Business Email Compromise (BEC) is an email phishing attack that specifically targets businesses and organizations to steal money or account credentials. These attacks can be difficult to prevent because they rely on social engineering techniques, such as phishing and intimidation, to manipulate users.

Threat actors often prepare for BEC attacks by first reconnoitring their targets and uncovering publicly available data, such as employee contact information, to build a profile about the victim organization.

There are five main types of BEC scams:

1. CEO Fraud – The attacker impersonates the company's CEO or another executive and emails employees, asking them to send money or disclose confidential company information.

2. Compromised Account – An employee's email account is compromised and then used to send scams to other organizations from that account.

3. Lawyer/Tax Agent Impersonation – The cybercriminal impersonates a lawyer or a representative of an organization such as the IRS to scam employees.

4. Data Theft – Scammers target HR employees, or others with access to employee information, to obtain sensitive or private data about other employees and executives that can be used in future attacks.

5. Fake Invoice Scheme – The attacker spoofs an email from an organization or vendor the victim works with. The email may contain an invoice requesting payment to a specific account controlled by the attackers.

[Figure: Example of a BEC email using fake-invoice tactics]

Phishing attacks continue to be one of the most prevalent forms of cybercrime targeting organizations today. A specific form of phishing known as Business Email Compromise, or BEC, has been particularly lucrative for cybercriminals. According to the FBI's recent IC3 report, Business Email Compromise caused more than $1.8 billion in losses to businesses in 2020, exceeding losses attributed to other, higher-profile forms of cybercrime such as ransomware ($29 million).

As organizations adapt to the rise of remote working and collaboration, cybercriminals evolve with them and BEC attacks grow in sophistication and frequency.

Analysing Business Email Compromise

There are several methods that cybercriminals use to convince users of an organization that their email is genuine, including email spoofing, domain spoofing, and email account takeover. Being able to identify these tactics is key to protecting your organization from business email compromise.

Email spoofing is a common and simple tactic in which the attacker sets up an email account that looks like a real work email account. The attacker's email address or display name will look almost identical to that of a real sender, because the attacker uses spelling tricks or special characters from other alphabets to make the email convincing.

This form of business email compromise relies on building trust with the victim, rather than on malicious files and links, to perform fraudulent wire transfers or harvest sensitive information.

Attackers may also spoof the domain of their fraudulent emails so that it looks exactly like the target organization's domain. Without email authentication standards in place, attackers can make their emails appear to come from a legitimate domain.

[Figure: Spoofed email]

Account Takeover

Email account takeover is a more advanced form of business email compromise in which the attacker gains access to a corporate email account. The attacker can obtain credentials in several ways, such as phishing or reusing usernames and passwords exposed in previous breaches. Using the compromised account as a foothold, the attacker can study the victim's organization by scanning the account's contacts and conversations. The attacker is also likely to set up forwarding rules to an external address in order to collect information from the victim's organization.

The attacker can now monitor new emails from other parties and suppliers, looking in particular for messages related to sensitive information and financial transactions. Once attackers identify something of interest, they can join an ongoing conversation and use other business email compromise tactics, such as spoofed and phishing emails, to manipulate the unsuspecting victim into performing a specific action, such as transferring money.

One tactic used by attackers is to take a copy of a real invoice, change only the banking information while leaving everything else the same, and send this forged invoice to the victim. The recipient may not be able to tell that the invoice is forged and will send the funds to the cybercriminal instead of the legitimate party.

A compromised email account may show any of the following indicators in Microsoft Exchange:

1. Unwanted profile changes, such as changes to the user name and contact information

2. Inbox rules that the user did not create, such as a rule that automatically forwards emails or moves them to folders such as Notes or RSS

3. Other people receive emails from the compromised account, but those emails do not appear in its Sent folder

4. The user's mailbox has been blocked from sending emails.
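The inbox-rule indicator above is the one most easily checked in bulk. The following is an added example, not code from the original article: it scores an export of a mailbox's inbox rules (the record shape follows the property names of Exchange's Get-InboxRule output, such as ForwardTo, RedirectTo, MoveToFolder and DeleteMessage; the sample rules, the internal domain and the keyword list are constructed for illustration) and flags rules that forward outside the organization, hide mail in rarely-viewed folders, delete or mark messages read, or target finance-related subjects.

```python
"""Flag suspicious Exchange inbox rules. Added example; sample data is constructed."""

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Folders attackers use to hide mail because users rarely open them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "notes", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed keyword list: subjects that finance-fraud rules typically intercept.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "password", "verification"}

# Constructed sample shaped like Get-InboxRule output; not a real mailbox export.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["mailer@collector.example.net"],
     "DeleteMessage": True, "SubjectContainsWords": ["invoice", "payment"]},
    {"Name": "Archive old", "Enabled": True, "MoveToFolder": "RSS Feeds",
     "MarkAsRead": True, "SubjectContainsWords": ["wire"]},
    {"Name": "Team", "Enabled": True, "ForwardTo": ["team-lead@example.com"]},
]


def _recipients(rule):
    """All addresses a rule sends mail to, across the three forwarding actions."""
    recips = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        recips.extend(rule.get(key) or [])
    return recips


def is_external(addr, internal_domain=INTERNAL_DOMAIN):
    return addr.rpartition("@")[2].lower() != internal_domain


def review_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a list of reasons the rule looks attacker-made (empty if it looks benign)."""
    reasons = []
    external = [r for r in _recipients(rule) if is_external(r, internal_domain)]
    if external:
        reasons.append("forwards/redirects outside the organization: " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    # Marking read is only suspicious when combined with hiding or exfiltrating the mail.
    if rule.get("MarkAsRead") and (folder or external):
        reasons.append("marks messages read so the user never notices them")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    hits = sorted(words & FINANCE_WORDS)
    if hits:
        reasons.append(f"targets finance/credential subjects: {hits}")
    name = rule.get("Name", "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        reasons.append(f"non-descriptive rule name {name!r}")
    return reasons


def review_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Map rule name -> reasons for every enabled rule that raised at least one flag."""
    flagged = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = review_rule(rule, internal_domain)
        if reasons:
            flagged[rule["Name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES).items():
        print(f"Rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the rule named "." and "Archive old" are flagged; the newsletter rule and the internal forward to a colleague are not, which is the distinction an analyst has to make when a mailbox has dozens of legitimate rules.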

If you see indicators such as these, for example users receiving spoofed emails with fake names and domains, or unusual forwarding or inbox rules being created, your organization may be the target of a business email compromise attack. Investigating these suspicious events is essential to understanding the extent of the incident and beginning the remediation process.

Identifying Email Compromise in O365

After identifying the first signs of business email compromise, it is recommended to investigate further by analysing logs from the Exchange admin centre as well as Microsoft 365 Defender and Azure AD.

We suggest that you use the Microsoft 365 Defender portal's unified audit logs to analyse all suspicious account activity from the start of the suspicious activity to the current date. You can also use various reports to help with this investigation, for example the Compromised Users, Exchange Transport Rule, and Phishing Detection reports.

Your initial investigation should include audit trail analysis to identify all users who may have interacted with the suspicious email or the compromised account. For this list of users, look for other indicators of compromise (IOCs). If a suspected malicious attachment was opened on a user's endpoint, you may also need to check that endpoint's logs, as well as any AV or EDR solutions deployed on it.

When looking at emails with potentially spoofed domains, you can check the headers of those emails to find information such as the true origin of the sender. You can do this by opening the message in Outlook and going to File > Info > Properties.

Be sure to look at the following fields for useful data:

1. Common values – These include the source address, subject, message ID, destination, and return-path address. For example, confirm whether the sender's email address matches the display name.

2. Source IP – The source IP address can be checked against block lists and against IP addresses seen in previous incidents, and used to determine geolocation.

3. Spam Confidence Level (SCL) – The SCL indicates how likely it is that the message is spam.

4. Authentication Results – The results of the SPF and DKIM authentication checks.
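The header checks above can be scripted so that the same fields are pulled from every message reported during an investigation. The following is an added example, not code from the original article: it parses a raw header block with Python's standard email library, compares the display name with the actual From address, compares the Return-Path domain with the From domain, tests the From domain for look-alike similarity to a trusted vendor domain, reads SPF/DKIM/DMARC verdicts from Authentication-Results, and reads the SCL from the X-MS-Exchange-Organization-SCL header that Exchange Online stamps on messages. The two header blocks, the trusted vendor domain and the similarity threshold are constructed assumptions for illustration.

```python
"""Triage header fields of a suspected spoofed email. Added example; samples are constructed."""
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the vendor domain finance legitimately corresponds with.
TRUSTED_DOMAINS = {"example-vendor.com"}
LOOKALIKE_RATIO = 0.85  # assumption: similarity above this, but not equal, is a look-alike

# Constructed sample: look-alike domain ("1" for "l"), display name advertising the real
# vendor address, failed SPF, unsigned, high SCL. Not a real message.
SUSPICIOUS_HEADERS = b"""Return-Path: <billing@examp1e-vendor.com>
Received: from mail.examp1e-vendor.com (mail.examp1e-vendor.com [203.0.113.45])
 by mx.example.com with ESMTP; Tue, 1 Mar 2022 09:15:02 +0000
From: "Example Vendor Billing <billing@example-vendor.com>" <billing@examp1e-vendor.com>
To: finance@example.com
Subject: Invoice #4471 - updated bank details
Message-ID: <20220301091501.abc123@examp1e-vendor.com>
Authentication-Results: spf=fail (sender IP is 203.0.113.45)
 smtp.mailfrom=examp1e-vendor.com; dkim=none (message not signed)
 header.d=none; dmarc=none action=none header.from=examp1e-vendor.com
X-MS-Exchange-Organization-SCL: 6

"""

# Constructed sample of a legitimate message from the real vendor, for contrast.
CLEAN_HEADERS = b"""Return-Path: <billing@example-vendor.com>
Received: from mail.example-vendor.com (mail.example-vendor.com [198.51.100.7])
 by mx.example.com with ESMTP; Tue, 1 Mar 2022 10:02:11 +0000
From: "Example Vendor Billing" <billing@example-vendor.com>
To: finance@example.com
Subject: Invoice #4470
Message-ID: <20220301100210.def456@example-vendor.com>
Authentication-Results: spf=pass smtp.mailfrom=example-vendor.com;
 dkim=pass header.d=example-vendor.com; dmarc=pass header.from=example-vendor.com
X-MS-Exchange-Organization-SCL: 1

"""


def parse_headers(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts, e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'none'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results.setdefault(method, verdict.lower())
    return results


def source_ip(msg):
    """Connecting host's IP from the top-most Received header (the one our own MX added)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return m.group(1) if m else None


def triage(raw: bytes, trusted_domains=TRUSTED_DOMAINS):
    msg = parse_headers(raw)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    findings = []
    # 1. Display name advertises a different address than the one that actually sent the mail.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", sender.display_name)
    if embedded and embedded.group(0).lower() != sender.addr_spec.lower():
        findings.append(f"display-name address {embedded.group(0)} differs from From {sender.addr_spec}")
    # 2. Return-Path (bounce) domain differs from the From domain.
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # 3. From domain is a near-miss of a domain we actually do business with.
    for trusted in sorted(trusted_domains):
        if from_domain != trusted and SequenceMatcher(None, from_domain, trusted).ratio() >= LOOKALIKE_RATIO:
            findings.append(f"lookalike of trusted domain {trusted}")
    # 4. Anything other than a pass for SPF, DKIM and DMARC is worth a look.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    # 5. Exchange's own spam verdict; 5 and above is filtered as spam by default.
    scl_hdr = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(str(scl_hdr).strip()) if scl_hdr is not None else None
    if scl is not None and scl >= 5:
        findings.append(f"SCL {scl}")
    return {"from": sender.addr_spec, "message_id": str(msg["Message-ID"]),
            "source_ip": source_ip(msg), "auth": auth, "scl": scl, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_HEADERS), ("clean", CLEAN_HEADERS)):
        report = triage(raw)
        print(label, report["from"], report["source_ip"], report["auth"], report["findings"])
```

The source IP and message ID the function returns are exactly the values the text says to keep in your running list of related IP addresses and identifiers; the findings list is only a triage aid, since a legitimate bulk sender can also have a Return-Path on a different domain, so each flag still needs an analyst's judgement.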

Investigating Business Email Compromise with Varonis

There are several pre-defined alerts, visible in the Varonis Alerts Dashboard or delivered via email, that may indicate a business email compromise attack is in progress. These include alerts for a user receiving an email with a suspicious malicious attachment, or a user sending an unusual number of emails to a single recipient outside the company.

With Varonis, in addition to investigating alerts, you can gather more information about the incident by investigating suspicious users and their activity on O365 and on-premises resources.

To begin your investigation with Varonis, review the relevant Exchange On-Prem or Exchange Online logs.

Select "Analytics" on the dashboard, then open a new "Events" tab and select "Exchange" from the Servers drop-down menu.

[Figure: Server selection in the Varonis dashboard]

Configure the time range to start before the first IOCs you observed, such as suspicious emails or user activity. Make sure to add the "Event Description" column for additional details by typing "Event Description" in the newly opened window.

For example, if you want to find all the users who interacted with a specific email, you can use the search function to find all events related to a specific subject line.

Click "Resource Event" and then enter the subject in the "Message Subject" field. Keep a running list of related IP addresses, usernames and other information.

[Figure: E-mail Configuration]

Now that you have a list of users who interacted with the suspicious emails or attachments, you can modify your search to view all other Exchange activity from those users. Add one or more users to your search using the "Names" hyperlink under "Event by User" on the left side, select the users you wish to investigate, and click "Apply". Be sure to clear all queries in the search bar before running the search so that all related Exchange activity is returned.

[Figure: Names filter in the Varonis web UI]

Again using the "Types" hyperlink on the left-hand side, you can now see all the different types of events associated with the users under investigation. Event types to be aware of include:

1. Moved/Deleted Messages: An attacker can hide messages by deleting them or moving them to folders such as RSS or Trash.

2. Created Forwarding Rules: These rules can be used to automatically move messages out of the organization.

3. Messages Sent As or On Behalf Of: The attacker can disguise the "From" field.

4. The user's mailbox has been blocked from sending emails.

[Figure: Deletion events in the Varonis web UI]

During a BEC investigation, we identified emails that were deleted without the knowledge of the user.

Once you have completed your investigation in Exchange, you can modify your search to look for suspicious activity by the same users in other resources such as OneDrive and SharePoint, as well as on-premises resources such as Active Directory and file shares.

By investigating other resources in Varonis, you may identify further indications of malicious activity outside of Exchange. Other unsuspecting users may receive a shared link to such files and accidentally compromise local resources with malware by opening them. In other cases that we investigated, attackers leveraged compromised O365 credentials to download large amounts of data from SharePoint Online and OneDrive.

Understanding the scope of the incident, particularly which network resources were used during the attack, is a necessary step in ensuring the incident is contained and beginning the recovery process.

Tips for Remediation

After completing the investigation and regaining control of the compromised accounts, we strongly recommend the following steps to prevent the attacker from regaining access in the short term:

  • Reset the passwords of compromised or suspicious accounts and revoke their sessions to force re-authentication.
  • Clean up the inbox settings of this compromised account by removing any suspicious forwarding or inbox rules.
  • Find other accounts that may have used this Exchange account as their primary or secondary email and repeat these steps for them.

After completing these initial steps, you may want to take additional measures to harden your environment and prevent similar incidents in future, such as enabling multi-factor authentication, blocking traffic from IP addresses known to be malicious or from suspicious locations, and enforcing email authentication standards such as SPF and DKIM.

Administrative controls, such as fraud prevention controls and procedures owned by non-IT departments, can serve as the last layer of defence, preventing irreversible financial loss to the organization.

We also recommend reminding users to review the security of their personal email and social media accounts, and to ensure they do not reuse passwords across work and non-work platforms.

Business email compromise remains one of the costliest forms of cyberattack targeting organizations worldwide. By implementing a layered approach to security controls, together with monitoring of user activity in Exchange through solutions such as Varonis, you can improve your organization's security posture and protect your users against BEC and other forms of cybercrime.