Scripted Sparrow Leverages Automation to Efficiently Generate and Dispatch Attack Messages
Researchers from Fortra Intelligence and Research Experts (FIRE) first observed the group in June 2024, with activity peaking in September 2025. In total, Fortra’s Suspicious Email Analysis (SEA) team linked 496 unique engagements to the threat actors.
While this may seem modest, analysts estimate these incidents represent just a fraction of the group’s actual activity.
Using data correlations from Fortra’s Cloud Email Protection (CEP) service, the researchers estimated that Scripted Sparrow may have sent millions of emails each month, with September 2025 attacks alone exceeding 6.6 million messages.
The group’s primary technique involves impersonating executive coaching or leadership training consultancies.
They target Accounts Payable staff within victim organizations using spoofed reply-chain emails that appear to involve company executives. Early campaigns included two PDF attachments: an invoice with ACH or wire transfer instructions, and a W-9 form.
More recent variants omit attachments entirely and trick recipients into replying about the “forgotten invoice,” so the attackers expose mule accounts only after a target engages.
Scripted Sparrow relies heavily on automation and custom domain registrations to scale its operations.
The group uses both free webmail accounts and domains registered primarily through NameSilo and Dynadot.
Fortra identified 119 malicious domains, 245 email addresses, and 256 bank accounts associated with fraudulent activity. Around 76% of their PDF invoices were generated using the Skia rendering engine, indicating script-based automation for document creation.
For communication, the actors also appear to use Telegram, as evidenced by TelegramBot user-agent strings identified in some server logs.
This behavior suggests that links shared in Telegram chats triggered Telegram’s preview crawler, confirming the platform’s use.
Through advanced browser fingerprinting and geolocation analysis, Fortra traced Scripted Sparrow members to Nigeria, South Africa, Türkiye, Canada, and the United States.
The group often attempts to mask its locations using Remote Desktop Protocol and location-spoofing tools, though inconsistencies in its data suggest limited technical sophistication.
Researchers observed a shift in the gang’s methods from generic “Dear Customer” messages to personalized, multilingual campaigns.
A recent attack written in Swedish, requesting a smaller payment of €9,905, signals potential testing of new regional markets.
Fortra warns that Scripted Sparrow may soon integrate generative AI into its schemes to enhance message authenticity and scaling.
Organizations are urged to verify vendor invoices through official channels and to remain cautious about reply-chain emails that may be spoofed to mimic internal approval.
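For mail teams, the traits described above (a reply-style message with a quoted executive "thread" and PDF invoices produced by Skia) can be turned into triage signals. The following is an added example, not code from Fortra or the original article. The finding labels, the sample messages and the assumption that the Skia trait appears in the PDF `/Producer` field are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

REPLY_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
QUOTED_FROM = re.compile(r"^>*\s*From:.*?@([\w.-]+)", re.I | re.M)
PRODUCER = re.compile(rb"/Producer\s*\(([^)]*)\)")  # uncompressed Info dictionary only

def _domain(header) -> str:
    return header.addresses[0].domain.lower() if header and header.addresses else ""

def triage(raw: bytes) -> list[str]:
    """Return heuristic findings for one message (triage signals, not verdicts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # A genuine reply carries In-Reply-To/References; a pasted-in "thread" does not.
    threaded = msg["In-Reply-To"] or msg["References"]
    if REPLY_SUBJECT.match(msg["Subject"] or "") and not threaded:
        findings.append("reply-subject-without-thread-headers")
    # Quoted header naming the recipient's own domain, sent from another domain.
    sender, rcpt = _domain(msg["From"]), _domain(msg["To"])
    body = msg.get_body(preferencelist=("plain",))
    quoted = {d.lower() for d in QUOTED_FROM.findall(body.get_content() if body else "")}
    if rcpt and rcpt in quoted and sender != rcpt:
        findings.append("quoted-internal-sender-from-external-domain")
    # PDF attachment whose Producer metadata names Skia (browsers printing to
    # PDF also emit this, so it is a weak signal on its own).
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            m = PRODUCER.search(part.get_content())
            if m and b"skia" in m.group(1).lower():
                findings.append(f"pdf-producer-skia:{part.get_filename()}")
    return findings

def sample_spoofed() -> bytes:
    """Constructed message: reply subject, quoted executive text, no thread headers."""
    m = EmailMessage()
    m["From"], m["To"] = "Billing <billing@coaching.example>", "ap@victim.example"
    m["Subject"] = "RE: Leadership coaching invoice"
    m.set_content("See below.\n\n> From: CEO <ceo@victim.example>\n> Please pay this.\n")
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Producer (Skia/PDF m128) >>\nendobj\n%%EOF\n"
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()

def sample_genuine() -> bytes:
    """Constructed message: an internal reply with proper threading headers."""
    m = EmailMessage()
    m["From"], m["To"] = "pat@victim.example", "ap@victim.example"
    m["Subject"], m["In-Reply-To"] = "Re: Q3 close", "<1@victim.example>"
    m.set_content("Approved.\n")
    return m.as_bytes()
```

Each finding alone is common in legitimate mail, so treat them as inputs to a review queue for Accounts Payable mailboxes rather than as block rules.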
The post Scripted Sparrow Leverages Automation to Efficiently Generate and Dispatch Attack Messages appeared first on Cyber Security News.