
Microsoft is releasing the fourth edition of Cyber Signals, a report on the trends, tactics, and solutions that matter most in the digital threat landscape. This edition highlights an increase in cybercriminal activity surrounding business email compromise (BEC). Between 2019 and 2022, Microsoft saw a 38% increase in this type of crime, representing an acceleration of cyberattacks costing organizations hundreds of millions of dollars a year.[i]
In 2022, the FBI Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 complaints involving domestic transactions with potential losses of more than US$ 590 million.[ii] BEC attacks stand out in the cybercrime industry for their emphasis on social engineering and the art of deception. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million attempted attacks, an average of 156,000 attempts per day.[iii]
Common BEC Tactics
Attempted BEC attacks can take many forms, including phone calls, text messages, emails, or social media outreach. Spoofing authentication request messages and impersonating individuals and companies are also common tactics.
Rather than exploiting vulnerabilities in unpatched devices, cybercriminals exploit the sheer volume of email and other message traffic to lure victims into providing financial information or taking a direct action, such as unknowingly sending funds to "money mules", who receive amounts from third parties in their accounts and help cybercriminals carry out fraudulent transfers.
Invented Emergencies
Unlike "noisy" ransomware with its strong and disturbing extortion messages, these cybercriminals play a quiet confidence game, using invented deadlines and urgency to spur recipients, who may be distracted or used to these types of last-minute requests. Instead of new malware, these cybercriminals align their tactics to focus on tools that improve the scale, plausibility and inbox success rate of malicious messages.
Microsoft sees a significant trend in the use of platforms such as BulletProftLink, a popular service for creating industrial-scale malicious email campaigns, which sells an end-to-end service including templates, hosting, and automated services for BEC. Cybercriminals using this cybercrime-as-a-service (CaaS) offering are also given IP addresses to help guide attack targeting.
The tool's decentralized link design includes Internet Computer public blockchain nodes to host phishing and BEC websites, creating a decentralized web structure that is even more sophisticated and difficult to disrupt. Distributing the infrastructure of these sites across the complexity and evolving growth of public blockchains makes identifying them and taking them down more complex.
“As a security executive, I am of the opinion that the use of residential IP addresses in a number of prominent attacks is cause for concern. Microsoft recognizes and shares the concerns of international federal agencies and other organizations that this trend could expand rapidly, posing significant challenges in terms of detecting suspicious activity using conventional alarms or notifications,” said Vasu Jakkal, Vice President of Security, Compliance, Identity and Privacy at Microsoft.
While cybercriminals have created specialized tools to facilitate BEC attacks, including phishing kits and lists of verified email addresses targeted at leaders in areas such as accounts payable and other specific functions, companies can use methods to preempt attacks and mitigate risks. Simeon Kakpovi, a senior threat intelligence analyst at Microsoft, says "all it takes is email compromise, credential phishing, social engineering and sheer determination."
Attacks targeting corporate email offer a great example of why cyber risk needs to be addressed cross-functionally with executives and leaders, finance officers, human resource managers and others with access to employee records such as social security numbers, tax returns, contact information, and calendars, along with IT, compliance, and cyber risk employees.
Recommendations for combating BEC
- Use a secure email solution: Today's cloud email platforms use AI capabilities such as machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the benefits of continuous, automatic software updates and centralized management of security policies.
- Protect identities to prohibit lateral movement: Protecting identities is a fundamental pillar in the fight against BEC. Control access to apps and data with Zero Trust and automated identity governance.
- Adopt a secure payment platform: consider switching from emailed invoices to a system specifically designed to authenticate payments.
- Train employees to identify warning signs: continually instruct employees to identify fraudulent emails and other malicious messages, such as a mismatch in domain and email addresses, and make them aware of the risk and cost associated with successful BEC attacks.
For more information and guidance on threat intelligence, including previous editions of Cyber Signals, visit Security Insider. To learn more about Microsoft security solutions, visit our website.
[i] Cyber Signals, Issue 4, Microsoft, 2023.
[ii] Internet Crime Complaint Center 2022 Statistics, FBI.
[iii] Cyber Signals. Ibid.













