BEC Attacks: The Email No Organization Wants To Receive

Joshua Lawrence, Adam Stevens | 6/5/2025

BEC attacks are the last thing organizations want to deal with. Proactive, layered protection can help fend off threat actors.

Business email compromise (BEC) attacks might not dominate headlines like ransomware attacks, but they are quietly causing significant financial damage. Because they can be so costly, organizations should understand how they work and build a layered, proactive defense that stops them before they cause serious damage.

BEC attacks: Costly and slick

According to the Federal Bureau of Investigation’s “2023 Internet Crime Report,” losses due to BEC attacks accounted for $2.9 billion, versus $59.6 million due to ransomware attacks. Losses from BEC attacks reported to the FBI averaged about $134,953 per incident. Clearly, businesses have a lot to lose and threat actors a lot to gain from email systems, yet many organizations are unclear about what steps to take to protect against BEC attacks, what threat actors are after during an attack, and what they can do with the information afterward.

Threat actors are constantly updating their tactics to outwit security controls, so organizations need to be agile to secure their environments. A strong password is no longer sufficient. In the current security environment, single-factor authentication is negligent and multifactor authentication (MFA) is the bare minimum. A layered defensive model with robust authentication protection, user education, alerting, and log retention is necessary to defend against attackers.


Common BEC attack techniques

Initial access techniques are not one size fits all, and threat actors employ a variety of tactics to achieve their goals. Campaigns can range from complex, targeted attacks on specific users to indiscriminate phishing emails sent to many organizations.

In targeted attacks, threat actors might use open-source intelligence (OSINT) to gain information about the target’s upcoming events, vendor relationships, and tools it uses to make their attacks more convincing. They also might use OSINT to gain employee information, such as job titles and positions, from publicly available sites to target users who might have access to financial systems and sensitive information, such as invoices and payroll.

Phishing sites are one of the most common mechanisms threat actors use to gain access to accounts. In the past, phishing sites were rudimentary websites with a simple form that collected usernames and passwords. Now, phishing sites have evolved to steal MFA-authenticated sessions. With tools such as Evilginx2 and easy-to-use phishing-as-a-service platforms, such as Tycoon 2FA and EvilProxy, threat actors commonly use adversary in the middle (AiTM) sites to target users. AiTM phishing sites function as a proxy between the user and the target service, capturing input and session tokens as the user authenticates. AiTM phishing sites differ from traditional phishing sites in that they can match expected organization-specific login backgrounds, relay MFA prompt requests, and display the exact visual interaction aspects of the targeted site. The official URL is the only item not controlled by the threat actor. AiTM phishing sites pose an increased risk because they can defeat many common forms of MFA, and they present a more convincing interaction to the user. Often, users do not know that they have entered their credentials into a phishing site.

Malicious open authorization (OAuth) applications are another common technique in BEC attacks, and they demonstrate that threat actors do not need the credentials to an account to do damage. Through OAuth applications, wide-reaching permissions can be granted to external parties, allowing threat actors to exfiltrate email contents and send email. Users tend to be more suspicious of a prompt for credentials than of a request to approve an application. Additionally, OAuth applications can be added to an account after unauthorized access is obtained to maintain persistence in the account. Continually reviewing user and enterprise applications in the organization’s email environment helps prevent unwanted applications from gaining access to the organization’s data.
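The application review described above, as an added example that is not code from the article or from Crowe: it triages exported OAuth consent grants and flags apps holding mail-access scopes, refresh-token persistence, or consent that never passed admin review. The record shape loosely follows Microsoft Graph oauth2PermissionGrant objects, but every record, app ID and user ID here is constructed.

```python
# Added example (not code from the article or Crowe): triage exported OAuth consent
# grants for mail-exfiltration risk. The record shape loosely follows Microsoft Graph
# oauth2PermissionGrant objects; every record below is constructed, IDs are placeholders.
import json

# Delegated scopes that let an app read, move or send mail on the user's behalf.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
# offline_access yields refresh tokens, so access outlives a password reset.
PERSISTENCE_SCOPE = "offline_access"

def assess_grant(grant, approved_clients):
    """Return (score, reasons) for one consent grant; higher score means riskier."""
    scopes = set(grant.get("scope", "").split())
    score, reasons = 0, []
    mail = scopes & MAIL_SCOPES
    if mail:
        score += 2
        reasons.append("mail access: " + ", ".join(sorted(mail)))
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access keeps working after a password reset")
    if grant.get("consentType") == "Principal":
        score += 1  # a single user consented; the grant never passed admin review
        reasons.append("user-consented rather than admin-approved")
    if grant["clientId"] not in approved_clients:
        score += 1
        reasons.append("app not on the approved list")
    return score, reasons

def triage(grants, approved_clients, threshold=4):
    """Return grants scoring at or above threshold, riskiest first."""
    findings = []
    for g in grants:
        score, reasons = assess_grant(g, approved_clients)
        if score >= threshold:
            findings.append({"clientId": g["clientId"], "principalId": g.get("principalId"),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])

# Constructed sample export: an admin-approved CRM integration, a user-consented
# unknown app with full mail rights, and a harmless user-consented app.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "app-crm-approved", "consentType": "AllPrincipals", "principalId": null,
  "scope": "User.Read Mail.Read offline_access"},
 {"clientId": "app-unknown-0001", "consentType": "Principal", "principalId": "user-finance-01",
  "scope": "Mail.ReadWrite Mail.Send offline_access"},
 {"clientId": "app-unknown-0002", "consentType": "Principal", "principalId": "user-hr-07",
  "scope": "User.Read"}
]""")
APPROVED_CLIENTS = {"app-crm-approved"}
```

Running `triage(SAMPLE_GRANTS, APPROVED_CLIENTS)` surfaces only the unknown, user-consented app with Mail.ReadWrite, Mail.Send and offline_access; lowering the threshold also lists the approved CRM grant for periodic re-review.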

After threat actors gain initial access, they typically search for specific keywords, such as wire, payroll, invoice, and virtual private network (VPN), to identify emails with invoice data that might enable future social engineering-based financial fraud, or to identify other potential uses of the obtained credentials. Once they have access, they also often connect to the mailbox via a web interface or a third-party mail client such as Mozilla Thunderbird or Microsoft Outlook™ software. Some of these mail clients allow offline access and will sync the mail to the threat actors’ mail client, which lets them exfiltrate entire mailbox contents and review the emails offline without generating additional log events. With such access, they can also download attachments or save emails from web interfaces for offline viewing. These actions can be tracked through event logging for some email servers.

Short- and long-term consequences of BEC attacks

Why do threat actors put so much effort into gaining access to email accounts? Perhaps the question should be, why wouldn’t they? Given the potential points of access email accounts inherently have, they represent a target ripe for compromise. Unsurprisingly, a major motivation is money.

Once inside, attackers can quickly turn unauthorized access into direct monetary gain. Common tactics include redirecting invoice payments, manipulating payroll to divert funds, initiating unauthorized automated clearing house transfers, or creating fraudulent purchase orders. These attacks can yield significant financial rewards before they’re even detected.

The financial and operational consequences of BEC attacks can be severe and wide-reaching. For instance, fraudulent invoice payments might go unnoticed for days or even weeks, by which time the funds are unrecoverable. Often, organizations become aware of the fraud only when the legitimate vendor asks about a missed payment. This type of attack forces the organization to bear unexpected costs while simultaneously responding to the incident. Inside organizations, payroll redirection represents a dual threat that inflicts harm on the business and its employees. The business faces financial loss and must act quickly to resolve the issue and restore trust. Affected employees do not receive their expected wages, which causes significant personal and professional disruption.

BEC attacks are also a gateway to broader compromise. Beyond immediate financial impact, compromised email accounts can act as a launchpad for further attacks. Many organizations use single sign-on, which means access to email might also provide access to other critical systems such as VPNs, help desk portals, human resources platforms, and other applications. Attackers can then move laterally within the network and potentially escalate to ransomware attacks or data exfiltration. Threat actors also use hijacked email accounts to send phishing emails to contacts, either inside or outside the organization. These emails, appearing to come from trusted sources, are often quite convincing and can lead to additional account takeovers and extend the scope of the attack. Hijacked email accounts increase the risk of further compromise, and they pose significant reputational damage to the organization.

The ripple effects of a BEC attack extend far beyond initial losses. These incidents can lead to reputational harm, regulatory reporting obligations, and loss of trust. The more extensive the compromise, the more complex and resource-intensive the response must become.

Defending against BEC attacks

Protecting against BEC attacks requires a multilayered approach that places controls at each step in an attack chain. Controls can be placed at various phases of an attack: reconnaissance, credential acquisition, authentication, and monetization.

Reconnaissance controls. Controls for initial reconnaissance focus on limiting publicly available information about an organization that attackers can use to conduct a phishing or social engineering attack. Basic first steps include limiting information regarding organizational internal structure, roles of employees, and vendor relationships. In addition, publicly posted organization charts, contact directories, or even a few internal emails showing the email naming convention can all be used by threat actors, so organizations should limit what they release.

Beyond their websites, organizations need to be concerned about a different form of publicly available information: social media. Organizations should educate employees on acceptable social media interaction and behavior regarding details related to specific jobs or projects. Specifically, employees should understand how sharing information online can be used against the organization and that threat actors rely on gathering this information to make social engineering attacks more effective. One option that organizations might consider is to conduct an OSINT audit to find what information is publicly available. By limiting public information, phishing efforts have fewer convincing details to work with, and, ideally, they are less effective.

Credential acquisition controls. Controls for credential acquisition include a mix of user education and technical controls. Robust email filtering solutions can help prevent phishing emails from reaching employees, and user education can help prevent users from falling victim to social engineering or phishing attacks. Additionally, web traffic filtering solutions can prevent access to known phishing domains. Deploying appropriate controls for credential acquisition can prevent attackers from ever gaining access to an account.

Authentication controls. Once threat actors have led a user to a phishing site and obtained credentials (or an access token), they must then authenticate to access the account. Several controls can help prevent fraudulent authentication, and properly configured authentication can stop attackers from gaining access to an account altogether. Such controls can turn a potentially serious breach into a minor issue, like resetting an exposed password.

MFA is an obvious step, and it should be mandated for all accounts. Note, however, that threat actors can defeat traditional MFA by using modern AiTM phishing sites. Organizations should consider using enhanced authentication that is resistant to current AiTM phishing sites, such as FIDO2 authentication. Most mainstream email providers allow for MFA, though additional configuration or third-party services might be required for on-premises (self-hosted) mail servers.

In addition to MFA, organizations can implement device validation to confirm that a device accessing the account belongs to the organization. Device validation serves a dual purpose: It helps confirm that login attempts are legitimate, and it helps prevent data from being accessed by personal devices that lack the organization’s security software and controls. Device validation can be accomplished in different ways depending on the email provider. For the Microsoft Windows 365™ platform, conditional access rules can provide device validation for authentications by requiring that all devices be registered and compliant with the organization’s security policies before access is allowed. For Google Workspace, context-aware access can help determine device ownership and validate compliance. For on-premises Exchange servers, the process is more complicated, but it is possible to implement conditional access policies.

Monetization controls. After threat actors have gained access to an account, they begin to monetize that access. Even at this point it is not too late for organizations to prevent negative impacts. Properly configured logging and alerting, combined with active and intelligent monitoring and review of abnormal events, can help organizations catch incidents before they do real damage. Data from email providers should be ingested into a security information and event management (SIEM) solution, and alerting should be configured for abnormal or risky behavior.

These alerts should be continually monitored and updated to reflect changes in the attack landscape. By proactively implementing effective monitoring, organizations can prevent small issues from escalating into major incidents. For example, the security team can resolve a potential threat with a simple account reset and a quick investigation, sparing the organization costs in the hundreds of thousands. Beyond monitoring and alerting, social engineering-resistant policies can help strengthen the organization’s security posture.
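The logging and alerting this section calls for, covering the keyword searches and offline mailbox syncs described earlier, as an added detection example that is not code from the article or from Crowe: it scans audit records for a whole-mailbox sync from an IP the user has never used and for inbox rules that forward mail away or hide messages matching the fraud keywords (wire, payroll, invoice, VPN). The records are constructed and only loosely follow the Microsoft 365 unified audit log; the field names used are assumptions.

```python
# Added example (not code from the article or Crowe): flag post-compromise mailbox
# activity typical of BEC in exported audit records. Records are constructed and only
# loosely follow the Microsoft 365 unified audit log shape; field names are assumptions.
import json
import re

# Keywords the article lists as what intruders search for once inside a mailbox.
FRAUD_KEYWORDS = re.compile(r"\b(wire|payroll|invoice|vpn)\b", re.IGNORECASE)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

def check_record(record, known_ips):
    """Return a list of (user, finding) tuples for one audit record."""
    user, op, findings = record["UserId"], record["Operation"], []
    # Offline sync from an IP the user never used before: whole-mailbox exfiltration.
    if op == "MailItemsAccessed" and record.get("MailAccessType") == "Sync" \
            and record["ClientIP"] not in known_ips.get(user, set()):
        findings.append((user, f"mailbox sync from unfamiliar IP {record['ClientIP']} "
                               f"via {record.get('ClientInfoString', '?')}"))
    # Inbox rules that forward mail out or hide fraud-related threads from the owner.
    if op in ("New-InboxRule", "Set-InboxRule"):
        p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
        conditions = " ".join(str(v) for k, v in p.items() if k.endswith("ContainsWords"))
        forwards, hides = FORWARD_PARAMS & p.keys(), HIDE_PARAMS & p.keys()
        if forwards:
            findings.append((user, f"rule '{p.get('Name')}' forwards or redirects mail to "
                                   + ", ".join(p[k] for k in sorted(forwards))))
        if hides and FRAUD_KEYWORDS.search(conditions):
            findings.append((user, f"rule '{p.get('Name')}' hides messages matching "
                                   f"'{conditions}'"))
    return findings

def scan(records, known_ips):
    """Run every record through check_record and collect the findings."""
    return [f for r in records for f in check_record(r, known_ips)]

# Constructed sample: per-user baseline of normal IPs and four audit events.
KNOWN_IPS = {"cfo@example.test": {"203.0.113.10"}}
SAMPLE_LOG = json.loads("""[
 {"Operation":"MailItemsAccessed","UserId":"cfo@example.test","ClientIP":"203.0.113.10",
  "MailAccessType":"Bind","ClientInfoString":"Client=OWA"},
 {"Operation":"MailItemsAccessed","UserId":"cfo@example.test","ClientIP":"198.51.100.77",
  "MailAccessType":"Sync","ClientInfoString":"Client=Thunderbird"},
 {"Operation":"New-InboxRule","UserId":"cfo@example.test","ClientIP":"198.51.100.77",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"},
                {"Name":"SubjectContainsWords","Value":"invoice;wire"}]},
 {"Operation":"New-InboxRule","UserId":"cfo@example.test","ClientIP":"203.0.113.10",
  "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"News"},
                {"Name":"SubjectContainsWords","Value":"digest"}]}
]""")
```

`scan(SAMPLE_LOG, KNOWN_IPS)` raises two findings for the constructed data: the Thunderbird sync from the unfamiliar address and the delete rule keyed on "invoice;wire"; the ordinary newsletter rule and the web-interface read are left alone.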

Proactive, layered defense

BEC attacks do not receive the same notoriety as ransomware, but they can cause plenty of damage. However, organizations can be proactive by setting controls and taking specific steps.

Continually informing users of common email scam tactics and implementing authentication controls helps protect against compromise. Implementing effective monitoring and alerting for key indicators in logs helps detect and resolve compromises when they occur. Effective user education and policies can help limit the impact of compromises that go undetected.

By continually reviewing and updating security controls in their environment, organizations can defend themselves against increasingly savvy threat actors and strengthen their security posture.

Microsoft, Outlook, and Windows 365 are trademarks of the Microsoft group of companies.
