Remember how all of those Nigerian rulers used to email you demanding large amounts of money? Of course, all you had to do was click that odd-looking link, give up your bank account information, and you’d be set for life.
(Finally, a compelling argument not to purchase any more Powerball lottery tickets.)
Well, that is the old-school version of the attack type now known as business email compromise (BEC).
While those noble Nigerian magnates have long since vanished, BEC has evolved into an even more devious and sophisticated machine over time, ensnaring even the most knowledgeable internet users.
The attackers behind BEC have become cleverer, which makes it hard for businesses to protect themselves from this fraud. Still, there are some noticeable signs that can tell you something is off.
What is a business email compromise (BEC)?
Before starting, you need to know what BEC is. It is a phishing scam that targets business executives and often involves a fraudulent offer or proposal. It is pretty similar to whaling (the targeted attacks against corporate C-level employees) and phishing.
For many of us, BEC is just linked to a wire transfer scam, but it is not only an email scam targeting the finance department. An organization’s IT department can also be a target of BEC scams. Now, you must be wondering whether people really fall for those shitty tricks. The answer is yes, and it happens more often than you might think.
Between late 2013 and early 2018, there were more than 70K BEC events in the United States and abroad, with victims from over 150 countries and 50 states.
BEC fraud has become so widespread that it is now the target of several law enforcement efforts. Organizations like the FBI and the US Department of Justice are working on this issue. The first-ever jury trial for BEC was held in the US last November.
A BEC takedown operation called Operation WireWire took place last summer, resulting in 74 arrests worldwide, including 42 in the United States. They seized almost $2.4 million and recovered roughly $14 million of fraudulent wire transfers.
Finally, the good news: there are several methods that you can use to detect BEC attacks and stop them.
Three common categories of BEC scams
1. CEO Impersonation
The scam starts with attackers sending an email to the target spoofing as if it comes from the CEO or another executive. The message contains some important information that needs immediate action, like a request for approval of payment or wire transfers. The attackers use several social engineering tricks to convince the targets that these messages are legitimate and gain their trust.
2. Full Account Takeover
In this type of BEC, attackers obtain the target’s email and Office 365 credentials and take full control of the user’s mailbox. This allows them to send requests for wire transfers without being noticed by anyone in the organization. According to a study from IDG Communications, more than 56 percent of organizations were victims of a data breach caused by their vendors.
3. False Invoice Scheme
This type of scam typically targets accountants and financial departments. Advanced cybercriminals modify genuine invoices’ bank account numbers while leaving the rest of the document untouched. They make it quite difficult to detect that an invoice is phony. The possibilities are endless from there. Some attackers add cash to the payment amount or generate a twin payment, among other popular hacking methods.
How to spot (and alert on) BEC activity
We’ve seen threat actors reuse certain methods to gain and maintain access to victims’ mailboxes through the Expel SOC’s investigative work responding to many BEC activities in Office 365 (O365). Take a look at this recent case, in which a threat actor used BEC to get access to a victim’s mailbox, then set up mailbox Inbox rules that redirected any emails containing the terms “statement,” “outstanding,” “past due,” “payment,” or “wire” to a Gmail account.
The following are typical hallmarks of crafty BEC attacks, as identified by our SOC analysts at Expel using the Expel Workbench in recent months.
We’ll go through some of the tactics we observed attackers employing time and again in this post so you can protect your own firm/organization. If you want to query your tools for certain activities, we’ll also provide log samples and example SIEM queries (through Sumo Logic). Moreover, we are also sharing our thoughts on how likely these rules will generate false positives.
You might have noticed that widely used attack methods have a common theme: the development of new mailbox rules. Why are we so focused on inbox rules? Because these scam artists, in general, create inbox rules to conceal evidence that their victims’ mailboxes were being used to spread those crafty BEC schemes.
The good news is that since attackers employ this method so frequently, it offers a fantastic detection opportunity.
Here is some evidence of the BEC attack attempts. If you spot any of these, you should be alerted right away.
1. Inbox rules to automatically forward emails to any of the following folders: RSS subscriptions, junk email or notes
Threat actors set up inbox rules that automatically move incoming mail into folders the victim rarely looks at: RSS Subscriptions, Junk Email or Notes.
In a recent investigation, we saw a threat actor create a rule that moved any email containing the word “WeTransfer” in the subject or body to the RSS Subscriptions folder, as in the log below.
Log example:
"Operation":"New-InboxRule", "RecordType":1, "ResultStatus":"True", "UserType":2, "Version":1, "Workload":"Exchange", "Parameters":[{ "Name":"AlwaysDeleteOutlookRulesBlob", "Value":"False" },{ "Name":"Force", "Value":"False" },{ "Name":"MoveToFolder", "Value":"RSS Subscriptions" },{ "Name":"Name", "Value":".." },{ "Name":"SubjectOrBodyContainsWords", "Value":"WeTransfer" },{ "Name":"MarkAsRead", "Value":"True" },{ "Name":"StopProcessingRules", "Value":"True" }],
Sumo Logic query example:
("\"New-InboxRule\"" OR "\"Set-InboxRule\"") AND "Name\":\"MoveToFolder\", \"Value\":\"RSS Subscriptions\""
False-positive rate: Low (Low means that you can include it in an alert management process without much customization.)
2. Inbox rules to automatically delete messages
We’ve discovered threat actors creating new inbox rules to silently drop any emails that include words like “virus,” “hacked,” or “hack” in the email subject or body, similar to folder redirection. You may begin by setting up an alert for inbox rules to delete messages with specific keywords automatically; however, we recommend monitoring any new inbox rule intended to remove communications instantly.
Log example:
"Operation":"New-InboxRule", "Parameters":[{ "Name":"AlwaysDeleteOutlookRulesBlob", "Value":"False" },{ "Name":"Force", "Value":"False" },{ "Name":"SubjectOrBodyContainsWords", "Value":"virus;hacked;hack;spam;request" },{ "Name":"DeleteMessage", "Value":"True" },{ "Name":"MarkAsRead", "Value":"True" },{ "Name":"StopProcessingRules", "Value":"True" }]
Sumo Logic query example:
("\"New-InboxRule\"" OR "\"Set-InboxRule\"") AND "Name\":\"DeleteMessage\", \"Value\":\"True\""
False-positive rate: Low
3. Inbox rules to redirect messages to an external email address
Using this approach, the message is not delivered to the original recipients, and no notification is sent to the sender or the original recipients. Threat actors have used inbox rules to redirect emails that contain words such as “statement,” “outstanding,” “past due,” “payment,” “invoice,” or “wire” to email accounts outside of their organization’s domain (for example, a Gmail account).
Log example:
"Operation": "New-InboxRule", "Parameters": [
    { "Name": "AlwaysDeleteOutlookRulesBlob", "Value": "False" },
    { "Name": "Force", "Value": "False" },
    { "Name": "RedirectTo", "Value": "<redacted>@gmail.com" },
    { "Name": "SubjectOrBodyContainsWords", "Value": "statement;outstanding;past due;payment;invoice;wire" },
    { "Name": "StopProcessingRules", "Value": "True" }
],
Sumo Logic query example:
("\"New-InboxRule\"" OR "\"Set-InboxRule\"") AND "Name\":\"RedirectTo\""
False-positive rate: This alert is susceptible to false positives since it’s not unusual for users to forward work-related emails to a personal webmail account. If you’ve linked O365 with your SIEM, adjust the query or rule set to alert on new destinations and suppress known false positives as needed.
4. Inbox rules that contain BEC keywords
By now, you should have a sense that using keywords to redirect emails is a popular technique. We alert whenever we discover an inbox rule created with a keyword from our BEC keyword list. The BEC keyword list includes:
- Virus,
- Dropbox,
- Password,
- Fraud,
- W2,
- Invoice,
- DocuSign,
- Deposit,
- Wire,
- Tax,
- Ultipro,
- Payroll,
- Postmaster
Sumo Logic query example:
("\"New-InboxRule\"" OR "\"Set-InboxRule\"") AND ("wetransfer" OR "document" OR "invoice" OR "postmaster")
False-positive rate: Low
5. New mailbox forwarding to an external address
This is an example of a simple mailbox forwarding rule. Threat actors commonly create new mailbox forwarding rules to redirect emails to their accounts.
Log example:
"Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:<redacted>"},{"Name":"DeliverToMailboxAndForward","Value":"True"}],"application-action":"Set-Mailbox","triggered-by":{"app-username":"<redacted>","privileges":[{"level":"admin"}]},"new-values":{"additional-properties":{"DeliverToMailboxAndForward":"True"},"forward-to-address":"smtp:<redacted>"
Sumo Logic query example:
("\"New-InboxRule\"" OR "\"Set-InboxRule\"" OR "\"Set-Mailbox\"") AND "Name\":\"DeliverToMailboxAndForward\""
False-positive rate: False positives are possible since it’s not unusual for users to forward work-related emails to their webmail accounts. If you’ve linked O365 with your SIEM, update the query or rule set to notify and remove known false positives if necessary.
6. New mailbox delegates
The mailbox delegate access rule looks for attackers who gain access to a victim’s account by granting themselves mailbox delegate permissions. Take a look at this example of a BEC threat that one of our clients recently discovered, in which suspicious mailbox permissions were used:
Log example:
{"Name":"AccessRights","Value":"FullAccess"},{"Name":"InheritanceType","Value":"All"}],"application-action":"Add-MailboxPermission","status":{"code":"Success"}
Sumo Logic query example:
("Add-MailboxPermission") AND "Name\":\"AccessRights\"" AND "Value\":\"FullAccess\""
False-positive rate: This alert is also vulnerable to false positives since it’s not unusual for businesses to grant access to high-ranking workers’ mailboxes and calendars so assistants can schedule meetings and travel. You’ll need to customize it a bit based on your environment.
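The six inbox-rule and mailbox indicators above can be checked directly against O365 audit records rather than only through SIEM string matches. The following is an added example (not Expel’s code or the page’s own tooling); it assumes audit records shaped like the excerpts above, treats `corp.example` as the organization’s own domain, and adds the real `ForwardTo` rule parameter alongside `RedirectTo` from the post.

```python
import json

# Indicators from the post: folders used to hide mail, the BEC keyword list,
# and the audit operations the Sumo Logic queries key on.
HIDING_FOLDERS = {"rss subscriptions", "junk email", "notes"}
BEC_KEYWORDS = {"virus", "dropbox", "password", "fraud", "w2", "invoice", "docusign",
                "deposit", "wire", "tax", "ultipro", "payroll", "postmaster"}
INTERNAL_DOMAINS = {"corp.example"}  # assumption: replace with your own mail domains

def rule_params(record):
    """Flatten the audit 'Parameters' array into {Name: Value}; some pipelines
    deliver it as a JSON string (as in the RedirectTo excerpt), so accept both."""
    params = record.get("Parameters", [])
    if isinstance(params, str):
        params = json.loads(params)
    return {p["Name"]: str(p["Value"]) for p in params}

def is_external(address, internal=INTERNAL_DOMAINS):
    # True for an SMTP address outside the organization's own domains.
    addr = address.strip().lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal

def classify(record):
    # Return the indicators from sections 1 to 6 that one audit record matches.
    op, p, hits = record.get("Operation"), rule_params(record), []
    if op in ("New-InboxRule", "Set-InboxRule"):
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            hits.append("rule-moves-to-hiding-folder")
        if p.get("DeleteMessage") == "True":
            hits.append("rule-deletes-messages")
        targets = p.get("RedirectTo", "") + ";" + p.get("ForwardTo", "")
        if any(is_external(a) for a in targets.split(";")):
            hits.append("rule-redirects-externally")
        words = {w.strip().lower() for w in p.get("SubjectOrBodyContainsWords", "").split(";")}
        if words & BEC_KEYWORDS:
            hits.append("rule-uses-bec-keywords")
    elif op == "Set-Mailbox" and is_external(p.get("ForwardingSmtpAddress", "")):
        hits.append("mailbox-forwards-externally")
    elif op == "Add-MailboxPermission" and p.get("AccessRights") == "FullAccess":
        hits.append("fullaccess-delegate-added")
    return hits

# Constructed sample records shaped like the post's log excerpts (not real data).
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "WeTransfer"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example", "Parameters":
        '[{"Name":"RedirectTo","Value":"<redacted>@webmail.example"},'
        '{"Name":"SubjectOrBodyContainsWords","Value":"statement;past due;wire"}]'},
]
```

Run `classify` over each record from your audit export; the first sample fires only the hiding-folder indicator, the second fires both the external redirect and the keyword indicator.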
7. Successful logins within minutes of a login denied by a conditional access policy
With Azure AD and O365, you can easily implement conditional access policies that deny suspicious logins based on source IP address or country. Always remember that conditional access is only enforced after authentication succeeds.
In the example above, a failed login from a foreign country was recorded because of a conditional access policy. Unfortunately, this can be circumvented by using a virtual private network (VPN) service provider.
In one recent investigation, an attacker bypassed conditional access rules simply by turning on their VPN. A login failure caused by a conditional access policy restricting authentication from a list of foreign countries was logged at 22:17:40 UTC. Minutes later, O365 records show that a well-known virtual private network (VPN) service provider
If you’re sending or using logs of O365 to your SIEM, you can fire an alert if O365 records a successful login within minutes of a failed login. You can also send an alert if O365 records a successful login originating from a virtual private network service provider within minutes of a failed login.
If you don’t have an easy way to do this, start by looking at logins that fail because of your existing conditional access rules to better understand what’s going on in your environment.
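The two alert variants described above (any success shortly after a conditional access denial, and a success from a known VPN range shortly after a denial) can be expressed as one correlation over sign-in records. This is an added example, not Expel’s or Microsoft’s code; the record layout, the 15-minute window and the VPN range list are assumptions you would replace with your own sign-in export and IP intelligence.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: ranges you have attributed to VPN providers from your own IP intel.
KNOWN_VPN_RANGES = [ip_network("203.0.113.0/24")]

# Constructed sample sign-in records (not real data). "denied" stands for a
# failure caused by a conditional access policy, as in the 22:17:40 UTC example.
SAMPLE_LOGINS = [
    {"time": "2021-01-05T22:17:40Z", "user": "alice@corp.example", "ip": "198.51.100.7", "result": "denied"},
    {"time": "2021-01-05T22:24:05Z", "user": "alice@corp.example", "ip": "203.0.113.9", "result": "success"},
    {"time": "2021-01-05T23:40:00Z", "user": "bob@corp.example", "ip": "198.51.100.8", "result": "denied"},
    {"time": "2021-01-06T09:00:00Z", "user": "bob@corp.example", "ip": "192.0.2.4", "result": "success"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def logins_after_denial(records, window=timedelta(minutes=15), vpn_ranges=KNOWN_VPN_RANGES):
    """Return one lead per successful login that follows a conditional access
    denial for the same user within `window`, flagging VPN-sourced successes."""
    by_user = {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_user.setdefault(r["user"], []).append(r)
    leads = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["result"] != "denied":
                continue
            for later in events[i + 1:]:
                gap = parse_time(later["time"]) - parse_time(ev["time"])
                if gap > window:
                    break  # events are sorted, so nothing later can be inside the window
                if later["result"] == "success":
                    addr = ip_address(later["ip"])
                    leads.append({
                        "user": user,
                        "denied_ip": ev["ip"],
                        "success_ip": later["ip"],
                        "minutes": round(gap.total_seconds() / 60, 1),
                        "via_vpn": any(addr in net for net in vpn_ranges),
                    })
    return leads
```

Alert on every lead for the stricter variant, or only on leads with `via_vpn` set for the lower-noise variant.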
You found a lead. Now what?
What would be the next step? In case you detect something that doesn’t look right, here are some practical tips for chasing down a potential lead into BEC activity:
Identify the source of the activity
When you’re trying to figure out where a suspicious mailbox inbox rule or a new mailbox delegate came from, look for the originating IP address used when the action in question was completed. Then consult your resources for additional information about the IP address, such as its class and location data.
This will tell you whether the IP address in question is associated with an internet service provider (ISP) in your organization’s area or a VPN service provider range, as well as which country it is located in based on GeoIP records.
Review login activity for the user
It’s advisable to review login activity for at least 30 days. This review will help you determine whether the user regularly logs into O365 from the IP address at issue. Examine user-agent records to see which operating systems and browsers the user most frequently uses.
Do you notice a login from an unusual IP address known to be using a version of Google Chrome running on Windows when the user normally logs in from a fixed ISP line with a version of Chrome on macOS? Don’t forget to verify the abbreviation in case of confusion.
When pursuing strange O365 activity, we apply the same logic in Expel Workbench, where we take advantage of automation to speed things up. Take a look at this example, which shows how we quickly evaluate 30 days’ worth of login activity by IP address and user-agent combination with the help of some automation.
Review mailbox activity for the user
This is a great first step if your initial lead into possible BEC activity was, for example, a suspicious login to an account from a VPN provider. With O365 mailbox auditing enabled, check the user’s mailbox history for signs of the threat actor methods described above.
Don’t be afraid to go through 30 days’ worth of mailbox activity. Is the user account in question known for granting inbox permissions or creating inbox rules to help manage their email? Context is critical.
Review login activity for the IP address
The next step is to analyze 30 days’ worth of login activity for the IP address in question. Do you see successful logins from the IP address into multiple accounts? Or do you observe activity in one user account? You’ll have greater context if you review login activity from the IP address in question.
This is also a great scoping action if the threat actor uses the same IP address to access many accounts.
Scope and pivot!
Finally, the investigation techniques above may surface new BEC leads, such as a new connection from an external IP address being used to authenticate into victim mailboxes or an inbox rule that silently deletes any message containing the word “document.” Make sure they’re followed up on.
Let’s suppose you discovered a BEC threat actor authenticating into a victim’s mailbox through a well-known VPN service provider. With this information in hand, find out how many additional accounts the attacker accessed from that VPN service provider.
Another example: if you know the threat actor is creating inbox rules to silently delete messages, look for O365 logs that show similar behavior in any other account. And what about the new leads you find? Investigate them!
How do I get started?
Here are a few pro tips to get you started with taking advantage of the alerting possibilities we discussed earlier:
- Enable mailbox auditing in O365. Microsoft is in the process of enabling mailbox auditing by default for all of its business users. Still, it’s a good idea to double-check that your company’s mailbox auditing settings are correct. You’ll then have visibility into how people log in to their mailboxes and what happens in those mailboxes after a user is phished. Not sure how to turn on mailbox auditing? Simply follow these simple steps.
- Integrate O365 with your SIEM. By completing this step, you can centralize alerts generated by O365 into the same workflow you already have in place. Here are step-by-step instructions on how to link O365 with your SIEM.
- Or, if you are looking for an easier option, we can do this for you.
Do you have any more questions about BEC? You can leave us a note as we are available to talk anytime!