
Decode Invoice Redirection Heists in Ireland using the MITRE ATT&CK Framework

Invoice redirection fraud isn't just a financial crime. It's a social engineering masterpiece designed to bypass firewalls, antivirus software, and even the sharpest IT teams by targeting something far more vulnerable: human trust. These scams don’t ask you to click a malicious link. They ask you to believe a lie—and act on it.

Introducing the MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a globally recognised knowledge base of adversary tactics and techniques based on real-world observations. Originally developed to help cybersecurity professionals better detect and respond to sophisticated threats, it's now become a core reference in security operations and incident response.

MITRE ATT&CK breaks down the anatomy of an attack into a series of stages (called "tactics") and the methods used to accomplish each stage (called "techniques"). From phishing emails to credential abuse, ATT&CK helps organisations map their vulnerabilities and build a layered defence against real adversarial behaviours.

While often associated with advanced persistent threats or malware attacks, MITRE ATT&CK is equally valuable in understanding low-tech, high-impact fraud schemes like invoice redirection.

What is Invoice Redirection?

Invoice redirection fraud, sometimes known as Business Email Compromise (BEC), is when an attacker tricks a business into sending a legitimate payment to the wrong bank account. These scams don’t rely on ransomware or malicious macros. Instead, they rely on well-crafted pretexts—often posing as trusted vendors, contractors, or internal executives.

In the Irish public sector and nonprofit space, these attacks have led to significant losses:

  • Westmeath County Council was defrauded of €515,000 in 2024 after updating supplier bank details based on a forged email.

  • Meath County Council narrowly avoided losing €4.3 million when a suspicious transfer to a Hong Kong account was flagged and frozen.

  • Dublin Zoo lost over €500,000 in 2017 after wiring payments to an attacker-controlled account masquerading as a building contractor.

Each of these attacks had one thing in common: they required a human to be convinced. Not to click.

But to do.

Social Engineering Meets Operational Reality

Unlike traditional cyberattacks that require someone to download malware, invoice redirect scams thrive on social manipulation. The attacker’s goal is to craft a believable narrative:

"Hi, just a quick note—our bank details have changed. Can you update your records before this month’s payment?"

This is where pretexting plays a key role. Attackers invent a backstory (a pretext) that sounds familiar and plausible. They might impersonate someone from within the organisation or a trusted vendor, referencing ongoing projects or invoices to make the deception airtight.

These heists are psychological. The attacker isn’t breaching a firewall—they’re breaching protocol by relying on urgency, routine, and misplaced trust.

MITRE ATT&CK Mapping for Invoice Redirection

Even though there's no malware involved, these scams map cleanly onto the MITRE ATT&CK framework. Here’s how:

Tactic | Technique | Description
--- | --- | ---
Initial Access | Phishing (T1566.002) | The attacker spoofs or compromises an email.
Execution | User Execution (T1204) | The finance team initiates the transfer.
Persistence | Valid Accounts (T1078) | In some cases, real email accounts are used.
Command & Control | Email Collection (T1114) | Adversaries monitor real threads for context.
Impact | Data Manipulation (T1565.001) | Bank account info is deceptively updated.
Exfiltration | Exfiltration Over C2 (T1041) | Funds are transferred to offshore accounts.

This mapping shows that even "low-tech" scams are operationally complex and should be treated as cyber incidents, not just financial mistakes.

Why MITRE Helps

Using MITRE to understand these attacks offers several advantages:

  • Shared Vocabulary: Security and finance teams can speak the same language when describing threats.

  • Better Detection: Email rules and account monitoring can be aligned to known ATT&CK techniques.

  • Smarter Training: Awareness programs can focus on specific tactics like pretexting and urgency triggers.

  • Improved Response: Incident handling teams can investigate using a structured framework.
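As an added example (not code from the original post), here is a small Python triage script that puts the mapping and the "Better Detection" point into practice: it parses inbound vendor e-mails, checks for the sender and content indicators a finance inbox would want flagged, labels each finding with the ATT&CK technique ID from the table above, and holds any bank-detail change for out-of-band confirmation. The approved supplier domains, phrase lists and sample messages are constructed assumptions for this example, not real data.

```python
"""Flag invoice-redirection indicators in inbound vendor e-mail and label
each finding with the ATT&CK technique from the mapping table.

Added example: the supplier domains, phrase lists and sample messages are
constructed assumptions, not data from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist of approved supplier sending domains.
KNOWN_VENDOR_DOMAINS = {"acme-builders.example", "northern-print.example"}

# Phrases that characterise a "please update our bank details" pretext.
BANK_CHANGE_PATTERNS = [
    r"bank\s+(account\s+)?details\s+(have\s+|has\s+)?changed",
    r"new\s+(bank\s+)?account\s+(number|details)",
    r"update\s+(your|our|the)\s+(payment|bank|account)\s+(records|details)",
]
# Urgency cues the post describes as part of the pretext.
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"as\s+soon\s+as\s+possible",
                    r"\bimmediately\b", r"before\s+(this|next)\s+month"]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike_of(domain):
    """Return the approved domain that `domain` imitates, or None.
    Heuristics: the approved domain's first label embedded in a longer name
    (acme-builders-ie.example), or same length with exactly one character
    swapped (acme-bui1ders.example). Exact matches are never lookalikes."""
    if not domain or domain in KNOWN_VENDOR_DOMAINS:
        return None
    for known in KNOWN_VENDOR_DOMAINS:
        if known.split(".")[0] in domain:
            return known
        if len(domain) == len(known) and sum(a != b for a, b in zip(domain, known)) == 1:
            return known
    return None


def _matches_any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def triage(raw):
    """Parse one RFC 822 message; return findings plus a routing decision."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    body = msg.get_payload()  # samples are single-part plain text
    findings = []

    # Initial Access: lookalike or diverted sender identity.
    for label, dom in (("sender", from_dom), ("Reply-To", reply_dom)):
        mimic = _lookalike_of(dom)
        if mimic:
            findings.append(f"T1566.002 Phishing: {label} domain {dom} resembles approved {mimic}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"T1566.002 Phishing: Reply-To {reply_dom} diverts replies away from {from_dom}")

    # Impact: the actual ask is to alter stored payment details.
    bank_change = _matches_any(BANK_CHANGE_PATTERNS, body)
    if bank_change:
        findings.append("T1565.001 Data Manipulation: request to change supplier bank details")
        # Persistence / Email Collection: a genuine domain replying inside a
        # real thread is exactly what a compromised vendor mailbox looks like.
        if from_dom in KNOWN_VENDOR_DOMAINS and msg.get("In-Reply-To"):
            findings.append("T1078 Valid Accounts / T1114 Email Collection: change request "
                            "inside an existing thread from an approved domain; verify by "
                            "phone on a number already on file")
    if _matches_any(URGENCY_PATTERNS, body):
        findings.append("Pretext cue: urgency language")

    # Every bank-detail change is held until finance confirms out of band,
    # however trustworthy the sender looks.
    action = "hold_for_callback" if bank_change else "deliver"
    return {"from_domain": from_dom, "findings": findings, "action": action}


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "spoofed_reply_to": "\n".join([
        "From: Accounts <accounts@acme-builders.example>",
        "Reply-To: Accounts <accounts@acme-bui1ders.example>",
        "Subject: Updated payment details", "",
        "Hi, just a quick note, our bank details have changed. Can you update",
        "your records before this month's payment? This is urgent."]),
    "compromised_thread": "\n".join([
        "From: Accounts <accounts@northern-print.example>",
        "In-Reply-To: <20240501.1234@council.example>",
        "Subject: Re: Invoice 4471 - May print run", "",
        "Following on from the invoice above, our bank account details have",
        "changed. The new account details are in the attached letter."]),
    "benign_invoice": "\n".join([
        "From: Accounts <accounts@northern-print.example>",
        "Subject: Invoice 4471 - May print run", "",
        "Please find attached invoice 4471 for May, payable on the usual",
        "30-day terms. Thanks."]),
}


def triage_samples():
    """Run triage over every constructed sample, keyed by sample name."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name}: {result['action']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The routing decision deliberately ignores how legitimate the sender looks: the second sample carries no spoofing indicators at all, because the mail really does come from the approved domain inside a real thread, which is the Valid Accounts / Email Collection case in the table. That is why the hold-for-callback rule keys on the request itself rather than on the sender.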

Final Thoughts

As cyberattacks become more psychologically driven, understanding attacker behaviour is just as important as defending your network perimeter. Invoice redirection scams remind us that humans are the new attack surface.

And with tools like the MITRE ATT&CK framework, we now have a way to describe, defend against, and educate people on these very human-centric threats.

Don't just protect your endpoints. Protect your inbox, your workflows, and most of all—your people.

🔥 Tooling Roundup

Some interesting tools to experiment and play with:
  • Pretext Toolkit

    • What it does: A mind-mapping tool and prompt generator for building believable phishing and pretexting scenarios.

    • Why it’s useful: Great for social engineering tabletop exercises or awareness training tied to real-world business scenarios.

    • GitHub: https://github.com/mrd0x/Pretext

  • GoPhish

    • What it does: Open-source phishing simulation framework.

    • Why it’s useful: Send fake invoice-style emails to staff to test and train their resistance to pretext-driven attacks.

    • Website: https://getgophish.com

Did You Know? In October 2010, An Garda Síochána’s Bureau of Fraud Investigation (CBFI) revealed a criminal network targeting commercial and charity bank accounts across Ireland. Using stolen cheque books lifted from the postal system in both Ireland and the UK, the gang crafted forged documents instructing banks to transfer large sums abroad—from legitimate business and charity accounts. Over just five months, victims lost a staggering €160,000, and police foiled attempts to steal a further €1.3 million. Raids in Drogheda and Galway uncovered forged cheques, stolen cheque books, and even equipment used for manufacturing counterfeit credit cards.

Till next time,

John

Disclaimer: All of the above tools should only be used in controlled, ethical environments — such as red team engagements, security testing, or awareness training. Using these tools without permission is illegal and unethical. Just so you know.