
Business Email Compromise Attacks – are you aware? 



Our dedicated SamurAI Incident Response Team can assist your organization in immediately taking control of a compromised situation, minimizing damage, and safeguarding critical data, systems, and operations. In this blog post, we’re excited to share the team’s latest insights on BEC attacks and a crucial Sigma rule.    

What began as an inquiry from one of our SamurAI Managed Detection and Response (MDR) clients about unusual activity on a user’s account led to the discovery of an attacker lurking in the user’s email inbox. The threat actor, who had been there for weeks, had created forwarding rules for specific keywords and deleted important emails before the account holder had a chance to read them. Once our SamurAI Incident Response team was engaged in the investigation, it became evident that the relevant audit logs were not being sent to our MDR platform, so the activity had gone undetected.

What is BEC? 

This incident falls under the category commonly known as Business Email Compromise (BEC). BEC is an umbrella term for sophisticated scams, phishing, and other email-based attacks that target businesses and individuals, often resulting in unauthorized actions such as funds transfers. 

Recent phishing trends and their impact 

In recent years, there has been a notable increase in email attacks, primarily driven by phishing campaigns. The emergence of Phishing as a Service (PhaaS) platforms has provided both experienced and novice hackers with access to sophisticated toolkits, some of which can bypass two-factor authentication (2FA) or prevent automated analysis, enabling them to conduct unlimited and sophisticated phishing campaigns aimed at businesses. The ultimate goal is to deceive users and harvest their credentials for sale on criminal marketplaces. 

Frequently observed TTPs 

After a successful account compromise, we have observed threat actors moving in and establishing persistence by quickly adding a new MFA device to the compromised account, creating forwarding rules in the user’s mailbox, or creating rules that automatically delete messages containing specific keywords or move them to folders the user rarely checks, such as the RSS Subscriptions and Conversation History folders.

How to detect successful phishing attacks 

Inspired by research from Expel, we have crafted detection rules to quickly identify threat actor behaviour. The detection rule we are publicly releasing identifies when a threat actor creates unusual forwarding rules to external addresses, moves emails to rarely opened folders, or otherwise tries to hide within a compromised account.

What do I need to do? 

For organizations using Defender XDR, Microsoft Defender for Identity Protection, and other Microsoft security products, the SamurAI Managed Detection and Response (MDR) service offers seamless integration via the Microsoft Graph Security API. This integration ingests all activity logs, which are then analyzed against our detection rules to identify malicious activity promptly. If you don’t use our MDR service, you can download the rule and apply it to your internal tooling via the link below.

You can find the Sigma rule here.

Are you unsure if your business is safe and protected from cybercriminals? Let’s talk. 

By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all. Fill in the form and we’ll contact you.