Challenge 006 Intermediate

The Vendor Invoice

Estimated time: 2-3 hours
Modules: Module 2, Module 3, Module 4

Incident Brief

Incident ID: AI-2026-06-001
Date/Time: Monday, 08 June 2026, 11:15 UTC
Report Source: Finance team verbal report
Assigned to: You

The Finance Director calls the SOC: “We received an email from Meridian Consulting updating their bank details for the quarterly invoice. It looks legitimate — it references our actual contract number and the correct invoice amount. But something feels off. The email came from their regular contact but the writing style seems different.”

The email details:

From: d.chen@meridian-consulting.com
Subject: RE: Q2 Invoice MER-2026-Q2 — Updated Banking Details
Date: Monday 08 June, 10:48 UTC

Hi Sarah,

Please note we have recently changed our banking provider. 
Our updated payment details for invoice MER-2026-Q2 (£47,250) are:

Account Name: Meridian Consulting Ltd
Sort Code: 20-45-78
Account Number: 41892067

Please process at your earliest convenience as the payment 
deadline is Wednesday.

Best regards,
David Chen
Senior Account Manager
Meridian Consulting

The Finance Director says: “David usually signs off with ‘Cheers’ not ‘Best regards’, and he would normally send this from their invoicing system, not a direct email.”


Your Investigation

Use AI to assist at each stage. For each phase, write the prompt you would use, run it, evaluate the output, and document your findings.

Phase 1: Email Analysis (30 minutes)

  1. Prompt the AI to analyse the email for BEC indicators. Provide the email text, sender information, and the Finance Director’s observations. Ask for: legitimacy assessment, social engineering indicators, and recommended immediate actions.

  2. You check the email headers (not shown to the Finance Director) and find:

Authentication-Results:
  spf=pass (sender IP matches meridian-consulting.com SPF)
  dkim=pass (valid signature for meridian-consulting.com)
  dmarc=pass
X-Originating-IP: 198.51.100.44
X-Mailer: Microsoft Outlook 16.0

SPF, DKIM, and DMARC all pass. This is not a spoofed email — it was sent from Meridian’s legitimate email infrastructure.

  3. Prompt the AI: Given that email authentication passes, what scenarios explain a legitimate-looking BEC email from a real vendor domain? What should you investigate next?

Phase 2: Vendor Account Compromise Assessment (30 minutes)

  1. You contact Meridian Consulting’s IT team. They confirm: David Chen’s M365 account was compromised via AiTM phishing 3 days ago. The adversary has been reading David’s email for 3 days, studying communication patterns with Northgate Engineering. They have not yet contained the compromise.

  2. Prompt the AI with the new context: the vendor’s account is compromised, the adversary studied 3 days of email to craft a convincing payment change request, and the vendor has not yet contained the compromise. Ask for: a complete impact assessment, a list of all Northgate Engineering communications that may be compromised, and recommended actions for both organisations.

Phase 3: Internal Exposure Assessment (30 minutes)

  1. Using your SIEM data, you find that 3 Northgate employees exchanged email with d.chen@meridian-consulting.com in the past 3 days:

     sarah.jones@northgateeng.com - 8 emails (contract discussion)
     m.patel@northgateeng.com - 3 emails (technical specifications)
     finance-team@northgateeng.com - 2 emails (invoice queries)

  2. Prompt the AI to assess the data exposure: given the adversary had read access to David Chen’s mailbox for 3 days, what information about Northgate Engineering is compromised? Consider: contract values, payment processes, technical specifications, internal contact names, and communication patterns.

  3. The adversary now knows your contract value (£47,250), your payment contact (Sarah Jones), your payment process (email-based), and your invoice reference format (MER-YYYY-QN). Prompt the AI: What additional BEC attacks could the adversary execute with this information? What should you warn the finance team about?

Phase 4: IR Report (30 minutes)

  1. Prompt the AI to generate the executive summary for this incident. The CISO needs to understand: what happened, what was the exposure, what was done, and what the financial risk was.

  2. Prompt the AI to generate improvement recommendations. Focus on: payment verification procedures, vendor communication security, and detection rules that would catch similar attacks earlier.


Solution Notes


Phase 1: The email authentication passing is the critical insight. This is not domain spoofing — the adversary is sending from the real vendor account. Most SOC analysts initially look for authentication failures. When authentication passes, the investigation shifts from “is the email spoofed?” to “is the sender’s account compromised?”

Phase 2: Vendor account compromise changes the threat model entirely. The adversary has not just sent one BEC email — they have 3 days of intelligence on your organisation’s financial processes, contract values, and communication patterns. The exposure extends far beyond the single payment change request.

Phase 3: The adversary can craft additional BEC attacks targeting different payment relationships, impersonate Northgate staff to Meridian’s other clients, or sell the intelligence to other threat actors. The recommended action is to treat ALL email communication with Meridian as potentially compromised until their containment is confirmed.

Phase 4: The key improvement is a payment verification procedure that requires out-of-band confirmation (phone call to a known number, not a number in the email) for any bank detail change. This procedural control catches BEC regardless of whether the email is spoofed or sent from a compromised account.
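A detection rule of the kind Phase 4 asks for, built on the Phase 1 insight that passing SPF/DKIM/DMARC does not clear a payment-change email but shifts the hypothesis to account compromise. This is an added example, not part of the challenge material; the sample message and the per-sender sign-off baseline are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the challenge email (not the page's own data).
SAMPLE = """\
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
From: d.chen@meridian-consulting.com
Subject: RE: Q2 Invoice MER-2026-Q2 - Updated Banking Details

Please note we have recently changed our banking provider.
Sort Code: 20-45-78
Account Number: 41892067
Please process at your earliest convenience; the deadline is Wednesday.

Best regards,
David Chen
"""

# Hypothetical baseline from earlier mail: David normally signs off "Cheers".
SIGN_OFF_BASELINE = {"d.chen@meridian-consulting.com": "cheers"}
BANK_CHANGE = re.compile(r"sort code|account number|iban|banking provider|bank details", re.I)
URGENCY = re.compile(r"earliest convenience|urgent|deadline|asap", re.I)
SIGN_OFF = re.compile(r"^(cheers|best regards|kind regards|regards|thanks),?\s*$", re.I | re.M)


def assess(raw: str) -> dict:
    """Return auth status, BEC indicators and the action the SOC should take."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    auth = str(msg.get("Authentication-Results", "")).lower()
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    indicators = [name for name, rx in (("bank_detail_change", BANK_CHANGE),
                                        ("urgency", URGENCY)) if rx.search(body)]
    found, expected = SIGN_OFF.search(body), SIGN_OFF_BASELINE.get(sender)
    if found and expected and found.group(1).lower() != expected:
        indicators.append("sign_off_mismatch")
    # A "RE:" subject without threading headers claims a reply it cannot prove.
    if subject.upper().startswith("RE:") and not (msg.get("In-Reply-To") or msg.get("References")):
        indicators.append("reply_without_thread_headers")

    if "bank_detail_change" not in indicators:
        hypothesis, action = "none", "monitor"
    elif auth_pass:  # passing authentication shifts the question to account compromise
        hypothesis, action = "sender_account_compromise", "hold_payment_verify_out_of_band"
    else:
        hypothesis, action = "domain_spoofing", "hold_payment_verify_out_of_band"
    return {"auth_pass": auth_pass, "indicators": indicators, "hypothesis": hypothesis, "action": action}
```

The action is the same whether the mail is spoofed or sent from a compromised account: the payment is held until the new details are confirmed by phone to a number already on file.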