TL;DR A first-time external sender asked accounts payable and receivable mailboxes at a multinational manufacturer to confirm a $0.01 ACH test deposit. The message passed SPF, DKIM, and DMARC because it rode a legitimate, long-established vendor domain, likely through a compromised account. The one-cent amount was the tell: attackers use tiny validation deposits to confirm stolen or fabricated bank details work before moving real money. Themis flagged the behavioral mismatch and quarantined the thread. The lesson is that authentication proves origin, not intent, and payment confirmations demand out-of-band verification.
Severity: High Bec Vendor Email Compromise Credential Harvesting MITRE: T1566 MITRE: T1566.002

The email asked for one cent.

Not a wire, not a routing-number change, not a login. It landed in the accounts receivable and collections mailboxes of a multinational specialty-ingredients manufacturer with the subject ACH TEST CONFIRMATION, flagged high importance, and it made a small, reasonable request: please confirm receipt of a $0.01 ACH test deposit. It carried no links and no attachments. And it sailed through authentication clean, with SPF, DKIM, and DMARC all passing and a composite authentication score of 100.

That is exactly why it worked. A one-cent test deposit is one of the most boring things a finance team sees. It is also one of the most useful things an attacker can send. This was not a real bank micro-deposit verification. It was a dry run, a low-value ping designed to confirm that a bank account and routing pairing was live and monitored before anyone tried to move real money.

Why One Cent Is the Whole Attack

Micro-deposits are a legitimate banking mechanism. When you link a new account to a payment platform, the platform drops a few cents in and asks you to confirm the amounts. Fraudsters borrowed the pattern. A $0.01 ACH validation deposit tells an attacker two things at once: whether the account details they hold are valid and active, and whether a human on the other side will engage with an unsolicited payment message.

The moment a recipient replies to confirm, the attacker learns that the mailbox is live, that a real person is watching it, and that this person will act on ACH instructions without independent verification. That reply is the reconnaissance payload. The dollar amount is trivial on purpose, because the goal is not to steal a cent. It is to qualify a target for the fraudulent invoice or bank-detail change that comes next.

In this case, the recipients did reply. The follow-up messages in the Re: ACH TEST CONFIRMATION thread were caught and quarantined across the affected mailboxes over the following days, which cut the conversation off before it could escalate.

The Trap Was That It Was Real

The uncomfortable detail here is that the sending domain was legitimate. It was a long-established food-supplier domain registered more than two decades ago, actively used, with valid DKIM signing keys. The message authenticated because it genuinely originated on that domain's infrastructure. This is the signature of vendor email compromise, where an attacker operates from inside a trusted third party's real, authenticated mailbox rather than from a spoofed lookalike.

That distinction matters because it breaks the assumption most email defenses are built on. SPF, DKIM, and DMARC answer the question "did this message really come from the domain it claims?" They do not answer "should you trust what it is asking for?" A message sent through vendor email compromise passes all three checks by design. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in 38% of breaches, and once a real vendor mailbox is the launch point, authentication stops being a filter and starts being a credential the attacker gets to borrow.

The one behavioral fact authentication could not launder: this was a first-time sender to these mailboxes. A vendor that has never emailed your collections desk before, suddenly asking it to confirm an ACH test, is a contradiction. The message looked trustworthy and behaved like a stranger.

Reading the Signals a Gateway Missed

A traditional secure email gateway (SEG) grades on the artifacts it can see: bad links, malicious attachments, failed authentication, known-bad senders. This message had none of those. No URL to detonate, no file to sandbox, clean auth, and a domain with a spotless multi-year reputation. On paper it is indistinguishable from routine vendor correspondence.

Themis, the IRONSCALES agentic AI SOC analyst, scored it as phishing at 73% confidence by weighing behavior instead of artifacts. The combination that tipped it: a first-time external sender, an unusual payment-confirmation request, a high-importance flag, and a nominal test amount, arriving at finance role mailboxes. Adaptive AI models what normal looks like for each sender and recipient relationship, so the mismatch between "authenticated vendor domain" and "never contacted this team before, now wants an ACH confirmed" registered as anomalous even with every authentication check green.

See Your Risk: Calculate how many threats your SEG is missing

Mapped to MITRE ATT&CK, the technique is Phishing (T1566), specifically the link-and-reply reconnaissance style of Spearphishing via Service (T1566.002) adapted into a payment-confirmation pretext. The financial motive puts it squarely in business email compromise (BEC) territory, and the numbers there are not small. The FBI's 2023 Internet Crime Report attributes more than $2.9 billion in reported losses to BEC, and IBM's 2024 Cost of a Data Breach report continues to rank phishing among the costliest initial access vectors.

Indicators worth flagging

TypeIndicatorContext
SubjectACH TEST CONFIRMATIONPayment-confirmation lure, flagged high importance
Amount$0.01 ACH test depositAccount-validation ping, not a real transaction
Sender behaviorFirst-time external sender to finance mailboxesNever-before-seen relationship
AuthenticationSPF, DKIM, DMARC all pass, compauth=100Legitimate vendor domain, likely compromised
PayloadZero links, zero attachmentsNo artifact for a gateway to detonate

What Finance and Security Teams Should Change

The defense here is procedural first and technical second, because the attack targets a human decision.

Treat every payment confirmation as unverified until you verify it yourself. Do not confirm an ACH, a deposit, or a bank-detail change by replying to the email. Check the deposit directly in your banking or AP system, and reach the vendor through a phone number or portal from your own records, never from the message. A one-cent confirmation request should trigger the same out-of-band check as a six-figure wire.

Assume authentication can be borrowed. DKIM and DMARC are necessary, and you should still enforce them with active DMARC monitoring. But a passing result is not a trust decision. The 2024 Verizon DBIR identifies pretexting, most of it BEC, as the top social-engineering incident type, and vendor compromise is one of its cleanest delivery paths precisely because it authenticates.

Layer behavioral detection over the gateway. Artifact-based filtering cannot catch a payload-free message from a real domain. Anomaly detection that models sender, vendor, and payment behavior is what closes the gap on business email compromise and invoice fraud. The IRONSCALES platform pairs that Adaptive AI with a community of more than 35,000 security professionals, so a validation-ping pattern seen at one organization becomes a signal for the rest.

The attacker in this case spent one cent trying to learn whether your finance team would talk back. The cheapest control you have is a policy that says it never confirms money over email. The most durable one is a detection layer that reads intent, not just headers.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

Attack What happened
The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive)A Zoho Books invoice for $802.50 arrived four months past due, passed initial authentication checks.
The Domain Was 14 Days Old. Zoho Authenticated It Anyway.A freshly registered domain used Zoho's transactional email service to pass SPF, DKIM, and DMARC checks.
The Audit Request That Passed Every Authentication Check: How a Compromised Nonprofit Account Weaponized URL ShortenersA phishing campaign hijacked a legitimate nonprofit email account to send fraudulent audit requests with malicious URL shortener links.
Every Authentication Check Passed. The Display Name Was the Weapon.An attacker impersonated a known contact's display name from an authenticated business domain, embedding a Google Form as the data-collection vehicle.
Mimecast SafeLinks Phishing: Wrapped URLs Hide Lookalike DomainsAttackers routed a credential-harvesting link through Mimecast SafeLinks so the recipient saw a Mimecast-rewritten URL.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.