Quick Answer: Emails from system@sent-via.netsuite.com come from legitimate Oracle NetSuite email infrastructure, but threat actors are abusing the platform to send invoice-themed phishing and spam. Because these messages can pass SPF, DKIM, and DMARC, they often slip past email filters. Treat any unexpected invoice from this sender as suspicious until verified through a trusted channel.
What Did the SOC Observe?
ProArch SOC observed multiple invoice-related emails delivered from the sender address system@sent-via.netsuite.com across monitored environments. While the sender display names varied between messages, the sender email address remained consistent.
This activity is worth monitoring because similar invoice-themed campaigns have been associated with spam and phishing attempts that leverage trusted business platforms to increase legitimacy.
What Is Happening in These NetSuite Invoice Emails?
The following characteristics were identified during the investigation:
- Multiple emails were received with different sender display names.
- All messages originated from the sender address: system@sent-via.netsuite.com
- All observed emails contained invoice-related attachments.
- The emails were themed around invoices, billing notifications, or payment requests to create fake sense of urgency.
- The sender address is associated with legitimate NetSuite email delivery services; however, threat actors, in the past, have abused trusted business platforms to distribute malicious or unwanted content.
What Indicators Should Security Teams Look For?
- Sender Address: system@sent-via.netsuite.com
- Theme: Invoice / Billing Notifications
- Attachment Type: Invoice-related attachments
- Behavior: Varying display names with a consistent sender address
Why Do Invoice-Themed Phishing Emails Matter?
Invoice-themed phishing and spam campaigns continue to be effective because they target common business processes and encourage recipients to open attachments or review payment information.
If users interact with malicious attachments or fraudulent invoices, organizations may face risks including malware infections, credential theft, financial fraud, and unauthorized access to corporate resources. The use of trusted business platforms can also reduce user suspicion and increase the likelihood of successful compromise.
How Should Organizations Respond to Suspicious Invoice Emails?
- Verify unexpected invoices with the sender through a trusted communication channel before opening attachments.
- Train employees, particularly finance and accounts payable teams, to identify suspicious invoice-related emails.
- Review email security controls to detect and flag suspicious invoice-themed messages.
- Scan all email attachments using approved security tools before opening.
- Monitor for unusual user activity following interaction with invoice-related emails.
- Encourage users to report suspicious invoice emails to the Security Operations Center for review.
How ProArch Helps Strengthen Detection and Response
Organizations need continuous monitoring capabilities to such email-based phishing and spam campaigns. With managed cybersecurity services and 24/7 threat detection and response, ProArch helps:
- Monitor and respond across endpoints, identity, cloud, and AI workloads with Microsoft Security tools.
- Use Microsoft Defender XDR and Microsoft Sentinel for cost-effective protection.
- Apply custom spam detection rules across cloud and hybrid environments to reduce inbox exposure.
If you’re seeing similar invoice-themed emails, ProArch’s cybersecurity experts can help assess your exposure and strengthen detection readiness.