
Beyond Awareness: Advanced Strategies to Stop BEC Attacks in Their Tracks

Pondurance
September 2, 2024

Business email compromise (BEC) attacks typically involve a threat actor gaining access to a legitimate email account through phishing and using it to manipulate internal communications, such as deceiving employees into transferring money or sharing sensitive data. This past week, along with colleagues Kamran Salour and Ryan Cook from Lewis Brisbois, we presented a webinar discussing how organizations can reduce risks and mitigate damages from these insidious types of cyber threats. 


The frequency of such attacks has increased in recent years. In 2023, the FBI’s Internet Crime Complaint Center received 21,489 BEC complaints with $2.9 billion in adjusted losses. Additionally, the IBM Cost of a Data Breach Report 2024 found that 10% of BEC attacks also resulted in a breach of personally identifiable information (PII) at the compromised organization, requiring notification of regulators and affected individuals under applicable U.S. federal and state data breach laws.


Pondurance also has witnessed a rise in BEC activity. In 2024, approximately 40% of all new digital forensics and incident response (DFIR) cases seen by the Pondurance team involved BEC. Our team found that two primary factors contributed to this volume: multifactor authentication (MFA) bypass, and security products and services that were purchased but never fully configured.


Chart courtesy Security Week, March 7, 2024.


In this article, we will delve into each of these factors, looking at how to use various cybersecurity tools and techniques to detect and mitigate BEC attacks in their early stages and suggesting best practices to prevent an attack.


MFA bypass

For the past few years, experts have stressed the importance of enabling MFA on every account and service, some even touting MFA as a “cure-all” for many use cases. So when the Pondurance team tells organizations that 92% of the BECs it sees occur where MFA was already fully enabled, the organizations are surprised and want to know how threat actors get past it.


Threat actors are constantly evolving their skills and searching for new ways to gain access to valuable data for financial gain. In 97% of all BEC cases seen by the Pondurance team, threat actors used readily available phishing kits. These kits stand up a look-alike site, for instance a fake Microsoft login page, that acts as a proxy in front of the real one (an adversary-in-the-middle, or AiTM, attack). The user enters a username and password, is prompted for an MFA code, and enters that too; the kit relays each value to the genuine Microsoft login in real time, so the login succeeds and Microsoft issues a session cookie, which the proxy captures. At that point, the threat actors hold the user’s username, password, and session token. By replaying that token they are treated as an already-authenticated session for as long as it remains valid, with no further MFA prompt. They have successfully bypassed MFA. This works against any MFA method where the user types or approves a code on a page they cannot verify (SMS codes, authenticator-app codes, push approvals); phishing-resistant methods such as FIDO2 security keys and passkeys bind the credential to the genuine site’s origin, so a proxy on a look-alike domain cannot obtain a usable response.


This scenario vividly illustrates the critical need for comprehensive security training for all users with access to an organization’s applications, especially cloud-hosted ones. Even with robust technologies like MFA in place, the human factor remains one of the most vulnerable points in any security strategy. By educating employees on recognizing phishing attempts, safe browsing habits, and the importance of verifying the authenticity of login requests (including checking the domain in the address bar before entering credentials or an MFA code), organizations can significantly reduce the risk of unauthorized access. A well-informed workforce is an essential line of defense against increasingly sophisticated cyber threats, fostering a culture of cybersecurity awareness that protects both the organization and its valuable data.


Optimization

IT and security teams purchase cybersecurity products and services with the best intentions of keeping threat actors out of their networks and away from their users. Yet tools such as endpoint detection and response (EDR) software are frequently deployed without the careful, precise configuration needed to limit a threat actor’s ability to evade detection, and the remaining features of those tools are never fully enabled. Conditional access policies must be tuned to the organization’s actual users, devices, and locations, and alerts must be set up, carefully monitored, and fine-tuned periodically to catch real threats while minimizing false positives.


There is also a recent trend among vendors of gating security features behind higher-tier licenses, for example Microsoft 365 E3 or E5. But many organizations that hold these higher-tier licenses never configure the features they paid for: they do not use the products to their full capacity and do not realize that some security features now require the higher tier. In addition, given the difficulty of attracting and retaining qualified cybersecurity talent in today’s market, organizations often benefit from tapping outside experts and managed detection and response (MDR) services to get expert attention on the setup and configuration of key security products.


Early detection

The earlier an in-house team or service provider can identify suspicious activity in the network, the better. At Pondurance, our MDR and always-on security operations center (SOC) team has extensive experience catching BECs in the early stages of an attack, in a couple of different ways. First, it is physically impossible for a user to be in two places at once, so we correlate the on-premises network sensor with Microsoft sign-in logs and watch for the same account authenticating from two different places at the same time. When the team sees that, it is a telltale sign that something bad is happening. Second, our MDR leverages machine learning and SOAR (security orchestration, automation, and response) technology to help analysts triage alerts and to automate the escalation of threats, ensuring a faster response. After all, when an organization is confronted with a malicious threat actor, every minute counts.
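The two signals described above, the “two places at once” correlation between a network sensor and Microsoft sign-in logs, and the replay of a stolen session token from the AiTM scenario in the MFA bypass section, can both be expressed as simple log-correlation checks. The following Python is an added example written for this page, not Pondurance’s tooling; the event records, field names, IP addresses, and session IDs are constructed for illustration and do not reflect any real telemetry format.

```python
"""Correlate constructed network-sensor and Microsoft sign-in events to flag
two BEC signals: (1) a user seen on the office network while a cloud sign-in
for the same account arrives from a different IP at the same time (in an
AiTM attack that IP is the phishing proxy's), and (2) one session ID
presented from more than one IP, i.e. a replayed session token."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed network-sensor events: the user is physically on the office
# network (egress 203.0.113.10). Field names are hypothetical.
SENSOR_EVENTS = [
    {"ts": "2024-08-26T13:01:10Z", "user": "jdoe", "src_ip": "203.0.113.10"},
    {"ts": "2024-08-26T13:03:00Z", "user": "asmith", "src_ip": "203.0.113.10"},
]

# Constructed Microsoft sign-in events (session IDs are hypothetical).
# jdoe's first sign-in comes from 198.51.100.77 while the sensor sees jdoe at
# the office; the same session is later presented from 192.0.2.200 with no
# MFA challenge, which is what a replayed token looks like.
SIGNIN_EVENTS = [
    {"ts": "2024-08-26T13:02:05Z", "user": "jdoe", "ip": "198.51.100.77",
     "session": "s-1", "mfa": True},
    {"ts": "2024-08-26T13:03:20Z", "user": "asmith", "ip": "203.0.113.10",
     "session": "s-2", "mfa": True},
    {"ts": "2024-08-26T15:40:00Z", "user": "jdoe", "ip": "192.0.2.200",
     "session": "s-1", "mfa": False},
]


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_two_places(sensor_events, signin_events, window=timedelta(minutes=10)):
    """Return sign-ins where the sensor saw the same user from a different IP
    within `window`. A sign-in from the office egress IP is not flagged, so
    normal on-network use (asmith) stays quiet."""
    seen_on_network = defaultdict(list)
    for ev in sensor_events:
        seen_on_network[ev["user"]].append((parse_ts(ev["ts"]), ev["src_ip"]))

    alerts = []
    for si in signin_events:
        t = parse_ts(si["ts"])
        for seen_at, sensor_ip in seen_on_network.get(si["user"], []):
            if abs(t - seen_at) <= window and sensor_ip != si["ip"]:
                alerts.append({"user": si["user"], "sensor_ip": sensor_ip,
                               "signin_ip": si["ip"], "ts": si["ts"]})
                break  # one alert per sign-in is enough
    return alerts


def find_token_replay(signin_events):
    """Return {session_id: [ips...]} for sessions presented from more than
    one source IP. A legitimate session normally stays on one IP; a stolen
    cookie shows up as a second IP on the same session, usually without a
    fresh MFA prompt."""
    ips_by_session = defaultdict(list)
    for si in signin_events:
        if si["ip"] not in ips_by_session[si["session"]]:
            ips_by_session[si["session"]].append(si["ip"])
    return {sess: ips for sess, ips in ips_by_session.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in find_two_places(SENSOR_EVENTS, SIGNIN_EVENTS):
        print("two-places:", a)
    for sess, ips in find_token_replay(SIGNIN_EVENTS).items():
        print("token-replay:", sess, ips)
```

Run as-is, the script flags jdoe’s 13:02 sign-in (office sensor at 203.0.113.10, cloud sign-in from 198.51.100.77 within ten minutes) and session s-1 (seen from two IPs); asmith, who signed in from the same egress IP the sensor saw, is not flagged. In production the same logic needs a list of known corporate egress and VPN addresses so that split-tunnel or mobile users do not generate noise, and the replay check should weigh a second IP far more heavily when the later sign-in carried no MFA claim.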


Best practices

Our team at Pondurance has compiled a list of best practices that organizations can implement to reduce the likelihood of a BEC attack. As mentioned earlier, phishing awareness training ranks as a top recommendation. Every organization carries human risk, so every employee needs to know how to recognize and avoid the phishing emails that lead to BEC. Training also helps the organization demonstrate intent and compliance with regulations covering cybersecurity, data privacy, and breach notification.


Following training, organizations need to identify which employees are at the highest risk of clicking on a malicious link in an email. For these “phish-prone” users, Pondurance suggests more frequent training and testing and, if that’s not enough, recommends restricting access and permissions to the bare minimum required for the job.


Conclusion

It is important for organizations to protect themselves from BEC attacks on many different fronts. In addition to phishing awareness and training, our list suggests several additional best practices, such as endpoint protection, the principle of least privilege, and continuous monitoring, to reduce the likelihood of an attack.


BEC attacks are on the rise, and organizations need to know why these attacks happen and how to safeguard their valuable data. Check out the complete list of Pondurance’s best practices to protect your organization against a BEC attack.



Authors:


Max Henderson

Max Henderson: Max Henderson is the Assistant Vice President of Digital Forensics and Incident Response at Pondurance. Max’s 10-year tenure at Pondurance has included casework featured on CBS’ 60 Minutes, while he also serves as a recurring speaker on cybersecurity at Yale University and as an expert contributor on cybersecurity to CNN. Max has earned advisory board status at SANS Institute for his exemplary scores on the GIAC Reverse Engineering Malware certification. Like many in DFIR, Max started and rose through the ranks from the Pondurance SOC and was the founding member of Pondurance’s DFIR practice. Max has contributed to various federal investigations and indictments related to cybercrime, drawing on several hundred forensics investigations involving ransomware, BEC, nation-state-funded attacks, zero-day vulnerabilities, and insider threats, and has provided expert witness testimony for cases at trial.




Dustin Hutchison

Dustin Hutchison: Dustin Hutchison is the Vice President of Services and Chief Information Security Officer at Pondurance. Dustin has over 20 years of experience in information security, risk management, and regulatory compliance. Prior to joining Pondurance, Dustin was a risk and compliance professional focusing on HIPAA, Payment Card Industry Data Security Standard, and risk assessments for new technology acquisitions ranging from infrastructure solutions to patient care devices. Dustin is also currently an adjunct professor at Ivy Tech Community College, Sullivan University, Embry-Riddle Aeronautical University, and University of the Cumberlands, teaching undergraduate through doctoral level technology and cybersecurity courses. Dustin’s Ph.D. dissertation topic focused on the adoption of cloud computing in healthcare.

