Cyber Incident Victim: Datrix
Date: Nov 2019
Location: United Kingdom
Summary
A cloud communications company experienced a phishing attack after an employee inadvertently clicked a malicious link from a compromised supplier, enabling attackers to access internal emails. The perpetrators targeted finance personnel with fraudulent payment requests via a spoofed domain resembling the legitimate corporate address. Approximately 300 customers' contact details were exposed through compromised correspondence, though rapid containment prevented thousands of additional malicious emails. The organization promptly disabled the affected account, notified impacted parties to delete suspicious messages containing "new project" in subject lines, and conducted direct outreach to verify awareness. The incident highlighted attackers' exploitation of a single compromised account to initiate financial fraud attempts and unauthorized communications.
Description
On November 28, 2019, London-based cloud communications firm Datrix experienced a phishing attack after an employee inadvertently clicked a malicious link while reviewing emails on a mobile device. The link originated from a compromised email account belonging to one of Datrix’s suppliers. This action granted attackers access to the employee’s inbox, enabling them to read internal emails and target the finance department with fraudulent payment requests. The attackers impersonated Datrix using a deceptive domain (datrlx.co.uk, substituting a lowercase 'l' for 'i') to send fake invoices designed to divert company funds. Approximately 300 customers, whose contact details were exposed through the compromised email account, also received phishing emails from the attackers during the breach.

Datrix detected the intrusion rapidly and disabled the compromised email account within 15 minutes, preventing the transmission of several thousand additional fraudulent emails. The company notified affected customers via email, instructing them to permanently delete any suspicious messages with “new project” in the subject line and to remain vigilant for further fraudulent activity. Datrix representatives followed up with direct phone calls to all recipients of the phishing emails to reinforce the warning. Company chairman Rob Wirszycz characterized the attack as “sophisticated” and “factory-like,” acknowledging the attackers’ operational efficiency while commending his team’s swift containment response. The incident exposed limited customer contact details but did not result in confirmed financial losses or broader system compromises beyond the initial email account breach.
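
The spoofed sender domain described above (datrlx.co.uk, with 'l' in place of 'i') is something a mail-filtering rule can flag before a payment request reaches finance staff. The following Python check is an added example, not part of the original incident record. It assumes datrix.co.uk as the protected domain, inferred from the page's description of the substitution; the confusable map, the distance threshold and the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption: protected domain inferred from the page's description of the spoof.
PROTECTED = {"datrix.co.uk"}

# Constructed, non-exhaustive fold of visually similar characters.
FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(domain: str) -> str:
    """Collapse look-alike glyphs so that datrlx and datrix compare equal."""
    return domain.lower().replace("rn", "m").translate(FOLD)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a From header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unrelated"
    for good in PROTECTED:
        # Exact match or a subdomain of the protected domain.
        if domain == good or domain.endswith("." + good):
            return "legitimate"
    for good in PROTECTED:
        # Same skeleton (homoglyph swap) or a single-character typo.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unrelated"


# Constructed sample headers; only datrlx.co.uk appears on the page.
SAMPLES = ["Accounts <accounts@datrix.co.uk>", "Accounts <accounts@datrlx.co.uk>",
           "billing@datrixx.co.uk", "News <news@example.org>"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):<11} {header}")
```

A check like this only inspects the visible From domain; it complements SPF, DKIM and DMARC evaluation rather than replacing it.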
