Protecting Against BEC Attacks
A combination of technical and non-technical security controls can mitigate business email compromise attacks.
By: Troy Bettencourt, Director - Incident Response
In business email compromise (BEC) attacks, a threat actor usually compromises a corporate email account and uses that account to send fraudulent emails. Based on Secureworks® incident response engagements, the most common approaches for stealing money are email chain injection and C-level fraud:
- In email chain injection, the threat actor intercepts an existing payment-related email chain, impersonates the owner of the compromised account, and requests a change to payment information (usually modifying the routing information to redirect the payment to the threat actor's bank account and sometimes increasing the amount due as well).
- C-level fraud involves a threat actor compromising an executive's email account and then impersonating the executive to instruct accounting or finance staff to send funds to a specified bank account. The emails are often positioned as an emergency (e.g., the CEO is traveling and immediately needs funds for a deal, a large vendor is upset about a missed or erroneous payment), and a sense of urgency is used to pressure the targeted employee to react quickly.
Multiple security controls can help prevent the initial account compromise, alert defenders about suspicious activity, or establish processes to thwart efforts to steal money. There are two main types of security controls: technical and non-technical.
BEC attacks often begin with a phishing email that directs the recipient to a fake login page where the threat actor can harvest credentials. The page typically mimics the legitimate login page of a commonly used platform such as O365, Gmail, Yahoo, Adobe, or DocuSign. Technical controls can make it more difficult for the threat actor to steal credentials by blocking access to the credential-harvesting websites:
- Deploy a web filter to block the fake login pages. Web filters can block known-bad websites as well as sites that do not have a reputation score. Many threat actors rotate their infrastructure once it is classified as malicious, so it is important to also filter newly created sites. Websites that do not have reputation scores could be new versions of the malicious sites. Blocking websites with no reputation score can help mitigate BEC attacks but can also impact business operations. Organizations should consider the potential implications when implementing web filtering and continually adjust as appropriate.
- Defang malicious links. Some email security solutions can defang or redirect malicious hyperlinks that are embedded in phishing emails. While this control can cause some disruption to business operations, Secureworks incident responders have observed successful implementation in customer environments.
If user credentials are stolen, other controls can mitigate the impact:
- Implement multi-factor authentication (MFA). MFA is the most effective control to limit threat actors' ability to use stolen credentials. In addition to mitigating BEC attacks, MFA also helps prevent credential-based attacks against a network perimeter (e.g., Remote Desktop Protocol (RDP), virtual private networks (VPNs), Citrix) and can slow the threat actors' lateral movement if they gain access to a network.
- Consider geo-blocking. This control blocks logins from countries where users are not typically located. This option is more straightforward for organizations without international operations, but international organizations can block countries where they do not have a presence. Geo-blocking can create challenges when employees travel and then check their mail. Additionally, threat actors sometimes use infrastructure (e.g., VPN services, open proxies, or compromised hosts) located in the same country as the victim. This tactic can defeat geo-blocking, but geography-based controls such as impossible-travel detection add another layer of protection.
- Disable legacy authentication methods. Login methods such as IMAP and POP are commonly used by email clients like Outlook or native email apps on mobile devices that do not support MFA. Microsoft Azure Conditional Access policies can control legacy authentication usage more tightly if necessary.
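The impossible-travel control mentioned above, as an added example that is not Secureworks' code: it walks a user's sign-ins in time order, computes the great-circle distance between consecutive login locations, and alerts when the implied speed could not be achieved physically. The sign-in records and the 1,000 km/h threshold are constructed assumptions; a real deployment would feed it geolocated sign-in logs and tune the threshold.

```python
# Added example: "impossible travel" detection over constructed sign-in records.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins: (user, UTC timestamp, latitude, longitude, country)
SIGNINS = [
    ("alice", "2024-03-04T08:05:00", 33.75, -84.39, "US"),   # Atlanta
    ("alice", "2024-03-04T09:10:00", 51.51, -0.13, "GB"),    # London, 65 min later
    ("bob",   "2024-03-04T08:00:00", 40.71, -74.01, "US"),   # New York
    ("bob",   "2024-03-04T14:30:00", 34.05, -118.24, "US"),  # Los Angeles, 6.5 h later
]

MAX_KMH = 1000.0  # assumed ceiling (roughly airliner speed); tune per organization


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_KMH):
    """Return one alert per consecutive login pair whose implied speed exceeds max_kmh."""
    alerts = []
    last = {}  # user -> (timestamp, lat, lon, country) of the previous sign-in
    for user, ts, lat, lon, country in sorted(signins, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon, pcountry = last[user]
            # Floor the gap at one minute so two near-simultaneous logins cannot divide by zero.
            hours = max((t - pt).total_seconds() / 3600.0, 1 / 60)
            km = haversine_km(plat, plon, lat, lon)
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": pcountry, "to": country,
                               "km": round(km), "speed_kmh": round(speed), "at": ts})
        last[user] = (t, lat, lon, country)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

Bob's cross-country trip stays below the threshold and produces no alert; Alice's Atlanta-to-London hop in 65 minutes does.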
Secureworks incident responders have observed an increase in “MFA bombing.” In these attacks, threat actors generate a series of MFA prompts to convince the targeted user to grant access. Victims often comply because they want to make the requests stop or they assume that the repetition is normal behavior.
Based on Secureworks incident responders' experience, this tactic is particularly effective during evenings, weekends, and the start of the business day. Organizations can limit the effectiveness of this attack by requiring users to manually enter an MFA code when accepting or denying the request. Some implementations include a map in the MFA prompt to indicate where the request originated. Training users to confirm that the request came from their physical location further increases the organization's security posture.
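Detection logic for the MFA-bombing pattern described above, as an added example that is not Secureworks' code: it counts MFA push prompts per user in a sliding window, raises a medium-severity alert for a burst, and raises severity to high when an approval follows a run of denials or timeouts (the user giving in). The events, the burst size of four prompts in ten minutes, and the business-hours definition are constructed assumptions; timestamps are treated as the user's local time.

```python
# Added example: flag bursts of MFA prompts and an approval that follows them.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (user, local timestamp, result)
EVENTS = [
    ("carol", "2024-03-09T22:01:00", "denied"),    # Saturday evening
    ("carol", "2024-03-09T22:01:40", "timeout"),
    ("carol", "2024-03-09T22:02:15", "denied"),
    ("carol", "2024-03-09T22:03:05", "timeout"),
    ("carol", "2024-03-09T22:03:50", "approved"),  # user gives in to stop the prompts
    ("dave",  "2024-03-11T08:30:00", "approved"),  # ordinary Monday-morning login
    ("dave",  "2024-03-11T13:15:00", "approved"),
]

BURST_COUNT = 4                 # prompts inside WINDOW that count as a burst (assumption)
WINDOW = timedelta(minutes=10)


def off_hours(t):
    """Evenings and weekends, when the page notes the tactic is most effective (assumed hours)."""
    return t.weekday() >= 5 or not 7 <= t.hour < 19


def mfa_bombing_alerts(events, burst_count=BURST_COUNT, window=WINDOW):
    """Sliding-window count of MFA prompts per user; returns at most one alert per user."""
    alerts = {}
    recent = {}  # user -> deque of (timestamp, result) within the window
    for user, ts, result in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        q = recent.setdefault(user, deque())
        q.append((t, result))
        while q and t - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) < burst_count:
            continue
        # An approval after nothing but denials/timeouts is the "gave in" signature.
        gave_in = result == "approved" and all(r != "approved" for _, r in list(q)[:-1])
        severity = "high" if gave_in else "medium"
        current = alerts.get(user)
        if current is None or (severity == "high" and current["severity"] != "high"):
            alerts[user] = {"user": user, "severity": severity, "prompts": len(q),
                            "last_result": result, "at": ts, "off_hours": off_hours(t)}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in mfa_bombing_alerts(EVENTS):
        print(alert)
```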
User behavior is the most difficult factor to control and predict, and users often contribute to security failures. By training employees to recognize common BEC tactics and establishing internal processes to verify requests and report suspicious activity, organizations can significantly reduce risk.
Implementing the following non-technical controls for account changes or large payments can help organizations detect BEC attempts. In multiple Secureworks incident response engagements, the victims could have avoided losses of hundreds of thousands of dollars by applying these controls.
- Implement a "two-person" rule. A second employee should review a request to modify payment information and should verify proper implementation if the request is deemed legitimate. Some organizations require this sanity check for all changes, while others set a monetary threshold for when this check is required.
- Require telephonic/in-person verification. Employees must confirm the requested changes with the established point of contact via a telephone call or in-person meeting. The contact's phone number should be obtained from the internal employee directory or from the customer relationship management (CRM) or vendor management solution. Email cannot be trusted, as a threat actor may control the account.
Additionally, organizations can create a culture in which employees are encouraged to challenge non-standard requests (e.g., payment and account changes). The employees should feel safe from retribution, even when questioning management staff and external vendors. Their suspicions and diligence could save the organization thousands of dollars, if not more.
In addition to the financial impact of BEC attacks, organizations can experience reputational damage and loss of customers' trust. Combining technical controls with non-technical controls is key to guarding against these attacks.
To help customers mitigate BEC, Secureworks researchers created a Business Email Compromise detector in the Taegis™ XDR platform. Learn more about Taegis XDR and register for a free trial. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.