Arctic Wolf recently published a survey of attacks from the first half of 2022 and found that there was a significant uptick in Business Email Compromise attacks.
In the first quarter of 2022, the percentage of BEC attacks was 17.1%; in the second quarter, it was 33.9%. The finance industry, insurance and government sectors were the hardest hit.
Business Email Compromise has become the most financially damaging attack. Why? Because it's very difficult to say no to what looks like a legitimate email from your boss. And without malware or malicious links, it's incredibly difficult for security services to uncover.
Think about this example that we wrote about in our Attack Briefs.
The user is presented with an email from the CFO of this major corporation. The CFO asks the recipient of the email to make payment to this insurance company. West Bend Mutual is a legitimate company; even more clever is the fact that the URL in the from address takes from their slogan. However, this is clearly a fake, as the “reply-to” address at the top of the email differs from the company’s email address. You’ll notice the banner that shows the email wasn’t from the displayed sender. This was added by the tenant’s generic Office 365, not Proofpoint. It is the only thing that alerted the end-user that something was amiss.
Beyond that, hackers are able to send tons of these attacks out at once, as we saw in this example that overtook student accounts. This is a volume-based attack; gain a lot of small victims and it quickly adds up.
To protect against BEC, you need internal context.t. What does this mean? It means
that the security solution has an understanding of the context of conversational relationships within an organization. If a solution monitors only inbound email, when they see an email from the ‘CEO’ to the ‘CFO’, it will be the very first time it has seen such a conversation. For an email solution that is deployed inside the cloud email server, it will see thousands of similar real, internal conversations. From there, the solution can understand if this is a typical conversation or not. Within hours of the first deployment, Avanan’s AI scans a year’s worth of email conversations to build a reputation network, the type of internal context that alerts the AI to something suspicious. That gives Avanan an idea of what’s normal and what’s not.
Avanan also scans and quarantines internal email and files in real-time, protecting against east-west attacks and insider threats.
With BEC, sometimes the executive is spoofed and the sender address is different than the actual one. But other times, the account can be fully taken over. In that case, full-throttled account takeover protection is needed. With our anomalies engine, we can determine whenever there is a foreign login.
We can notify admins or send notifications to SIEMs/orchestration systems to disable an account until an MFA and/or password reset is made. Beyond that, our event analysis algorithm identifies behavior that can be a sign of account takeover. We do a historical scan that monitors over 100 event indicators and correlates them to identify previously compromised accounts. Among the many things we monitor:
- New logins from new devices, locations or browser
- Suspicious mailbox configurations
- Disabling of multi-factor authentication
- Multiple password resets in short periods of time
- By coordinating these indicators, we can understand when an account might be in the process of being taken over, and block it accordingly
BEC can cause an organization harm--but it doesn't have to. With the proper tools and sophisticated AI, it doesn't to ruin your business and cause monetary loss.