TL;DR: Public sector procurement and finance teams are facing a BEC pattern that uses impersonation, lookalike domains, Reply-To manipulation, and AI-generated content to evade payload-centric defenses, with Proofpoint citing 40% of attacks using AI-generated content and BEC accounting for 73% of reported cyber incidents in 2024. Static detection is no longer enough when the attack is the conversation itself.
At a glance
What this is: This is an analysis of a payload-less business email compromise campaign targeting public sector procurement workflows through impersonation, domain spoofing, and reply-chain manipulation.
Why it matters: It matters because email security, fraud controls, and identity governance all fail when trust is based on message appearance rather than sender legitimacy, relationship context, and approval workflow integrity.
By the numbers:
- 40% of attacks now using AI-generated content
- BEC attacks accounted for 73% of all reported cyber incidents in 2024
- the BEC score of 100
👉 Read Proofpoint's analysis of payload-less BEC in public sector procurement
Context
Business email compromise is a fraud technique that uses impersonation and social engineering rather than malware to redirect money, approvals, or sensitive information. In this case, the primary weakness is not a malicious attachment but the assumption that a polished message, a plausible sender name, and a legitimate-looking document indicate legitimacy. That is a governance failure across email security, procurement controls, and human verification processes.
The identity angle is indirect but real. Attackers are exploiting organisational trust in external identities, reply-chain behaviour, and delegated approval workflows, which makes this relevant to IAM and fraud governance as well as SOC detection. Public sector and regulated supply chain teams are typical targets for this pattern, not an edge case.
Key questions
Q: How should security teams detect business email compromise without relying on payloads?
A: They should use behavioural signals such as sender history, thread context, request timing, and relationship baselines. Payload-less BEC often contains no malware, so content filters alone will miss it. The best controls compare the email against normal communication patterns and trigger response when the message departs from expected business behaviour.
Q: Why do traditional email security tools miss payload-less BEC attacks?
A: Traditional tools are built to detect malware, links, and known infrastructure. Payload-less BEC often contains none of those signals. The message may look clean while the fraud sits in the social engineering, so teams need behavioural analysis and business-process verification to catch it.
Q: How do security teams know whether BEC controls are actually working?
A: Look for fewer successful fraudulent approvals, faster reporting of suspicious requests, and lower dependence on email content alone for decision-making. If users still complete sensitive actions without secondary validation, the control environment is not blocking the real attack path.
Q: Who is accountable when a BEC request is sent through a trusted business workflow?
A: Accountability sits with the organisation that owns the approval path, not just the email gateway. Security, finance, procurement, and internal control owners all share responsibility for making sure payment changes, supplier updates, and contract actions require independent validation beyond the email thread.
Technical breakdown
Impersonation, lookalike domains, and reply-chain abuse
BEC campaigns often succeed by combining brand impersonation with a domain that is close enough to pass a superficial scan. A lookalike sender domain, a real organisation name in the display field, and a Reply-To mismatch can create a convincing but fraudulent conversation starter. The goal is not immediate compromise through code execution, but trust capture. Once the victim replies, the attacker can move the interaction into payment diversion, banking detail changes, or document collection. This is why message structure and relationship context matter more than link scanning alone.
Practical implication: tune email controls to compare display name, sending domain, and Reply-To identity before the message reaches procurement or finance users.
Why payload-less email bypasses static security controls
Payload-less BEC is designed to evade systems that depend on malware, suspicious links, or attachment detonation. If the message body is clean, the PDF is benign, and the domain is newly registered but not yet widely flagged, static rules can miss the threat entirely. Detection has to shift from content signatures to behaviour, reputation, and contextual anomalies. That includes sender rarity, communication history, domain age, and whether the requested action matches normal business processes. Without those signals, the attack remains invisible even when the fraud path is obvious in hindsight.
Practical implication: add behavioural and contextual detection layers to email security so clean-content fraud does not rely on signature-based gaps.
Conversation-based fraud and approval workflow misuse
The attacker’s objective in these campaigns is often to start a thread that gradually moves from a plausible request to a fraudulent payment or account-change instruction. That makes the attack a workflow abuse problem as much as an email problem. Once a trusted business conversation begins, downstream controls can be bypassed if payment verification, call-back procedures, or segregation of duties are weak. AI-generated content makes this even harder because tone and formatting no longer provide reliable suspicion cues. Security teams need to treat the conversation as the attack surface.
Practical implication: require out-of-band verification for procurement changes, supplier onboarding updates, and bank account modifications.
Threat narrative
Attacker objective: The attacker wants to convert a plausible procurement inquiry into a trusted business interaction that can be used to steal money or redirect payments.
- Entry occurs when attackers send an impersonation email from a lookalike domain that appears to originate from a government procurement contact.
- Credential access is replaced by trust capture, as the attacker uses Reply-To manipulation and clean content to steer the victim into a live conversation.
- Impact follows when the conversation pivots to fraudulent payment instructions, account changes, or other financial diversion attempts.
NHI Mgmt Group analysis
Payload-less BEC exposes a design false negative in email security: many controls are still built to detect malicious code, not fraudulent intent. When the message is the attack and there is no payload, organisations are left with a blind spot that signature-based tooling cannot close. Practitioners should treat this as a workflow assurance problem, not just an email filtering problem.
Conversation capture is the real control gap: once an attacker succeeds in moving a recipient into a reply chain, they have already bypassed the first line of defence. That means procurement, finance, and supplier-management processes need verification steps that are separate from email trust. The broader lesson is that identity assurance must extend to business communication paths, not stop at authentication.
AI-generated content is amplifying fraud realism faster than many controls can adapt: the article’s 40% figure shows how quickly adversaries are scaling the polish of impersonation. The important point is not that AI creates the fraud, but that it lowers the cost of making fraudulent requests look routine. Security programmes need stronger context scoring, not just better spam filtering.
Public sector supply chain workflows are a high-value social engineering surface: procurement and finance teams operate under repeated external contact, which makes them especially vulnerable to impersonation and urgency tactics. That combination creates fertile ground for social engineering even when technical compromise never occurs. Organisations should harden approval chains as carefully as they harden access controls.
Named concept: conversation-based fraud: this campaign demonstrates a fraud model where the objective is not initial click compromise but progression into a trusted thread that can be exploited for payment diversion. That distinction matters because the right controls are verification, segregation of duties, and relationship anomaly detection. Practitioners should reclassify email from a content channel to a business control plane.
What this signals
Conversation-based fraud will keep expanding because it sits outside many existing control models. Email filters, secure email gateways, and spam controls reduce obvious abuse, but they do not solve the trust problem created when a request itself becomes the exploit. The programme response should combine verification workflow design, identity-aware fraud controls, and detection of relationship anomalies across business communications.
Procurement and finance teams should expect more attacker investment in believable first contact. The combination of AI-generated content, lookalike domains, and carefully staged conversation starters will keep improving, which means static indicators will age quickly. Controls that inspect thread history and business process fit are more durable than controls that only inspect content.
Identity governance now reaches beyond accounts and logins into approval paths and delegated trust. That is the useful lesson for IAM and fraud teams alike: a user can be authenticated and still be manipulated through the process that user is trusted to operate. Organisations that treat approvals as part of their identity surface will be better positioned to absorb this class of fraud.
For practitioners
- Strengthen sender and reply-chain verification Correlate display name, sending domain, Reply-To header, and recent domain registration age before allowing procurement mail to reach users who can move money or approve suppliers.
- Add behavioural risk scoring for clean-content email Use relationship history, sender rarity, and organisational context to score messages that contain no malware or links but request sensitive business actions.
- Require out-of-band payment validation Mandate callback verification for bank detail changes, quote requests, and supplier onboarding updates using a known contact method outside the email thread.
- Train procurement and finance teams on conversation fraud Teach staff to treat a plausible first email as the start of an attack path, not evidence of legitimacy, especially when a reply is requested quickly.
Key takeaways
- Payload-less BEC succeeds by abusing trust and workflow, not by delivering malware or malicious links.
- Proofpoint cites 40% AI-generated content in attacks and 73% of reported cyber incidents in 2024 as evidence that social engineering is scaling.
- Organisations need context-aware email detection plus out-of-band verification for financial and supplier actions to reduce exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AT-1 | User awareness and role-specific training matter because the attack relies on social engineering. |
| NIST SP 800-53 Rev 5 | AU-6 | Review and analysis of email and workflow anomalies support detection of impersonation abuse. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access | The attack uses social engineering to gain initial trust and then capture business workflow access. |
| CIS Controls v8 | CIS-14 , Security Awareness and Skills Training | Role-based awareness is central to stopping procurement-focused impersonation scams. |
Deliver targeted training for finance and procurement teams on approval-path fraud and callback checks.
Key terms
- Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.
- Payload-less threat: An email attack that does not rely on malware, malicious links, or obvious attachments. Instead, it uses wording, timing, impersonation, and context to trigger a human action such as credential entry, payment approval, or disclosure of sensitive information.
- Reply-To Manipulation: Reply-To manipulation occurs when an attacker sets the reply address to a domain they control, even if the visible sender details appear legitimate. This tactic redirects the conversation away from the trusted organisation and into an attacker-managed thread, enabling fraud after the initial message is delivered.
- Conversation-Based Fraud: Conversation-based fraud is a scam pattern where the attacker’s goal is to begin a believable thread and gradually steer the victim toward a fraudulent action. It is effective because the risk emerges after trust is established, not at the first message, which makes simple content filters insufficient.
What's in the full article
Proofpoint's full blog covers the operational detail this post intentionally leaves for the source:
- The exact header and domain signals used to score the lookalike message as BEC, including the From and Reply-To mismatch.
- The relationship-graph and threat-intelligence logic behind the block decision, which shows how contextual email analysis works in practice.
- The content-analysis indicators tied to the agency’s PDF tagging behaviour, useful for teams tuning deeper inspection.
- The campaign history and actor tracking details that show why prior intelligence mattered to detection.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It helps practitioners connect identity controls to the operational reality of access, approval, and trust.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org