilance became protection for thousands of organizations.
Require out-of-band verification for new vendors. When a W-9 and invoice arrive from a first-time sender, call a phone number you find independently (not one listed in the email) to confirm the relationship exists.
Cross-reference EINs. The IRS Tax Exempt Organization Search only covers tax-exempt entities, so it will not confirm a for-profit vendor like "Synza, Inc."; use a commercial EIN validation service and the state business-entity registry for the address on the W-9 (Delaware's, in this case). A W-9 with a valid-looking EIN doesn't mean the entity is legitimate, and even a real EIN doesn't mean the bank account in the email belongs to it.
Flag non-PO invoices from external senders. Invoices explicitly coded to bypass purchase order verification should trigger additional scrutiny, not less. Attackers know that non-PO coding reduces the number of people who need to approve payment.
Deploy behavioral email security. Domain age, sender history, attachment patterns, and community intelligence are the signals that catch what authentication alone misses. When every technical check passes, behavioral context is all that's left.
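Two of the signals above, the tracking pixel and the combination of first-time sender, W-9, non-PO coding and wire instructions in the body, can be extracted from the message itself before anyone picks up the phone. The following is an added example, not IRONSCALES, Mimecast or any vendor's detection code: it finds remote 1x1 images in the HTML body and applies the review rules from this section to a message record. The message, its routing and SWIFT values, the pixel URL path and the `known_vendor_domains` set are all constructed for the example; the 30-day age cutoff is an assumption.

```python
"""Behavioural review of an inbound invoice email (added example).

The sample message is constructed; routing/SWIFT values are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PixelFinder(HTMLParser):
    """Collect hostnames of <img> tags declared 1x1 with a remote src."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        if (a.get("width"), a.get("height")) == ("1", "1") and \
                a.get("src", "").startswith(("http://", "https://")):
            self.hosts.append(urlparse(a["src"]).hostname)


def find_tracking_pixels(html):
    p = PixelFinder()
    p.feed(html)
    return p.hosts


# Wire details keyed on their labels so random 8-letter words don't match.
ROUTING_RE = re.compile(r"\b(?:ABA|routing)\b[^0-9]{0,30}(\d{9})\b", re.I)
SWIFT_RE = re.compile(r"\bSWIFT\b[^A-Z0-9]{0,20}([A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?)\b")


def invoice_review_flags(msg, known_vendor_domains, domain_age_days, max_age_days=30):
    """Apply the AP review rules to one message record; returns a list of flags."""
    flags = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    first_time = sender_domain not in known_vendor_domains
    if first_time:
        flags.append("first-time sender: verify out of band before paying")
    if domain_age_days is not None and domain_age_days < max_age_days:
        flags.append(f"sender domain is {domain_age_days} days old")
    kinds = {a["kind"] for a in msg["attachments"]}
    if first_time and {"w9", "invoice"} <= kinds:
        flags.append("W-9 arrived with the first invoice: confirm EIN and entity independently")
    if any(a.get("coding") == "non-po" for a in msg["attachments"]):
        flags.append("non-PO invoice from an external sender: require a second approver")
    if ROUTING_RE.search(msg["text"]) or SWIFT_RE.search(msg["text"]):
        flags.append("wire instructions in message body")
    for host in find_tracking_pixels(msg["html"]):
        flags.append(f"remote 1x1 tracking image on {host}")
    return flags


# Constructed message modelled on the campaign; numbers are placeholders.
SAMPLE_MESSAGE = {
    "from": "billing@globaltradeaudit.org",
    "text": ("Please remit $15,247.75 by wire.\n"
             "Account: 000111222\nABA Routing: 123456789\nSWIFT: EXAMUS33XXX\n"),
    "html": ('<p>Please find the invoice attached.</p>'
             '<img src="https://awstrack.me/pixel.gif" width="1" height="1" alt="">'),
    "attachments": [
        {"name": "INV_...pdf", "kind": "invoice", "coding": "non-po"},
        {"name": "MEMO_...pdf", "kind": "memo"},
        {"name": "W9_...pdf", "kind": "w9"},
    ],
}

BENIGN_MESSAGE = {  # hypothetical invoice from a vendor already on file
    "from": "ar@example-vendor.com",
    "text": "Invoice 1042 attached against PO 55812. Remit as usual.",
    "html": "<p>Invoice attached.</p>",
    "attachments": [{"name": "inv1042.pdf", "kind": "invoice", "coding": "po"}],
}

if __name__ == "__main__":
    for f in invoice_review_flags(SAMPLE_MESSAGE, {"example-vendor.com"}, 2):
        print("-", f)
```

The rules are deliberately conjunctive where the page says they should be: a W-9 alone is not suspicious, a W-9 with the first invoice from an unknown domain is. The pixel check is a routing signal rather than a block on its own, since legitimate marketing mail carries them too.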