1.0 Introduction
Welcome back to SecureSky's series on Business Email Compromise (BEC) Attack and Detection!
In Part 1 of this blog series, we introduced BEC attacks, and discussed why BEC attacks are increasing. In Part 2, we used recent BEC investigations to discuss how BEC attacks work against O365 environments. In Part 3, we discussed key Office 365 (O365) configuration settings that organizations can implement to protect against BEC attacks. In Part 4, we discussed key logging and auditing capabilities in O365 that can help organizations detect BEC attacks against their environment.
In this post, Part 5 of the series, we discuss how employees can detect BEC attacks against their environment, as well as how to identify situations where a BEC attack has already been successful and an attacker may be accessing the user's account.
The remainder of this series will focus on how employees can tell when they have been targeted by BEC (Part 5). The final post in this series will speculate about what the organizational structure of a BEC attacker might look like (Part 6).
2.0 Resources for Office 365 Security Configuration
This blog series is focused on Business E-mail Compromise. The recommendations provided in these blogs are BEC-focused and should not be considered to be comprehensive guidance for securing an Office 365 environment.
If you are looking for broader guidance for securing Office 365, refer to the CIS Benchmark for Microsoft 365, or to Microsoft’s Secure Score. If you require a third-party review of your Office 365 environment, SecureSky delivers Office 365 assessment and MDR services that help organizations secure, monitor and respond to threats against their Office 365 environment.
3.0 How to Identify BEC Attacks
Business e-mail compromise attacks are often sent from legitimate accounts, and can be extremely difficult to identify. They often will not include attachments, and do not require malware. Some indicators of BEC attacks include:
Normal Phishing Rules Apply
Many of the concepts users learn to identify phishing emails apply to BEC emails as well. These include:
- Confirming that recipient or reply-to addresses are valid and do not use phishing domains (e.g., confirm that email is going to intendeddomain.com, not intendedd0main.com).
- Only clicking on links that are trusted with absolute certainty.
- Being wary of URL shorteners, which hide the real destination of a link.
Two Office 365 configuration options can help users more readily identify potential phishing attacks. The first is implementation of e-mail flow phishing protection (details of this setting were presented in Part 4 of this blog series, Configuration of Office 365 to Detect BEC Attacks). The second is implementation of Exchange MailTips, which can help users identify when they are sending e-mails to external addresses.
‘reply-to’ address doesn’t match ‘From’ address
Users should be aware of scenarios where an email's 'reply-to' address is different from the 'From' address; this is often a sign of fraud. For instance, an email may be from 'firstname.lastname@example.org', but the reply is sent to 'email@example.com'.
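The checks above (look-alike domains, URL shorteners, and a Reply-To that does not match From) can be applied mechanically to a raw message. The following is an added example written for this post, not code from SecureSky; the sample message, the trusted-domain list and the homoglyph table are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original post): From is the real partner domain,
# Reply-To points elsewhere, and the body has a URL shortener and a look-alike domain.
SAMPLE_EMAIL = """\
From: Accounts Payable <ap@intendeddomain.com>
Reply-To: ap.invoices@example.com
To: finance@intendeddomain.com
Subject: Updated remittance details

Please review the invoice at https://bit.ly/abc123 and confirm the
new bank account at http://portal.intendedd0main.com/login
"""
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Digit-for-letter swaps common in look-alike domains (an assumed, partial list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain):
    """Fold common substitutions so a look-alike compares equal to the real domain."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def domain_of(header_value):
    """Bare domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def lookalike_of(host, trusted):
    """Return the trusted domain that host imitates, or None if host is genuine."""
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None
    return next((t for t in trusted if normalize(host).endswith(normalize(t))), None)

def check_message(raw, trusted):
    """Apply the indicators from the post and return human-readable findings."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    for dom in (from_dom, reply_dom):
        if dom and (hit := lookalike_of(dom, trusted)):
            findings.append(f"look-alike sender domain {dom} resembles {hit}")
    for url in re.findall(r"https?://[^\s<>'\"]+", msg.get_payload()):
        host = re.match(r"https?://([^/:]+)", url).group(1).lower()
        if host in URL_SHORTENERS:
            findings.append(f"URL shortener hides the destination: {url}")
        elif hit := lookalike_of(host, trusted):
            findings.append(f"look-alike link domain {host} resembles {hit}")
    return findings
```

Running `check_message(SAMPLE_EMAIL, ["intendeddomain.com"])` reports all three indicators; a clean message from the trusted domain with no links reports none.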
Requests for payment remittance changes
Sudden changes to payment remittance details from commercial partners are all signs of BEC attempts: for example, requests that the organization send payment to a different bank account, an announced change of address for payment, or a new company name to which payments should be addressed.
Login required to access materials
BEC requests often steal login credentials by redirecting users to third-party sites in order to view work documents, such as invoices. As part of general awareness, users should always be suspicious when email links redirect to login pages, and should always confirm the authenticity of the site they are connecting to.
4.0 How to Recognize if you have been successfully targeted in a BEC attack
Because Business E-mail Compromise attacks are difficult to catch, users should also have awareness of indicators to look for if they have already been successfully compromised. Examples of those indicators are presented below:
Changes to Email Forwarding Rules
Unauthorized changes to email forwarding rules are a sign that a BEC attacker has compromised the account. Notifications such as the following in an account should be immediately investigated in the environment:
Unrecognized Messages in Sent or Deleted Items folder
Users should periodically check their Sent Mail and Deleted Items folders to confirm that messages in the folder appear appropriate. BEC actors will often send or forward messages to their own accounts from compromised accounts.
Undeliverable Messages of Unknown Origin Being Returned to Your Inbox
If a user notices one (or, more likely, a group) of undeliverable messages in their inbox, it is possible that a BEC actor has been sending bulk messages from their account.
Changes to Email signature or contact information
Unauthorized email signature changes (e.g., changes to the signature address or phone number) are also a sign that an attacker has accessed a user account and is changing settings to ensure that the attacker is the recipient of communications.