Business Email Compromise (BEC) continues to evolve into one of the most pervasive and damaging cyber threats in the modern digital landscape. As small and medium businesses enhance their defenses with endpoint security, attackers are adapting, seeking new ways to bypass these barriers. The shift in tactics is stark: rather than relying on traditional malware, threat actors are exploiting human error, trust, and communication channels, focusing on services that remain vulnerable.
This threat has intensified as bad actors sharpen their tactics, becoming more sophisticated in their approach. Despite the rising danger, many organizations remain without Identity Threat Detection and Response (ITDR), leaving a critical gap in their defenses and creating a prime target for attackers. They exploit it with precision, using tactics like credential theft, adversary in the middle (AiTM), and session hijacking, continuously refining their tactics, techniques, and procedures (TTPs) to evade detection. MFA alone is no longer enough.
Throughout 2024, the Todyl MXDR team witnessed a staggering 558% surge in AiTM, account takeover (ATO), and BEC-related attacks. Most recently, they uncovered a suspicious access pattern originating from a small hosting provider targeting Microsoft 365 services.
The pattern revealed a failed login attempt, swiftly followed by a series of successful logins without any subsequent mailbox access or obvious malicious activity afterward. Threat actors often use this tactic to verify credentials and steal valid Microsoft 365 access tokens, which are later sold on underground marketplaces.
Starting with the rapid, likely automated login activity, we launched a targeted threat hunt. This proactive approach enables us to continuously improve our detection capabilities, staying ahead in the ever-shifting threat landscape.
We began by analyzing Microsoft 365 and Azure logs, merging telemetry from both sources to gain a clearer picture of the threat actor’s behavior. Microsoft 365 telemetry alone provides limited insight, and Azure’s threat detection capabilities are also constrained. These blind spots make it challenging to correlate activity across platforms, especially as threat actors can pivot between hosted applications like SharePoint, Outlook for Web, and OneDrive.
To tackle this, we correlated Microsoft 365 and Azure logs with our own behavioral analytics to better detect suspicious activity, as additional data, such as session token IDs or source IP addresses, is often required to fill visibility gaps. By analyzing all available telemetry, we traced the potential BEC activity back to the threat actor’s infrastructure, revealing a fleet of cloned servers spanning multiple ASNs. These servers were all involved in the malicious activity and were identical down to the operating system patch level.
As our investigation progressed, we uncovered more commonalities across the ISPs, many of which were smaller international providers, hosting multiple IP address blocks in the US. Based on these commonalities, we implemented additional anomaly detections to monitor activity from these source IPs and to identify signs of compromised user accounts.
Our threat hunting not only enhanced our anomaly detections, but enabled the team to uncover a vast identity attack infrastructure, spanning thousands of hosts across multiple regional and local ISPs in the US and internationally. By merging this new data with our previous findings, we pinpointed suspicious activity from source IPs and identified patterns that signaled compromised user accounts, exposing the full scope of the attack infrastructure.
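The login pattern described above (one failed attempt, a burst of successes from the same source, then no mailbox activity) can be expressed as a simple correlation rule. This is an added example, not Todyl's detection code; it uses a simplified, assumed Unified Audit Log-style schema (CreationTime, Operation, UserId, ClientIP, ResultStatus) over constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified Unified Audit Log-style schema
# (field names assumed for this example): one failed UserLoggedIn from a
# hosting-provider IP, rapid successes, then silence. The 08:30 office session
# is a benign baseline for the same user.
SAMPLE_LOG = [
    {"CreationTime": "2024-11-04T02:10:05", "Operation": "UserLoggedIn",
     "UserId": "finance@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Failed"},
    {"CreationTime": "2024-11-04T02:10:09", "Operation": "UserLoggedIn",
     "UserId": "finance@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2024-11-04T02:10:12", "Operation": "UserLoggedIn",
     "UserId": "finance@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2024-11-04T02:10:14", "Operation": "UserLoggedIn",
     "UserId": "finance@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2024-11-04T08:30:00", "Operation": "UserLoggedIn",
     "UserId": "finance@example.org", "ClientIP": "198.51.100.7", "ResultStatus": "Success"},
    {"CreationTime": "2024-11-04T08:31:10", "Operation": "MailItemsAccessed",
     "UserId": "finance@example.org", "ClientIP": "198.51.100.7", "ResultStatus": "Succeeded"},
]

def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def find_credential_checks(records, burst=timedelta(minutes=2),
                           quiet=timedelta(hours=1), min_successes=2):
    """Return (user, ip) pairs where a failed login is followed within `burst`
    by at least `min_successes` successes from the same IP, and that IP then
    shows no mailbox access for `quiet` after the last success."""
    by_key = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_key[(r["UserId"], r["ClientIP"])].append(r)
    hits = []
    for key, events in by_key.items():
        logins = [e for e in events if e["Operation"] == "UserLoggedIn"]
        for i, e in enumerate(logins):
            if e["ResultStatus"] != "Failed":
                continue
            t0 = _ts(e)
            successes = [s for s in logins[i + 1:]
                         if s["ResultStatus"] == "Success" and _ts(s) - t0 <= burst]
            if len(successes) < min_successes:
                continue
            last = _ts(successes[-1])
            mail_after = [m for m in events if m["Operation"] == "MailItemsAccessed"
                          and last <= _ts(m) <= last + quiet]
            if not mail_after:  # credentials verified, then silence: token-theft pattern
                hits.append(key)
            break
    return hits
```

In production the same rule would be enriched with ASN and hosting-provider data for the source IP, so that hits from the cloned-server fleet can be clustered rather than reviewed one at a time.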
Geographic distribution of the attack infrastructure (chart data):
New Jersey, United States of America: 37%
Hesse, Germany: 15%
England, United Kingdom: 9%
New York, United States of America: 8%
California, United States of America: 7%
Île-de-France, France: 7%
Florida, United States of America: 6%
Limburg, Netherlands: 4%
Quebec, Canada: 3%
Zurich (CH), Singapore (SGP), Oslo (NOR), and 2 more...: 5%
The sheer volume of hosts is staggering, and managing such a large fleet requires significant capital and automation, pointing to a well-funded and operationally mature group. They also leveraged trusted proxy services like Cloudflare to hide their phishing lures and malicious login pages, enabling them to bypass web security gateways and URL filters, further underscoring their advanced capabilities and sophistication.
The threat actor's infrastructure, along with the organizations they targeted, raised many questions and sparked conversation around their true objectives and capabilities:
In the remainder of this article, we break down the TTPs linked to this group and share three real-world stories that illustrate the challenges of detecting and responding to these sophisticated attacks.
The threat group infrastructure is incredibly active and has accelerated over the last 3 months. At the peak, approximately 65% of all attempted BEC cases across Todyl came from this group, with the vast majority affecting organizations that were already compromised when they were newly onboarded. The attacks targeted everything from very small businesses to mid-market companies across legal, construction, critical infrastructure, defense, health care, non-profit, and many other industries.
The group exhibits high levels of patience with low and slow tactics, attempting to avoid detection while using advanced impersonation techniques to compromise accounts. Their TTPs are highly effective at bypassing multi-factor authentication, and use a variety of different strategies including:
After the initial compromise and theft of session tokens, they put significant effort into remaining stealthy, hiding their activity by installing applications or by logging in indirectly through Microsoft-hosted endpoints such as outlook.office.com or Azure.
The threat actors use different service providers for different purposes, including password spraying, scanning, and running as relays. They frequently pivot between the different host blocks, using one for initial compromise and another for ongoing monitoring of mailboxes. By doing so, they make it even more difficult to track.
It's important to note that this is an ongoing investigation. As such, we omitted IoCs from the article to ensure we can continue working with authorities.
Before diving into the three stories, here are steps every business should take to strengthen their security posture against these attacks.
Building up such an extensive infrastructure takes time and resources that demand a significant return. The threat actors behind this are financially motivated, sophisticated, and leverage operational security practices to evade attribution and detection, as evidenced by the following three stories.
Target Organization: Small non-profit
Attacker Target: An individual supporting the non-profit’s operations with access to financials.
Attacker Objectives: Compromise the target's Microsoft 365 identity to uncover potential opportunities for financial gain.
Detection Challenges: The business was pre-infected prior to deploying Todyl. The threat actor used very manual, low and slow tradecraft that was virtually indistinguishable from typical user activity.
Todyl Detection: Upon ingesting just three days’ worth of Microsoft 365 and Azure data, our anomaly framework detected the attempted BEC.
Todyl Response: Todyl SOAR automatically revoked access at the same time the alert triggered. We identified an attempt to change payment destinations for an invoice, sent an alert, and closely coordinated to prevent the transfer from occurring.
Target Organization: Mid-size manufacturer
Attacker Target: The attack began with executives in product development and supply chain—likely an opportunistic approach—and possibly indicative of purchased credentials. Both users were attacked on the same day within an hour.
Attacker Objectives: Pivot more deeply into the organization, specifically targeting users related to finance or accounting. Infiltrate the target’s Microsoft 365 identity to identify opportunities for financial gain.
Detection Challenges: Threat actors target internal infrastructure, such as SharePoint, for several reasons:
Todyl Detection: Todyl detected anomalous access and SharePoint file creation. The configuration was set to detect-only and neither SOAR nor MXDR was enabled.
Todyl Response: Despite not having MXDR enabled, we closely coordinated to ensure access was completely reset for all the affected users prior to any exfiltration.
Target Organization: Small accounting firm
Attacker Target: The initial foothold was an individual accountant.
Attacker Objectives: Pivot to other internal staff to intercept and modify payment instructions.
Detection Challenges: If installation of the software is allowed, further login activity is not required. The user’s mailbox can be cloned, and further access to mail is allowed directly without login.
Todyl Detection: Todyl triggered an immediate alert based on a rogue application ID. Further analysis showed the threat actor assembling a list of potential victims and creating emails for a spearphishing campaign to internal and external targets.
Todyl Response: The business did not yet have our MXDR services or SOAR configuration in place, and was promptly notified via SIEM to take action and revoke the application.
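The third story's detection challenge, mailbox access continuing through a consented application with no further login, is what an application-ID rule has to surface. Added example, not Todyl's rule: it uses a simplified, assumed audit schema (Operation, UserId, AppId, Permissions) and constructed records, with placeholder app IDs and a placeholder allow-list.

```python
from datetime import datetime

# Constructed audit records in a simplified schema assumed for this example:
# the user consents to an unknown app requesting mailbox scopes, after which
# the app reads mail repeatedly with no new interactive login by the user.
APPROVED_APPS = {"aaaaaaaa-0000-0000-0000-approvedapp1"}  # placeholder allow-list
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
SAMPLE_AUDIT = [
    {"CreationTime": "2024-11-05T13:02:00", "Operation": "UserLoggedIn",
     "UserId": "acct@example.org", "AppId": None},
    {"CreationTime": "2024-11-05T13:03:30", "Operation": "Consent to application.",
     "UserId": "acct@example.org", "AppId": "bbbbbbbb-1111-2222-3333-rogueapp0001",
     "Permissions": ["Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"CreationTime": "2024-11-05T19:45:00", "Operation": "MailItemsAccessed",
     "UserId": "acct@example.org", "AppId": "bbbbbbbb-1111-2222-3333-rogueapp0001"},
    {"CreationTime": "2024-11-06T03:12:00", "Operation": "MailItemsAccessed",
     "UserId": "acct@example.org", "AppId": "bbbbbbbb-1111-2222-3333-rogueapp0001"},
    # Benign: a consent to an allow-listed app is not reported.
    {"CreationTime": "2024-11-05T13:05:00", "Operation": "Consent to application.",
     "UserId": "ops@example.org", "AppId": "aaaaaaaa-0000-0000-0000-approvedapp1",
     "Permissions": ["Mail.Read"]},
]

def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def find_rogue_app_access(records, approved=APPROVED_APPS):
    """Flag consents to apps outside the allow-list that request mail scopes,
    and count the mailbox access that app performed afterwards alongside any
    new interactive logins by the user (none are needed once the app is in)."""
    findings = []
    for c in (r for r in records if r["Operation"] == "Consent to application."):
        scopes = set(c.get("Permissions", [])) & MAIL_SCOPES
        if c["AppId"] in approved or not scopes:
            continue
        t0 = _ts(c)
        later = [r for r in records if r["UserId"] == c["UserId"] and _ts(r) > t0]
        findings.append({
            "user": c["UserId"],
            "app_id": c["AppId"],
            "mail_scopes": sorted(scopes),
            "mail_access_after_consent": sum(
                1 for r in later if r["Operation"] == "MailItemsAccessed"
                and r.get("AppId") == c["AppId"]),
            "user_logins_after_consent": sum(
                1 for r in later if r["Operation"] == "UserLoggedIn"),
        })
    return findings
```

A finding with mailbox access but zero user logins after consent is the signature the story describes; the response is to revoke the application's consent and service principal, not just to reset the user's password.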
Our investigation highlights the importance of having ITDR with ML-powered behavioral detections to identify and stop threats early. Most BEC and ITDR solutions depend on static, signature-based rules to detect activities like impossible travel and mail forwarding, which can be noisy, unreliable, and are often triggered well after initial access.
Threat actors are aware of what triggers traditional detection rules for identity-based attacks and BEC. This makes it crucial to look for anomalies, instances where behavior deviates from a user’s expected activity, to identify threats that would otherwise go undetected.
At Todyl, our anomaly framework lives in Todyl Managed Cloud SIEM and is fully integrated with our SOAR module, resulting in earlier, high fidelity detections with minimal noise that can automatically shut down initial access. Our anomaly framework uses ML rules to correlate anomalies, linking seemingly unrelated activities together. By doing so, security teams can detect threats earlier while simultaneously improving true positive rates.
By leveraging this ML-powered anomaly framework, we address the deficiencies of static and signature-based detection techniques. This enables a different approach to ITDR at Todyl, included in our MXDR offering, providing fewer false positives, faster detections, and improved security outcomes.