Supply Chain Phishing: How Attackers Exploit Vendor Relationships?

Key Takeaways:

While cybercriminals often attack supply chains by embedding malicious code into third-party software, there's another form happening right in your inbox, and it is much harder to spot: Supply chain phishing.

Cybercriminals exploit familiar vendor emails and trusted business relationships, making supply chain phishing one of today’s most insidious supply chain cyber threats. According to the 2025 Verizon Data Breach Investigations Report (DBIR), third-party involvement in breaches doubled year over year, from 15% to 30% of the breaches analyzed. That’s enough to make anyone double-check their inbox. Even scarier, supply chain attacks are increasingly hitting identity management vendors, giving attackers a way to compromise multiple organizations at once.




What is supply chain phishing?

So what is a supply chain cyberattack? It’s any malicious attempt to compromise an organization by targeting its vendors, partners, or third-party services.

Supply chain phishing, also called vendor phishing and closely related to business email compromise (BEC), occurs when attackers compromise a legitimate third-party vendor, partner, or service provider and then use that foothold to phish the vendor’s customers or partners. These messages arrive from expected sources, often real mailboxes you recognize, and concern routine business: invoices, contract renewals, shared files, software updates.

Take this, for instance: You’ve trained employees to watch for messages from unfamiliar addresses asking them to wire money. With supply chain phishing, the message comes from a vendor employee’s real mailbox, so it passes SPF, DKIM, and DMARC and looks exactly like the last ten messages from that vendor.

The details matter here. Your vendors have the keys to your front door. Compromise one vendor, and attackers gain a foothold into dozens or hundreds of that vendor’s customers, all cloaked in legitimate communication that sidesteps the cues security awareness training teaches people to look for.



How supply chain phishing works


To understand how it works, you need to know the complete playbook attackers use:

Stage 1: Vendor compromise 

Attackers first compromise a real vendor or service provider, typically via phishing, credential theft (including reused passwords and infostealer logs), or exploiting a vulnerability. They gain access to the vendor’s email system, customer list, or other communication channels. In some cases, attackers compromise the vendor’s infrastructure and push poisoned updates or malicious links directly through official channels.

Stage 2: Reconnaissance 

After gaining access, the attackers use the stolen account to study the vendor’s communication style: who talks to whom, which invoices are due, what the signature block and invoice template look like. The more they learn, the better they can craft messages that are indistinguishable from the vendor’s genuine correspondence.

Stage 3: The attack 

Armed with both access and knowledge, attackers can now get to work. Tactics include:

  • Invoice fraud: Sending fake invoices with modified bank account details for payment.

  • Credential harvesting: Distributing links to fake login pages that mimic the vendor's services.

  • Malware delivery: Pushing "updates" or "patches" that actually contain ransomware or spyware.

  • BEC: Impersonating vendor executives to request urgent wire transfers or sensitive data.

Attackers often combine several phishing types in a single campaign. For example, they may use spear phishing to target key vendor contacts, whaling to impersonate executives in payment requests, smishing (SMS phishing) to reach field vendors by text, and BEC to send fake invoices from legitimate vendor domains.
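To make the Stage 3 tactics concrete, here is an added example (not code from the original article or from Huntress) that triages inbound vendor mail for the signals each tactic leaves behind: a lookalike sender or link domain for credential harvesting, a Reply-To that diverts the conversation, remittance details that differ from the vendor master record for invoice fraud, and pressure language. The vendor master record, the three sample messages, and the confusable-character table are constructed for illustration, and the registrable-domain helper is deliberately naive (a real implementation would use the public suffix list). Note which checks fire for the compromised-account case: the sender domain is genuine, so only the Reply-To, payment-detail and urgency checks catch it.

```python
"""Triage inbound vendor email for supply chain phishing signals.

Added example, not part of the original article or of Huntress tooling.
The vendor master record, sample messages and confusable table are
constructed for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed vendor master record: the sending domain and the remittance
# account you hold on file. This record, never the email, is the source of truth.
VENDOR_MASTER = {"acme-supplies.com": {"iban": "GB29NWBK60161331926819"}}

# Cyrillic letters that render like Latin ones, mapped back to Latin.
CYRILLIC_LOOKALIKES = str.maketrans("аеорсху", "aeopcxy")
URGENCY = re.compile(r"\b(urgent|immediately|today|overdue|final notice)\b", re.I)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass
class Message:
    sender: str     # address in the From header
    reply_to: str   # Reply-To address, or "" when absent
    body: str


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); real code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def normalize_domain(domain: str) -> str:
    """Collapse the tricks lookalike registrations rely on into plain ASCII."""
    d = unicodedata.normalize("NFKD", domain.lower().strip())
    d = "".join(c for c in d if not unicodedata.combining(c))   # é -> e
    d = d.translate(CYRILLIC_LOOKALIKES)
    d = d.replace("rn", "m").replace("vv", "w")                 # rn -> m, vv -> w
    return d.translate(str.maketrans("01|", "oll"))             # 0 -> o, 1 and | -> l


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_vendor(host: str):
    """Return (vendor_domain, is_genuine) for a known vendor or a lookalike, else None."""
    domain = registrable(host)
    if domain in VENDOR_MASTER:
        return domain, True
    norm = normalize_domain(domain)
    for vendor in VENDOR_MASTER:
        if norm == vendor or levenshtein(norm, vendor) <= 2:
            return vendor, False
    return None


def triage(msg: Message) -> list[str]:
    """Return the phishing signals present in one message (empty list = clean)."""
    findings = []
    from_host = msg.sender.rsplit("@", 1)[-1]
    hit = match_vendor(from_host)
    vendor = hit[0] if hit else None
    if hit and not hit[1]:
        findings.append(f"lookalike sender domain {from_host} (mimics {vendor})")
    if msg.reply_to and registrable(msg.reply_to.rsplit("@", 1)[-1]) != registrable(from_host):
        findings.append(f"reply-to diverted to {msg.reply_to}")
    for host in URL_HOST.findall(msg.body):
        link = match_vendor(host)
        if link and not link[1]:
            findings.append(f"link to lookalike host {host}")
    for iban in IBAN.findall(msg.body):
        if vendor and iban != VENDOR_MASTER[vendor]["iban"]:
            findings.append(f"remittance IBAN {iban} differs from the record on file")
    if URGENCY.search(msg.body):
        findings.append("pressure language")
    return findings


# Constructed samples: a genuine invoice, the same sender after mailbox
# compromise, and a credential-harvest lure from a lookalike domain.
SAMPLES = {
    "genuine": Message("billing@acme-supplies.com", "",
        "Invoice 4471 attached. Please remit to GB29NWBK60161331926819 as usual."),
    "compromised_account": Message("billing@acme-supplies.com", "billing.acme@outlook-mail.example",
        "URGENT: our bank has changed. Remit invoice 4471 today to DE89370400440532013000."),
    "lookalike_domain": Message("portal@acrne-supplies.com", "",
        "Your account is overdue. Sign in at https://login.acrne-supplies.com/auth to review."),
}


def triage_all() -> dict[str, list[str]]:
    return {name: triage(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in triage_all().items():
        print(f"{name}: {found or ['no signals']}")
```

Run it directly to see the findings per sample. The IBAN comparison is the check that matters most in practice: it is the only one that still fires when the attacker has a real mailbox and writes in the vendor's own voice, which is why the record on file, not the email, has to be the source of truth for payment details.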




Why supply chain phishing is so effective

Supply chain phishing succeeds because of one word: Trust. Existing vendor relationships create blind spots that employees often overlook.

Your finance team doesn't scrutinize invoices from accounting vendors the way they would suspicious emails from strangers. Your IT team installs “urgent updates” without question.

Attackers weaponize this blind trust mercilessly. They know that once they breach one vendor, they inherit the relationships and credibility that vendor has built with all of its customers. Email filters let the messages through because they come from a real, authenticated mailbox rather than a spoofed one, and standard security training rarely prepares employees for threats from familiar sources.



Real-world supply chain cyberattack examples

Here are real-world examples of supply chain phishing and of broader supply chain attacks:

  • Kaseya (VSA ransomware attack): In July 2021, attackers exploited vulnerabilities in Kaseya VSA, the remote monitoring and management tool sold by this MSP software provider, and used the tool’s own update mechanism to deploy REvil ransomware. The ransomware spread to around 30 MSPs and impacted hundreds of their customers’ environments. Attackers demanded a total of $70 million USD in exchange for a universal decryptor.

  • Google and Facebook (invoice fraud at scale): From 2013 to 2015, Evaldas Rimasauskas combined phishing and invoice fraud to impersonate Quanta Computer, a Taiwanese hardware manufacturer that both companies actually did business with, and emailed fake invoices and forged contracts to Google and Facebook. Over two years they paid him more than $120 million before authorities arrested him and charged him with wire fraud, money laundering, and aggravated identity theft.

  • The trusted vendor credential harvest: Attackers register lookalike domains of well-known SaaS services (a swapped letter, an added hyphen, a different top-level domain) and send links that land users on fake authentication pages. In the third quarter of 2024, Microsoft was the most impersonated brand, appearing in over 60% of brand phishing attempts, with Apple (12%) and Google (7%) in second and third place.

  • The contractor connection: Attackers have also targeted HR and payroll systems like Workday, then used the employee information they obtained (specific projects, managers’ names, and other accurate details) to lend legitimacy to highly convincing spear phishing emails and phone calls.



Defense strategies against supply chain phishing

Safeguarding your organization from supply chain cyberattacks means you need to follow a comprehensive strategy:

Implement strict verification protocols 

Verify any request to change payment details, contact information, or delivery instructions through a channel you already have on file (a phone number from the vendor master record, never one taken from the email itself), and require two separate approvers before a payment change takes effect.

Deploy identity threat detection and response 

Traditional email security struggles to identify supply chain phishing because the messages come from a real, compromised mailbox: SPF, DKIM, and DMARC all pass, and the sender has a clean reputation. This makes Managed ITDR essential. Our solution detects abnormal authentication activity (sign-ins from new locations or networks, impossible travel), lateral movement to sensitive systems, and other abnormal behavior that indicates attackers are leveraging a compromised vendor account to attack your organization.
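As an added example of the kind of correlation such detection relies on (this is illustrative code, not Huntress ITDR logic), the script below walks a constructed identity-provider log for a vendor service account and raises alerts when a sign-in departs from the account's baseline (new country, new network, impossible travel) and when that same account then touches a sensitive application for the first time inside a correlation window. The baseline, the sensitive-application list, both windows and the log lines are all assumptions made for the illustration; an internal user's event is included to show that the rule scopes itself to third-party accounts.

```python
"""Correlate vendor-account sign-ins with sensitive access to spot account takeover.

Added example, not Huntress ITDR code. The baseline, the sensitive-application
list, the windows and the log lines are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: where each third-party account normally signs in from.
BASELINE = {"svc-acme@partner.example": {"countries": {"GB"}, "asns": {"AS2856"}}}
SENSITIVE_APPS = {"Finance-ERP", "Payroll", "Domain-Admin-Portal"}
TRAVEL_WINDOW = timedelta(hours=1)        # two countries inside this window is not travel
CORRELATION_WINDOW = timedelta(hours=2)   # anomalous sign-in -> sensitive access

# Constructed log lines in the shape of a generic identity-provider export.
LOG = """
{"ts":"2025-03-03T08:02:11Z","user":"svc-acme@partner.example","event":"signin","country":"GB","asn":"AS2856","app":"Vendor-Portal"}
{"ts":"2025-03-03T08:05:40Z","user":"svc-acme@partner.example","event":"access","country":"GB","asn":"AS2856","app":"Vendor-Portal"}
{"ts":"2025-03-03T08:31:02Z","user":"svc-acme@partner.example","event":"signin","country":"NG","asn":"AS37148","app":"Vendor-Portal"}
{"ts":"2025-03-03T09:12:55Z","user":"svc-acme@partner.example","event":"access","country":"NG","asn":"AS37148","app":"Finance-ERP"}
{"ts":"2025-03-03T09:20:10Z","user":"svc-acme@partner.example","event":"access","country":"NG","asn":"AS37148","app":"Payroll"}
{"ts":"2025-03-03T10:00:00Z","user":"alice@corp.example","event":"access","country":"GB","asn":"AS2856","app":"Payroll"}
"""


def parse(log_text: str) -> list[dict]:
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text: str) -> list[dict]:
    """Return alerts for third-party accounts; internal users are out of scope here."""
    alerts = []
    last_signin: dict[str, dict] = {}        # user -> most recent sign-in event
    flagged_at: dict[str, datetime] = {}     # user -> time of last anomalous sign-in
    seen_apps = defaultdict(set)             # user -> apps touched so far in this log
    for ev in parse(log_text):
        user, ts = ev["user"], ev["ts"]
        base = BASELINE.get(user)
        if base is None:
            continue
        if ev["event"] == "signin":
            reasons = []
            if ev["country"] not in base["countries"]:
                reasons.append(f"new country {ev['country']}")
            if ev["asn"] not in base["asns"]:
                reasons.append(f"new network {ev['asn']}")
            prev = last_signin.get(user)
            if prev and prev["country"] != ev["country"] and ts - prev["ts"] < TRAVEL_WINDOW:
                reasons.append(f"impossible travel {prev['country']}->{ev['country']}")
            if reasons:
                flagged_at[user] = ts
                alerts.append({"severity": "medium", "user": user,
                               "ts": ts.isoformat(), "reason": "; ".join(reasons)})
            last_signin[user] = ev
        elif ev["event"] == "access" and ev["app"] in SENSITIVE_APPS:
            first_time = ev["app"] not in seen_apps[user]
            after_flag = user in flagged_at and ts - flagged_at[user] <= CORRELATION_WINDOW
            if first_time or after_flag:
                why = []
                if first_time:
                    why.append(f"first access to {ev['app']}")
                if after_flag:
                    why.append("within window of anomalous sign-in")
                alerts.append({"severity": "high" if after_flag else "medium", "user": user,
                               "ts": ts.isoformat(), "reason": "; ".join(why)})
        seen_apps[user].add(ev["app"])
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(a["severity"].upper(), a["ts"], a["user"], a["reason"])
```

The escalation to high severity comes from the join, not from either signal alone: a vendor account signing in from a new country is noisy on its own, and a first visit to the finance system might be legitimate onboarding, but the two within the same two hours is the pattern a compromised vendor account produces.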

Educate employees about supply chain risks 

Security awareness training only works if it covers the threats employees actually face. Make sure employees know that an email from a known vendor is not automatically safe. Train them to spot the telltale signs even when the sender is familiar: unusual urgency or tone, unexpected attachments or macro-enabled documents, changed payment or contact details, and links or requests that fall outside normal processes.

Monitor for vendor compromises 

Monitor your vendors’ security incidents. Track vendor security alerts and breach disclosures, and maintain an inventory of third-party dependencies (which vendors hold accounts, integrations, or data access in your environment) so you can assess the impact of a vendor breach quickly.

Segment access and apply least privilege 

Restrict what vendors can reach and do within your environment. A vendor that needs one data set or one application should not have access to everything. Segment your network, apply least-privilege access controls (scoped, time-bound accounts rather than standing administrative rights), and audit vendor access levels on a regular basis.
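The audit step can be automated. The following is an added example (not Huntress code) that joins an exported access inventory against each vendor's contracted scope and flags grants that are outside that scope, privileged, unused for more than 90 days, expired, or never expiring, then recommends revoke or review for each. The scope table, the inventory, the privileged-role set and the 90-day threshold are constructed for the illustration; a real run would pull scope from the vendor register and grants from the identity provider.

```python
"""Audit third-party access grants against least privilege.

Added example, not Huntress code. The contract scopes, the access inventory,
the privileged-role set and the 90-day threshold are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed contract scope: the systems each vendor is engaged to work in.
VENDOR_SCOPE = {
    "Acme Supplies": {"Vendor-Portal", "Ticketing"},
    "Payroll Co": {"Payroll"},
}
PRIVILEGED_ROLES = {"Owner", "Admin", "Global Administrator"}
STALE_AFTER = timedelta(days=90)

# Constructed access inventory in the shape of an identity-provider export.
GRANTS = [
    {"vendor": "Acme Supplies", "principal": "svc-acme@partner.example",
     "system": "Vendor-Portal", "role": "Contributor", "last_used": "2025-02-20", "expires": "2025-12-31"},
    {"vendor": "Acme Supplies", "principal": "svc-acme@partner.example",
     "system": "Finance-ERP", "role": "Reader", "last_used": "2024-09-01", "expires": None},
    {"vendor": "Payroll Co", "principal": "pc-support@payrollco.example",
     "system": "Payroll", "role": "Admin", "last_used": "2025-03-01", "expires": "2025-06-30"},
    {"vendor": "Unknown Contractor", "principal": "temp-dev@gmail.example",
     "system": "Ticketing", "role": "Reader", "last_used": "2025-03-02", "expires": "2025-04-01"},
]


def audit(grants: list[dict], today: date) -> list[dict]:
    """Return one finding per grant that violates scope, privilege, use or expiry rules."""
    findings = []
    for g in grants:
        issues, revoke = [], False
        # A vendor missing from the register has no contracted scope at all.
        if g["system"] not in VENDOR_SCOPE.get(g["vendor"], set()):
            issues.append("outside contracted scope")
            revoke = True
        if g["role"] in PRIVILEGED_ROLES:
            issues.append("privileged role")
        idle = today - date.fromisoformat(g["last_used"])
        if idle > STALE_AFTER:
            issues.append(f"unused for {idle.days} days")
            revoke = True
        if g["expires"] is None:
            issues.append("no expiry")
        elif date.fromisoformat(g["expires"]) < today:
            issues.append("expired but still granted")
            revoke = True
        if issues:
            findings.append({"principal": g["principal"], "system": g["system"], "role": g["role"],
                             "issues": issues, "action": "revoke" if revoke else "review"})
    return findings


if __name__ == "__main__":
    for f in audit(GRANTS, date.today()):
        print(f["action"].upper(), f["principal"], f["system"], f["role"], "; ".join(f["issues"]))
```

Out-of-scope and stale grants are the ones to cut without discussion, since nobody is relying on them; privileged roles inside scope go to a human, because the question there is whether the vendor's task really needs that level of access or whether a scoped, time-bound role would do.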




Protect your supply chain with Huntress

You can't stop working with vendors, but you can stop giving attackers easy wins.

Huntress offers Managed ITDR, Managed SAT, and Managed SIEM capabilities that work together to secure your organization from supply chain compromise. Our platform detects anomalous vendor access and trains your team to spot even trusted-source threats.

Take control of your supply chain security. Try a Huntress demo and experience how our platform detects and stops threats before they reach you.



