Business Email Compromise – When Traditional Controls Fail
Traditional understandings of phishing prevention fall short when dealing with the BEC threat.
By: Greg Weir, Incident Response
Organizations have invested huge sums of money to detect and prevent email-based threats. From implementing advanced email security platforms to conducting extensive employee training, addressing this attack vector is a top priority for businesses that want to prevent cyberattacks. But what happens when these traditional email defense methods fail? Business email compromise (BEC) renders many detection mechanisms useless, leaving security teams at a disadvantage and businesses at risk.
The Email Threat Has Changed
As organizations focus on shoring up security controls to defend technical assets, threat actors are evolving their tactics. BEC attacks target the employees who execute routine financial transactions. By convincing employees to transfer large sums of money through existing processes, cybercrime groups can target victims without hijacking the organization’s payment infrastructure. This tactic bypasses many of the controls that businesses rely upon to mitigate the risk from email-based attacks.
An Attack Based on Trust
No two attacks are the same. Threat actors hone their techniques to maximize financial gain for minimal effort. Secureworks® incident responders have observed the following pattern in BEC attacks:
- An employee of Company A requests a payment from Company B for a legitimate service.
- The threat actor compromises the inbox of either individual by leveraging credential-harvesting pages, reusing credentials from third-party breaches, brute-forcing single-factor email portals, or exploiting known vulnerabilities on internet-facing mail servers.
- The threat actor uses this access to monitor email for reconnaissance. Their objective is to understand the terminology used by the businesses, identify what services are being purchased, and locate invoice templates that could be modified.
- The threat actor registers a typosquatted domain that appears to be associated with Company A and then uses an email address from that domain to hijack the ongoing email thread. The threat actor removes the legitimate Company A employee from the conversation to avoid detection and requests that an upcoming payment be routed to a different account.
- The employee from Company B interprets the fraudulent request as a legitimate reply to an ongoing thread and complies with the request to change the account details. The payment for services is then routed to the attacker-controlled account.
This procedure can vary. For example, the attack could involve more than two parties, the emails could originate from compromised infrastructure rather than a typosquatted domain, or the threat actor could send phishing emails that install malware. However, the premise is the same: the attack depends on employees who trust existing business processes, and opportunistic threat actors exploit that trust for financial gain.
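The two observable tells in the pattern above, a sender domain that imitates a known counterparty and the legitimate participant silently disappearing from the thread, can both be checked mechanically on the receiving side. The following is an added example written for this article, not Secureworks code: it flags lookalike sender domains against a list of trusted counterparty domains and reports when an earlier participant is dropped from a thread. The trusted domains, the sample thread, the confusable-character table and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag lookalike sender domains and dropped participants in an email thread.

Added example for this article, not Secureworks code. The trusted domains,
the sample thread, the confusable-character table and the distance threshold
are all constructed assumptions for illustration.
"""
from __future__ import annotations

# Constructed: domains of counterparties the finance team legitimately deals with.
TRUSTED_DOMAINS = ("companya.example", "companyb.example")

# Constructed: substitutions commonly used to make one label read like another.
PAIR_SUBS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
CHAR_SUBS = str.maketrans("0135", "oles")


def normalize(label: str) -> str:
    """Fold confusable characters so 'cornpanya' and 'c0mpanya' compare equal to 'companya'."""
    label = label.lower()
    for src, dst in PAIR_SUBS:
        label = label.replace(src, dst)
    return label.translate(CHAR_SUBS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-typo lookalikes such as 'compnaya'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.partition(".")[0]          # registrable label, e.g. 'cornpanya'
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.partition(".")[0]
        if normalize(label) == normalize(t_label):
            return trusted                      # confusable characters (or only the TLD differs)
        if edit_distance(label, t_label) <= 2:
            return trusted                      # one or two typos, swapped or inserted characters
        if t_label in label:
            return trusted                      # trusted name embedded, e.g. 'companya-billing'
    return None


def thread_anomalies(thread: list[dict]) -> list[str]:
    """Walk a thread in order; report lookalike senders and participants silently dropped.

    Each message is a dict with 'from' (one address) and 'to' (list of addresses).
    """
    findings: list[str] = []
    seen: set[str] = set()
    for n, msg in enumerate(thread, 1):
        sender = msg["from"].lower()
        recipients = {r.lower() for r in msg["to"]}
        imitated = lookalike_of(sender.split("@", 1)[1])
        if imitated:
            findings.append(f"msg {n}: sender {sender} imitates trusted domain {imitated}")
        # Anyone on the thread so far who is neither addressed nor the sender has been removed.
        dropped = sorted(p for p in seen if p not in recipients and p != sender)
        if dropped:
            findings.append(f"msg {n}: earlier participant(s) dropped: {', '.join(dropped)}")
        seen |= recipients | {sender}
    return findings


# Constructed sample thread mirroring the article's pattern: message 3 arrives
# from a lookalike domain and no longer includes the real Company A employee.
SAMPLE_THREAD = [
    {"from": "alice@companya.example", "to": ["bob@companyb.example"]},
    {"from": "bob@companyb.example", "to": ["alice@companya.example"]},
    {"from": "alice@cornpanya.example", "to": ["bob@companyb.example"]},
]

if __name__ == "__main__":
    for line in thread_anomalies(SAMPLE_THREAD):
        print(line)
```

Either finding on its own is a reason to pause before acting on a request to change account details; both together, on the message that introduces the change, is exactly the sequence the article describes. A check like this belongs in the mail gateway or in the finance team's triage, and it complements rather than replaces the out-of-band verification discussed below.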
Technical Solutions Only Go So Far
Several security controls detect the compromise of an email account. For example, the Secureworks Taegis™ XDR Business Email Compromise detector generates alerts for known inbox rules deployed by threat actors who want to avoid alerting a victim. However, this detection is only applicable for a short time during the initial kill chain. As the threat actor continues to perform actions using the victim’s account or pivots to attacker-controlled infrastructure, detection becomes more challenging. Organizations should consider proactive technical defenses such as MFA and conditional access, along with human processes such as verifying requests via trusted contact details before performing high-risk actions.
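The inbox-rule detection mentioned above works because attackers who control a mailbox tend to create rules with a recognisable shape: delete or hide mail that matches finance or security keywords, mark it as read so the victim sees no unread count, or forward copies to an external address. The following is an added example for this article, not Secureworks or Taegis code, that triages rule-creation events for those hallmarks. The JSON record layout, field names, hidden-folder list and keyword list are constructed assumptions; real mailbox audit logs use their own schema and would need a small adapter.

```python
"""Triage mailbox-rule creation events for the hallmarks of BEC inbox manipulation.

Added example for this article, not Secureworks or Taegis code. The JSON record
layout, field names, folder list and keyword list are constructed assumptions;
real mailbox audit logs use their own schema.
"""
from __future__ import annotations

import json

INTERNAL_DOMAIN = "companyb.example"   # constructed: the organization's own mail domain

# Folders a user rarely opens; a rule that parks replies there hides them from the victim.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Terms from finance threads an attacker wants to intercept, or warnings they want to suppress.
WATCH_TERMS = {"invoice", "payment", "wire", "bank", "remittance",
               "hacked", "phishing", "suspicious", "fraud"}


def rule_findings(rule: dict) -> list[str]:
    """Describe each suspicious property of one rule; an empty list means nothing notable."""
    out: list[str] = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    if actions.get("delete"):
        out.append("deletes matching messages")
    if (actions.get("move_to") or "").lower() in HIDDEN_FOLDERS:
        out.append(f"moves matching messages to '{actions['move_to']}'")
    if actions.get("mark_read"):
        out.append("marks matching messages as read")
    for addr in actions.get("forward_to", []):
        if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            out.append(f"forwards to external address {addr}")
    hits = {t.lower() for t in conditions.get("subject_or_body_contains", [])} & WATCH_TERMS
    if hits:
        out.append("matches watch terms: " + ", ".join(sorted(hits)))
    if len(rule.get("name", "").strip()) <= 1:
        out.append(f"rule name is blank or a single character ({rule.get('name', '')!r})")
    return out


def severity(findings: list[str]) -> str | None:
    """Hiding mail plus a reason to target it is the classic BEC pattern; grade accordingly."""
    hides = any(f.startswith(("deletes", "moves", "marks")) for f in findings)
    forwards = any(f.startswith("forwards") for f in findings)
    targeted = any(f.startswith("matches") for f in findings)
    if hides and (targeted or forwards):
        return "high"
    if hides or forwards:
        return "medium"
    return "low" if findings else None


def triage(log_lines: list[str]) -> list[dict]:
    """Parse rule-creation records (one JSON object per line) and return graded alerts."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") != "mailbox_rule_created":
            continue
        findings = rule_findings(rec["rule"])
        sev = severity(findings)
        if sev:
            alerts.append({"user": rec["user"], "rule": rec["rule"].get("name", ""),
                           "severity": sev, "findings": findings})
    return alerts


# Constructed sample records: a benign newsletter rule, then three rules of the kind
# seen after an inbox compromise (suppress finance mail, hide replies, exfiltrate copies).
SAMPLE_LOG = [
    '{"event": "mailbox_rule_created", "user": "bob@companyb.example", "rule": {"name": "Newsletters", "conditions": {"from_contains": ["news@vendor.example"]}, "actions": {"move_to": "Newsletters"}}}',
    '{"event": "mailbox_rule_created", "user": "bob@companyb.example", "rule": {"name": ".", "conditions": {"subject_or_body_contains": ["invoice", "payment"]}, "actions": {"delete": true, "mark_read": true}}}',
    '{"event": "mailbox_rule_created", "user": "carol@companyb.example", "rule": {"name": "Cleanup", "conditions": {"subject_or_body_contains": ["promo"]}, "actions": {"move_to": "RSS Feeds"}}}',
    '{"event": "mailbox_rule_created", "user": "dave@companyb.example", "rule": {"name": "Backup", "conditions": {}, "actions": {"forward_to": ["dave.home@mail.example"]}}}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], repr(alert["rule"]),
              "-", "; ".join(alert["findings"]))
```

The grading is deliberately conservative: a single hiding action or external forward is worth a look, but a rule that both hides mail and selects it by finance keywords is the signature worth paging on. As the article notes, this window is short; once the actor moves to their own typosquatted domain there is no further rule creation to observe, so the alert should trigger a credential reset and a review of recent sent items rather than simply closing the rule.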
Business Process as a Defensive Step
BEC attacks target business processes. Organizations must harden these processes to mitigate financial loss. Mandatory security training should discuss how BEC threatens the organization. Employees should recognize the warning signs of BEC attacks, verbally confirm requests to change payment or account details via trusted contact mechanisms, and know how to escalate suspicious behavior to the correct business units. When employees adopt a “trust but verify” approach to email, even a small deviation from expected business operations can raise suspicion and prevent the organization from falling victim to BEC attacks.
Financial losses from BEC attacks have increased exponentially, and motivation for threat actors to continue these attacks has never been higher. Organizations need to understand that email security controls are only partially successful at mitigating the threat. Any process that involves trust will be a target for threat actors. Employees are often the final line of defense in combating BEC, and they must have the training, resources, and support to identify and stop these attacks.