🟢 DISCOVER DETOX FOR MICROSOFT 365 COPILOT : 2 STEPS TO REDUCE DATA EXPOSURE! START YOUR RISK ASSESSMENT 👉

Security

11 September 2018

Business Email Compromise – why the fuss?

Illustration of an business email compromise

BEC is perhaps the latest, or maybe hottest, security scare acronym – Business Email Compromise. It’s a catchall term which reflects the fact that ‘email is still the number one threat vector facing organisations1.

And that’s for two reasons: it’s constantly used for broad sharing of information within and outside of the business, and it’s also your digital identity – if I can access your email, I can be you. But… this has all been true for decades. So what’s new?

I think it’s this: typically, when people think about email security they think about viruses, malware, and phishing. And when we think about email scams, the most high profile ones are phishing related. The level of sophistication can be phenomenal – just look at how detailed this attacker got in order to extract substantial funds.

So here’s the new bit (yes, I’m finally getting there): in a substantial number of cases, attackers are actually compromising a corporate mailbox.  I don’t mean they are sending really, really good fake emails, I mean they’ve actually got the credentials to log into the CEO’s email, or someone else in the business.  Recent research found that 44% of organisations were victims of account takeover-based and related types of attacks2.  This makes it pretty much impossible for anyone in the company to spot when the email they receive was not really from the purported sender. 

In a recent example at Save the Children, ‘hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan’3.  Just a few days ago, thousands of sensitive documents were stolen by hackers in a cyber-attack on the investment bank Evercore: the hackers gained access a PA’s inbox, leading to the theft of huge numbers of documents and emails4.

Some subtle attackers have a different approach: compromise the account, but don’t send any emails.  Instead, simply put in place an inbox rule to forward emails from the compromised account to the attacker. Numerous customers have told me they have suffered from precisely this attack (no, not giving any names, sorry), and it’s even possible to hide the rules so they cannot be seen in an Outlook client5.

Which all leads to two really good questions:

  • How is it happening?
  • How do I protect my company?

The answer to the first is, unsurprisingly, not straightforward.  Phishing of one sort or another is frequently the starting point, and there’s an increasing number of vectors which are now defeating even multi-factor authentication (MFA). That’s a bit too detailed for this article and is well worth a blog on its own, so watch this space – I’ll get right to it.

And for the second, no big surprise, no single answer. User awareness education helps (reducing the chance that your team members succumb to phishing attacks, helping them identify malicious WiFi, etc). Automated tools to identify dodgy emails and rogue websites, can be part of your armoury. And as I imply above, MFA makes it tougher, but not impossible, for the attacker.

Ultimately, though, all these approaches can be, and in many cases will be, defeated. This leaves you with perhaps the most critical defence: monitoring and detection. You need to identify immediately an attacker has compromised an email account in your environment.  This can be done by accurate analysis of typical user behaviour and is at the heart of the IDECSI MyDataSecurity. I won’t say more here, but this earlier blog post gives you a good flavour.

A few words about Ben Miller

Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing new technologies to market, which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.

[1] https://blog.barracuda.com/2018/02/28/why-email-still-reigns-as-number-one-threat-vector-and-what-to-do-about-it/
[2] https://www.agari.com/insights/analyst-research/best-practices-against-phishing-ransomware/
[3] https://www.bostonglobe.com/business/2018/12/12/hackers-fooled-save-children-into-sending-million-phony-account/KPnRi8xIbPGuhGZaFmlhRP/story.html
[4] http://www.thetimes.co.uk/article/19866a34-061c-11e9-aef4-fa8d5c1f7f40
[5] https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/

Our articles

These articles may
interest you

Microsoft Copilot: 5 advice for data access secure
Microsoft 365
Security
Trends

Microsoft Copilot: 5 advice for data access secure

Lire l'article
Illustration of a dangerous share in Microsoft 365
Microsoft 365
Security

How to reduce the risk of shared data in Microsoft 365

Lire l'article
Access review
Security

M365 Collaboration Tools Access Review

Lire l'article
Classification with MIP
Microsoft 365
Security

Classify and protect sensitive data: focus on MIP

Lire l'article

Data protection, let's discuss your project?

 

Contact us
video background