Account takeover (ATO) resulting in business email compromise (BEC) is one of the most pressing threats to today’s organizations. Email clients were tied as the most common action vector in Verizon’s Data Breach Investigations Report, and phishing grew significantly in the report as one of the most widely used tactics among attackers.
Account takeover, and the BEC that follows from it, is especially dangerous because it can be carried out at massive scale by both novice and sophisticated attackers. And, since it preys on base human nature through social engineering, ATO and BEC can affect anyone.
In the face of the pervasive threat of BEC, organizations need a way to effectively combat it and prevent breaches. Thankfully, there are technological and process-driven solutions that you can employ to take BEC head on and protect your business. Before that, however, let’s look at why BEC presents such an issue.
The threat BEC poses is immense as it can result in many negative business outcomes. Take for example the tactics of the Söze Syndicate:
In this attack, a user received a phishing email prompting them to insert their Microsoft 365 credentials into a spoofed webpage. Through a proxy infrastructure, the adversary from the Söze Syndicate routed the credentials into a valid Microsoft login page to intercept the session token, posing as the actual user.
Doing so gave the Syndicate full access to the user’s account, allowing them to create new valid session tokens and take over the user’s email account. Then, they used the access to request a new payment destination on an invoice to steal the funds.
Using similar tactics to those above, the Syndicate stole and validated credentials using a phishing email and proxy. Then, instead of taking over the user’s email, they logged into their M365/SharePoint environment.
From there, the threat actor created a fake document appearing to come from within the organization, propagating it to others within the business to click on in a phishing email coming from the original user’s account. Then, the other employees were similarly phished for their credentials and multi-factor authentication (MFA) information.
Armed with multiple sets of credentials, the Syndicate also used their stolen access to download a new web client application, which allowed the threat actor to clone the inbox. This gave them continual access to its entire contents without any additional login, and the rogue application let them evade further detection.
This cloned inbox gave the Syndicate insights into high-value targets connected to the attacked organization. These individuals became new targets of further phishing and BEC campaigns.
Beyond these recent real-world examples, ATO resulting in BEC has been used to propagate ransomware payloads, steal credentials for web application account misuse, and other nefarious activities. These all pose serious risks to an organization, leading to account takeovers, data loss/exfiltration, and establishment of persistence among other outcomes.
Of course, the ramifications of these attacks can disrupt business activities and lead to even more severe consequences. The reparations, compliance fines, and loss of credibility/customers resulting from BEC can be potentially terminal for a business and must be defended against.
Despite its prevalence and severity, ATO and BEC can be detected and stopped. Here are several techniques to stem the tide of BEC in your organization.
One of the most important techniques to fight BEC is to train your employees about the critical role they play in security operations. After all, they are the ones receiving phishing emails and potentially clicking on the links or documents that can lead to exploitation.
Implement routine training to help users to identify the signs of BEC. Be sure to include common indicators such as spoofed email addresses and links, misspellings, and false urgency used to prompt responses. Surprise phishing exercises put on by the internal security team help maintain constant vigilance and build a security-first culture.
More than anything, it’s important to reinforce that employees should always take a moment to review emails and report anything remotely suspicious to the security team. Of course, with more sophisticated BEC tactics like those used by the Söze Syndicate, emails may appear to be from a coworker or manager, so more advanced defense techniques are required.
Organizations can employ technological solutions that automatically vet incoming emails and quarantine suspicious messages for further review. These tools examine emails and identify common indicators of phishing to take much of that burden off employees. They can also include analysis tools that help an employee stop, think, and exercise due diligence before acting on an email, with one-click report functionality to send the suspicious email to the security team.
Ideal email security solutions go a step further, leveraging AI models to scan email contents and compare them to previous user behaviors. This in turn helps identify anomalies that may indicate a compromised account being used by an adversary.
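The Söze Syndicate narrative above contains two signals a defender can look for in sign-in telemetry: a session token minted for one address being used from another (the proxy), and a client application the user has never used before (the inbox-cloning client). The following is an added example, not code from the original article or any vendor product; the event fields, IP addresses, application names and per-user baseline are all constructed for illustration.

```python
# Added example: baseline-vs-behavior detection over constructed M365-style
# sign-in events. The schema and values are constructed, not a real log format.

# Constructed sample events. "login" is an interactive credential sign-in that
# issues a session; "token_use" is a later request presenting that session.
EVENTS = [
    {"user": "alice", "event": "login",     "ip": "203.0.113.10", "session": "s1", "app": "Outlook"},
    {"user": "alice", "event": "token_use", "ip": "203.0.113.10", "session": "s1", "app": "Outlook"},
    # Session token replayed from the phishing proxy's address (constructed IP)
    {"user": "alice", "event": "token_use", "ip": "198.51.100.7", "session": "s1", "app": "Outlook"},
    # New session with no observed login, from a never-before-seen mail client
    {"user": "alice", "event": "token_use", "ip": "198.51.100.7", "session": "s2", "app": "MailSyncClient"},
    {"user": "bob",   "event": "login",     "ip": "203.0.113.22", "session": "s9", "app": "Outlook"},
    {"user": "bob",   "event": "token_use", "ip": "203.0.113.22", "session": "s9", "app": "Outlook"},
]

# Constructed per-user baseline of applications seen in normal historical use.
KNOWN_APPS = {"alice": {"Outlook", "Teams"}, "bob": {"Outlook"}}


def detect(events, known_apps):
    """Return alert tuples for three behaviors from the attack narrative:
    - session_replay: a session used from an IP other than the one that logged in
    - unobserved_session: a session used without any login in the window
      (noisy at the start of a log window; useful with the other two signals)
    - new_app: an application outside the user's historical baseline
    """
    session_ip = {}   # (user, session) -> IP that performed the login
    alerts = []
    for e in events:
        key = (e["user"], e["session"])
        if e["event"] == "login":
            session_ip[key] = e["ip"]
            continue
        origin = session_ip.get(key)
        if origin is None:
            alerts.append(("unobserved_session", e["user"], e["session"], e["ip"]))
        elif origin != e["ip"]:
            alerts.append(("session_replay", e["user"], e["session"], origin, e["ip"]))
        if e["app"] not in known_apps.get(e["user"], set()):
            alerts.append(("new_app", e["user"], e["app"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_APPS):
        print(alert)
```

In production the IP comparison would typically be done at the ASN or geolocation level rather than exact address, since roaming users change IPs legitimately.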
A comprehensive security platform with built-in ITDR helps protect organizations by providing both preventative measures and ongoing detection to help identify and respond to identity threats including BEC attacks. Combining EDR/NGAV, SASE, SIEM, SOAR, MXDR, ITDR and more, the consolidated solution uncovers anomalies associated with BEC activity to help organizations make informed decisions on how to combat adversaries. And, with 24x7 monitoring through MXDR, the business is protected around the clock to stop BEC attacks whenever they arise.
When used together, these techniques can help organizations significantly reduce the impact of BEC on their operations and stop many attempts altogether. You can uncover more actionable insights about BEC and how to defend against it by attending our upcoming webinar. Featuring thought leaders from INKY and Todyl, the webinar will cover more real-world BEC examples, defense techniques, and other useful tactics for getting buy-in for implementation.
Secure your spot today; register here.