India’s securities regulator has warned that a sophisticated cybercrime campaign is targeting corporations by combining AI-powered deepfake impersonation with Windows-specific malware that hijacks WhatsApp accounts to authorize fraudulent fund transfers. The advisory, issued by the Securities and Exchange Board of India (SEBI) on July 17, describes a two-pronged ‘Boss Scam’ that exploits the trust employees place in executive communication and the pervasiveness of messaging apps on corporate endpoints.
Acting on intelligence from the Indian Cyber Crime Coordination Centre (I4C), SEBI urged listed companies and regulated entities to immediately strengthen internal verification processes. The warning is relevant far beyond India’s borders: it’s a blueprint for how attackers are weaponizing everyday business tools — Microsoft Teams, WhatsApp, email, and even cloud-hosted contact lists — to bypass traditional defenses.
The ZIP File Trap That Opens the Door to Your Company’s Finances
One attack path begins without a single phone call or urgent email. Instead, an employee receives a compressed (.zip) file, often through a messaging platform. Inside, according to SEBI, are two files: an executable (.exe) and a dynamic link library (.dll). Once extracted and run on a Windows machine, this payload acts as a Trojan dropper, silently installing malware capable of stealing active WhatsApp Web session tokens.
From there, the attacker effectively becomes that employee on WhatsApp. They can message colleagues using an established contact identity, often during business hours when such requests seem routine. The advisory notes that in more advanced cases, criminals with full device control can edit the victim’s contact list, saving a fraudster-controlled number under the name of the CEO or Managing Director. What appears to be an internal message from a known boss is actually a command from a compromised account, sent through a hijacked session.
This is what makes the scam so disorienting. The payment instruction doesn’t arrive from a strange new email domain or a suspicious foreign phone number. It arrives from Tom in Finance, inside an existing chat thread, perhaps referencing a recent conversation. The only clue that something is wrong — a freshly logged-in WhatsApp Web session on a different machine — is invisible to the recipient.
SEBI did not specify a malware family, hash, or Windows build, relying instead on behavioral indicators: ZIP-delivered executables, unexpected DLL files, anomalous finance-endpoint activity, new WhatsApp Web sessions, and payment requests that attempt to bypass a call-back process. This lack of granular IoCs means defenders must rely on configuration hardening, not signature-based blocking.
The Deepfake Layer: When the Boss Sounds Real
The second version of the scam is even more psychologically coercive. Fraudsters directly impersonate a senior executive — a CEO, managing director, or CFO — using AI-cloned voice or deepfake video. The request is urgent and confidential, sometimes invoking unpublished price-sensitive information (UPSI) to scare the employee into secrecy. SEBI said these deepfake attacks often arrive through WhatsApp, Microsoft Teams, or a fake social media group, precisely the channels where executives now routinely conduct business.
A finance officer who might pause at a suspicious email may not question a video call where the CEO’s face and voice are realistically mimicked. And because the attacker frames the request as too sensitive even for normal compliance checks, the employee is coerced into bypassing the very process designed to stop such fraud.
Traditional deepfake detection tools can help, but they are not a complete safety net. A short, agitated call where lag or “bad reception” masks visual artifacts can slip through. More critically, a real CEO can also make a bad request through an unapproved channel. The core defense, therefore, is not determining whether the person on the line is real; it’s ensuring that no single chat, call, or email can authorize a high-risk payment in isolation.
Why This Threat Is Potent for Windows Users
For the ZIP-based attack, Windows endpoints are the primary target. The malware is designed to run on that platform, and the social engineering often involves tricking users into bypassing built-in protections. Microsoft’s SmartScreen, for example, warns when a downloaded file is potentially unsafe, but employees conditioned to click through “Windows protected your PC” prompts can still launch the attack. Attackers know that warning fatigue is real.
Enterprises that rely on Windows Defender for Endpoint have a powerful, often underused defense: Attack Surface Reduction (ASR) rules. The rule “Block executable content from email client and webmail” is particularly relevant, as it can stop .exe, .dll, and archive files like .zip that arrive through email or webmail attachments. Microsoft’s documentation notes that this rule covers mail clients and web-based email, making it an effective choke point for the delivery method SEBI described.
However, ASR rules must be actively enforced. Many organizations initially deploy them in audit mode, which logs events without blocking. That’s useful for tuning but leaves the door open until rules are switched to block mode. A focused security review right now should verify that key ASR rules are actively preventing suspicious executable and archive delivery, especially to finance and executive systems.
How We Got Here: The Evolving Face of Business Email Compromise
The Boss Scam is an inevitable evolution of Business Email Compromise (BEC), which has cost organizations billions globally. In classic BEC, an email from a spoofed or compromised executive account ordered a payment. Defenses eventually caught up: DMARC policies, secure email gateways, and user training made those emails easier to spot. Attackers adapted by moving to messaging platforms where identity verification is weaker — WhatsApp, Teams, Telegram — and by adding synthetic media that creates a terrifying sense of authenticity.
Three trends converged to make this moment possible. First, the pandemic-era shift to remote work normalized using multiple messaging apps for quick decisions, blurring the line between formal and informal corporate communication. Second, deepfake technology reached a level of quality and accessibility where convincing voice clones can be created from a few seconds of public speech. Third, WhatsApp’s Web session hijacking has become a favorite technique because it sidesteps two-factor authentication: once the session token is stolen, the attacker doesn’t need a login code.
SEBI’s advisory is not the first warning about deepfake payment fraud, but it is one of the most detailed public descriptions of how a Windows malware compromise enables the entire chain. The regulator’s call to action reflects the real urgency — these scams are already resulting in multimillion-dollar losses.
What Every Windows User and Admin Should Do Right Now
A defense against the Boss Scam must address both the human and technical layers. Here are the immediate steps, prioritized by audience:
For IT and Security Administrators:
- Enforce Attack Surface Reduction rules. Verify that “Block executable content from email client and webmail” is in block mode, not just audit. Test with a small group first, then roll out broadly. Microsoft provides detailed guidance on deploying ASR rules via Intune or Group Policy.
- Audit and sign out unused WhatsApp Web sessions. Check endpoints used by finance, accounting, and executive staff. An active session that the user forgot about is a target. Use endpoint management tools to enforce periodic sign-out or leverage Microsoft Defender for Cloud Apps to detect anomalous SaaS activity.
- Keep SmartScreen and cloud-delivered protection enabled. Train users not to override warnings casually. Consider using Windows Defender Application Control (WDAC) to limit executable origins, though this requires careful planning.
- Lock down contact list modifications. While fewer Windows endpoints store the local contact list for WhatsApp Web, any device with write access to the user’s contacts (e.g., a phone synced with the PC) could be altered. Enforce mobile device management policies that restrict changes to contacts without validation.
- Review mail flow and attachment rules. Block .zip files containing executables or DLLs at the email gateway, or quarantine them. For unmanaged file transfers, use a secure download service that scans for threats.
For Finance and Accounting Teams:
- Never authorize a payment based solely on a digital message. This includes WhatsApp, Teams, email, and text. SEBI’s top recommendation: independently call the requester using a known number from the corporate directory. Do not use the number provided in the message.
- Establish a two-person approval for high-risk transactions. A second approver, preferably from a different department, should confirm any payment involving a new beneficiary, a changed account, or an “urgent and confidential” label. This control protects against both external fraud and internal errors.
- Treat “confidential” payment requests with increased skepticism. If the request claims to involve UPSI or forbids normal inquiry, that’s a red flag, not a reason to comply faster. A legitimate insider will understand verification flows.
For All Windows Users:
- Don’t open unexpected ZIP files, especially from messaging apps. If you didn’t request a file, verify through a separate channel before opening it. Even if the sender appears to be a colleague, their account could be hijacked.
- Log out of WhatsApp Web when you’re done. That browser window you minimized two weeks ago might be a liability. Regularly check linked devices in WhatsApp mobile app settings.
- Report suspicious calls or messages immediately. Speed matters. The first few hours after a fraudulent transfer are critical for fund recovery.
The Outlook: More AI-Powered Intrusions Ahead
SEBI’s advisory is a signal that regulators see AI-enabled fraud as a systemic risk to financial markets. We can expect similar warnings from other authorities, along with tighter compliance requirements around payment verification and executive communication.
For Microsoft, this scam highlights a growing need: endpoint protections that not only block malware but also detect abnormal user behavior coherently across platforms. Could Defender flag a sudden WhatsApp Web login from an unusual IP, even on an otherwise trusted device? Could it correlate a Teams deepfake call with a subsequent financial app transaction? Those cross-signal capabilities aren’t science fiction, but they’re not yet standard in most enterprise security stacks.
In the meantime, the most effective defense is procedural: a rule that says no amount of CEO pressure can circumvent independent verification. That policy protects companies as effectively today as it did before deepfakes, and it will remain the single hardest barrier for any scammer — AI-assisted or not — to break.