Identify and Investigate Business Email Compromise (BEC) Scams

What is Business Email Compromise (BEC)?

Business Email Compromise is an email-based phishing attack that specifically targets businesses and organizations to steal money, sensitive information, or account credentials. These attacks can be difficult to prevent as criminals may utilize social engineering techniques such as impersonation and intimidation to manipulate users.

Threat actors will often prepare for BEC attacks by first performing reconnaissance on their targets and uncovering publicly available data such as employee contact information to build a profile on the victim organization. Moreover, BEC attacks often focus on employees or executives who have access to more sensitive information or the authority to make payments on the organization's behalf.

According to the FBI, there are five major types of BEC scams:

• CEO Fraud: In this scenario, the attacker will pose as the company's CEO or any executive and send emails to employees, directing them to send money or expose private company information.
• Account Compromise: An employee's email account has been compromised and is used to send BEC scams to other organizations and contacts from the compromised account.
• Attorney/Tax Impersonation: The cyber-criminal will impersonate an attorney or other representatives from organizations like the IRS to scam employees. These attacks will attempt to pressure employees into acting quickly to avoid "official repercussions".
• Data Theft: Scammers may target employees in HR or those with access to employee information to obtain sensitive or private data regarding other employees and executives that can be used for future attacks.
• False Invoice Scheme: The attacker will spoof an email from an organization or vendor that the victim works with. This email may contain an invoice requesting payment to a specific account that the attackers control.

Example of BEC utilizing both the Impersonation and Fake Invoice tactics to coerce users

What is the cost of Business Email Compromise (BEC)?

Phishing attacks continue to be one of the most prevalent forms of cybercrimes targeting organizations today. A specific form of phishing known as Business Email Compromise or BEC has been especially lucrative for cybercriminals. According to the FBI's recent IC3 report, Business Email Compromise was responsible for causing over $1.8 billion worth of losses to businesses in 2020, which greatly exceeds the losses attributed to other more publicized forms of cybercrime like ransomware ($29 million).

As organizations move to adjust to the rise of remote collaboration and work, cybercriminals are evolving in tandem, with BEC attacks increasing in sophistication and frequency.

Identifying Business Email Compromise

There are multiple methods that cybercriminals utilize to convince users of an organization that their email is genuine, including Email Impersonation, Email Spoofing, and Email Account Takeover. Being able to identify these tactics will be vital for shielding your organization against business email compromise.

Email Impersonation is a common and simple tactic where the attacker will set up an email account that looks very similar to an actual business email account. The attacker's email address or display name will look nearly identical to an actual sender or account but may utilize spelling tricks or special characters from different languages to make the email look convincing.

This form of business email compromise relies on establishing trust with the victim rather than using malicious files and links to carry out fraudulent wire transfers or gather sensitive information.

Email Spoofinginvolves attackers forging the domain of their fake emails to look exactly like the domain of the targeted organization. By circumventing email authentication standards such as SPF, DKIM, and DMARC, attackers can spoof their emails to look like it's coming from a legitimate domain instead of the attacker's email server.

A misconfiguration of SPF and DMARC can allow attackers to spoof sender domains.

Email Account Takeover is a more advanced form of business email compromise that involves the attacker gaining access to a corporate email account. The attacker can obtain credentials via multiple ways, such as phishing or utilizing usernames/passwords exposed in previous breaches.

By using a compromised account as a foothold, the attacker can conduct reconnaissance on the victim organization by analyzing the account's contacts, emails, and conversations. The attacker will also likely establish forwarding rules to their own external email to gather information outside of the victim organization.

The attacker can now monitor new emails from partners and vendors and may be keen to look for messages regarding sensitive information and financial transactions. Once the attackers identify something of interest, they can embed themselves within an ongoing conversation and use other business email compromise tactics such as email impersonation and spoofing to manipulate the trusting victim to carry out a specific action such as wiring money.

A potential wire fraud tactic used by attackers involves stealing a copy of an actual invoice and modifying only the banking and routing information, leaving all else the same and sending that fake invoice to the victim. The recipient may not be able to determine if the invoice is tampered with and will send funds to the cybercriminal instead of the legitimate party.

Additionally, a compromised email account may exhibit any of the following indicators in Microsoft Exchange:

• Unintended profile changes such as modifications to the user's name and contact information
• Inbox rules that the user did not create, such as a rule that automatically forwards emails to folders like Notes or RSS
• Other users receive emails from the compromised account without those respective emails appearing in the Sent folder
• The user's mailbox has been blocked from sending email

If you are seeing examples of BEC such as users receiving spoofed emails with faked names and domains or creating strange forwarding or inbox rules, your organization may be targeted in a business email compromise attack. Investigating these suspicious events will be key to understanding the scope of this incident and beginning the remediation process.

Investigating Email Compromise in O365

After identifying the initial signs of business email compromise, it is recommended to investigate further by analyzing logs from the Exchange Admin Center as well as Microsoft 365 Defender and Azure AD.

We recommend using the unified audit logs within the Microsoft 365 Defender portal to review all activity from the suspected account starting from before the suspicious activity began to the current date. You can utilize several reports to assist with this investigation as well, such as the Compromised Users, Exchange Transport Rule, and Spoof Detection reports. With Azure AD logs, you can investigate and review authentication activity such as the related IP addresses, geolocations, and sign-in successes/failures.

Your initial investigation should involve analyzing audit logs to identify all the potential users that have interacted with the suspected email or compromised account. From this list of users, look for additional Indicators of Compromise (IOCs) such as suspicious login activity, mail forwarding or inbox rules, or any malicious attachments.

If a suspected malicious attachment was opened on the user's endpoint, you might need to check additional endpoint logging as well as any additional EDR or AV solutions you may have.

When investigating emails with potentially spoofed domains, you can verify the email header of these emails to identify information such as the true source of the sender. You can achieve this by opening the message in Outlook and navigating to File > Info > Properties.

Be sure to look for the following fields for useful data:

• Common Values – Common values include the From Address, Subject, Message ID, To, and Return-path address. For example - confirm if the From email address matches the display name.
• Originating IP – Originating IP can be used to identify the IP recognized on blocklists from previous incidents and determine geolocation.
• Spam Confidence Level (SCL) - SCL determines the probability of the message being spam.
• Authentication-Results – Authentication results for SPF and DKIM authentication methods.
  
  

Investigating Business Email Compromise with Varonis

There are multiple pre-built alerts that you can see in the Varonis Alert Dashboard or via email that may indicate an ongoing business email compromise attack. These include alerts relating to a user receiving an email with a suspected malicious attachment or an unusual number of emails sent to an individual recipient outside the company.

With Varonis, in addition to reviewing alerts, you can also gather more information around the incident by investigating the suspected users and their activity in both 0365 and on-prem resources.

To begin your investigation with Varonis, you should start by reviewing logs specific to Exchange on-prem or online.

Click "Analytics" in the Varonis Dashboard and then open a new "Events" tab. From here, select "Exchange Online" or "Exchange" in the Servers dropdown.

Configure the time range to just before you saw any IOCs, such as suspicious emails or user activity. Make sure to add the "Event Description" column for additional details by clicking on "Attributes" and by typing the event description in the newly opened window and selecting it.

Now that you are looking at all Exchange Online activity, you can query events using the search bar. For example, if you want to see all users that have interacted with a suspicious email, you can utilize the search function to look for all events relating to that specific email subject line.

Click on the search bar, navigate to "Event on Resource", and then enter the subject into the "Message Subject" field. Please note that you can select "contains" to do a more general search on key terms such as "wire" or "urgent", etc. Moreover, you can do the same search for attachments by utilizing "Attachment Name" or "Email Has Attachments". Make sure to keep an ongoing list of related IPs, usernames, and other identifying information.

Now that you have a list of users that have interacted with the suspicious emails or attachments, you can pivot your investigation to look at all other Exchange activity from these users. Add the specific user or multiple users to your search by utilizing the "Names" hyperlink under "Event by User" on the left side of the screen and select the users you want to investigate and click "Apply".

Be sure to clear out any other queries in the search bar except for the users before running the search to search more generally for all related Exchange activity.

Utilizing the "Types" hyperlink on the left side again, you can now see all the different event types associated with the users under investigation. Some event types to be aware of include:

• Message Moved/Deleted– An attacker may be hiding messages by deleting them or moving them into their RSS or Junk folders.
• Forward Rules Created – These rules can be used to move messages outside the organization automatically.
• Messages Sent as or on Behalf of– The attacker may be obfuscating their "From" field.
• Permissions or Mailbox Permissions added – The attacker may be looking to move laterally and compromise other mailboxes.

During a BEC investigation, we identified emails that were deleted without the user's knowledge

Once you've completed your investigation in Exchange, you can pivot your search to look for any suspicious user activity in other resources such as OneDrive and SharePoint, as well as on-premises resources like Active Directory and File Shares.

Add other resources to your search by selecting all servers in the server selection field. Be sure also to have the users you want to investigate in the search field.

By investigating other resources in Varonis, you can identify other indications of malicious activity outside of Exchange. For example, after compromising an account in Exchange, a threat actor may upload and share a malicious payload in SharePoint and OneDrive. Other unsuspecting users may receive a shared link for these files and inadvertently compromise on-premises resources with malware upon opening them. In other cases that we have investigated, attackers have leveraged compromised O365 credentials to download large amounts of data from SharePoint Online and OneDrive.

Understanding the scope of the incident, especially in terms of which network resources were utilized during the attack, will be a necessary step to ensure that the incident is contained and begin the recovery process.

Business Email Compromise Investigation Checklist

These elements can be challenging to keep track of during an investigative effort. Below is a short list of questions to guide the process and ensure the collection of the proper evidence to help during the remediation step:

First Contact / Point of First Entry

• Can we trace back to an original impacted user, original email, or vector of compromise?
• Was this original entry point part of a larger campaign? Can we find the original phishing email on anyone else's inbox, potentially exposing us to multiple entry points?

Persistency/Obfuscation Methods

• Do we see evidence of inbox rules or shared link creation?

Exposure Radius

• Did the initial compromise lead to further internal or external exposure? Did the external threat actor move laterally to other accounts via additional social engineering?
• Are the impacted users showing evidence of abnormal activity on their corporate devices? Have we seen evidence of movement from the cloud environment to the on-premise devices via malware or document sharing?

Impacted Data

• Can we develop an inventory of impacted data, shared links creation, data emailed externally, and audit activity on downloaded data from cloud drives?

Additional / External Systems

• Was this user also impacted on other cloud systems such as HR, Direct Deposit, or 401k Portals? Are audit logs for those systems available?

Tips for Remediation/Hardening

After completing the investigation and regaining access to the compromised account(s), it is highly recommended to take the following steps to prevent the attacker from regaining access in the short term. To supplement that, we have also provided recommendations on hardening your environment to protect against potential future business email compromise.

1. Reset the suspected or compromised accounts PW and their sessions to force re-authentication.
2. Clean up that compromised account's inbox configurations by removing any suspicious forwarding or inbox rules.
3. (Optional) Block access to this user from signing in and remove the user from all administrative role groups (if applicable) until it is safe to re-enable the account.
4. Verify other accounts that may have used this Exchange account as the primary or alternative email and repeat this process as necessary for those services.

Once these initial steps have been completed, you may want to take additional steps to harden your network to help prevent future similar incidents. For example, incorporating technical controls such as enabling Multi-Factor Authentication, blocking traffic from known malicious or suspected locations and IPs, or ensuring that email authentication standards such as SPF, DKIM, and DMARC are correctly configured can significantly reduce your attack surface from BEC.

Administrative controls like checks and procedures to prevent wire fraud can serve as a last layer of defense, preventing irreversible theft from the organization.

Additionally, ensuring that your employees receive the proper training around phishing emails can serve as a critical component of a complete security strategy. As a courtesy, we recommend reminding users to review personal security on their private email or social media accounts and ensure they aren't re-using passwords across different work and non-work platforms. Administrative controls by non-IT departments like additional accounting/payroll checks and procedures to prevent wire fraud can serve as a final defense against financial damage.

Business email compromise continues to be one of the costliest forms of cyber attacks targeting organizations worldwide. By implementing a layered approach in terms of cybersecurity controls and monitoring user activity in Exchange and other security solutions such as Varonis, you can improve your organization's security posture and safeguard your users against BEC and other forms of cybercrime.