Business Email Compromise: Preventative and Remedial Measures - Cyber and Fraud Centre

At the Cyber and Fraud Centre, we provide an Incident Response Helpline to support organisations that have fallen victim to cyber attacks or financial fraud.

One of the most commonly reported incidents is Business Email Compromise (BEC) attacks. In almost all cases, multi-factor authentication was not enabled. Some organisations only became aware that they had a compromised account when they discovered irregular bank account transactions.

If the motivating factor behind a BEC attack is financially motivated, then the threat actor will usually make it worth their while. Five-figure sums were transferred in each successful attempt reported to us this year. This ensures a nervy process of attempting to understand whether the funds can be recovered. In some cases, the transactions cannot be reversed.

One of the reasons why these attacks are so common is that for a threat actor to be successful, they do not necessarily need to invest a significant amount of time and resources for the reward. This makes BEC relatively cost-effective when considering other attack types requiring more significant overheads, such as malware development for phishing campaigns or attempting to exploit vulnerabilities within an organisation’s externally exposed infrastructure.

By compromising an email account, the attacker will be in a position where they can exfiltrate information from the organisation by accessing the victim’s mailbox, resulting in a loss in the confidentiality of the information it stores.

It also allows the attacker to impersonate the account’s owner, making it very difficult for recipients of emails originating from the compromised account to distinguish legitimate requests from fraudulent ones. In such cases, the only factor that may alarm recipients about this behaviour is that the request may be out of context or abnormal.

This blog intends to raise awareness of BEC attacks and how to deal with this type of incident. It may also help identify whether any security controls are absent and if there are any missed steps in an organisation’s Incident Response Plan.

Impact

In addition to the scenarios described above, an organisation that falls victim to this type of attack may suffer from the following:

Data Loss/ Exfiltration – Exfiltration of sensitive information, such as personal details, intellectual property, financial information or supply chain details.
Financial Loss – Business Email Compromise (also known as Payment Redirection Fraud), whereby an attacker conducts fraud by manipulating bank details or requesting payments.
Onward Access (Lateral Movement) – Compromise of additional services by authenticating as the controlled account for broader access or leveraging current access as a stepping-stone to target internal or external contacts.
Reputational Damage – The attacker either intentionally or unintentionally causes embarrassment to the victim’s organisation.

Initial Access

To compromise an unprotected email account, an attacker only requires two parameters; username and password. The first component is the easiest to acquire. An attacker can research the target organisation and its employees. To identify the password used to secure an account, threat actors may explore the following techniques:

Brute-Force: An attacker attempts to exhaust a list of common passwords against an account.
Password Guessing: An attacker expends effort up-front, specifically researching specific individuals to identify passwords they may use based upon their interests or other publicly available attributes, such as social media.
Password Spray: An attacker attempts to log into an account using a statically probable password which conforms to the bare minimum complexity requirements of the password policy (such as ‘Winter2021!’ or “CompanyName1!”) across email addresses which are collected from websites or other areas.
Credential Stuffing: An attacker capitalises on weak security controls implemented by third parties. The victim also re-uses the same password used to secure their email address with another service. Attackers will often research credentials derived from data breaches.
Credential Theft: An attacker sends a phishing email to the victim, impersonating a service they would typically interact with and harvesting the credentials sent to a resource they control. Alternatively, they could attempt to induce the user to execute malware which is designed to steal credentials

Containment and Recovery

Many organisations tend only to identify an account compromise when an external party notifies them. Implementing proactive monitoring controls (as discussed within the detection section) is possible, but this is not feasible for many small organisations.

If an account is identified to be compromised, the following actions should be considered:

Temporarily Disable the Account and Invalidate Existing Sessions: Inactivate the account until it is possible to communicate with the victim. If appropriate, ensure that any existing session tokens are forcefully expired so that existing login sessions are invalidated to prevent an attacker from maintaining temporary access until the session cookie expiry (after a password change).
Debrief with the Victim: Discuss whether the victim has observed anything suspicious recently. This may help identify other affected accounts or provide context and justification to investigate an endpoint compromise or a credential harvesting phish that may have been targeted at different users. It is important to have this conversation without victim shaming:
- Employees should be educated to avoid performing risky actions but encouraged to raise the alert to mistakes made. In environments that do not have the maturity and resource to detect compromises proactively, the employee may be the earliest and the only alarm available to notify you.
Implement Multi-Factor Authentication: Any internet-facing service should be configured to authenticate an individual with more than just a username and password combination alone. An additional form of authentication should be used, such as Hardware Token, App or SMS
Password Changes: The account’s password should be changed as soon as possible; NCSC guidance recommends a password consisting of three random words. The victim should also be advised to change the password for additional accounts where they may have re-used the password.
Review Mailbox Forwarding Rules: Mail forwarding rules can be used by an adversary to persist after remedial action (such as a password change or MFA enablement). This can sometimes be abused to maintain access to information, such as password reset emails for other services, which are then forwarded to an attacker-controlled mailbox.

Reporting

Upon identification of a Business Email Compromise account, external parties may need to be contacted dependent on the scenario:

In line with GDPR and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) should be notified in the event of a data breach where appropriate. Other regulatory bodies may require notification, dependent on the industry in which the organisation operates.
Where there has been financial loss, the victim organisation must contact Police Scotland on the non-emergency contact line 101 to report the incident, as well as the financial institution that the funds were stolen.
The insurance provider should also be notified if the organisation has cyber insurance.
Dependent on the circumstances, there could be other victims (supply chains, clients and customers, other businesses) of the attack due to the threat actor obtaining access to information intended to be private within emails.

Basic Prevention

To increase an organisation’s resilience to this type of attack, we recommend reviewing whether the following remedial action would be appropriate to implement:

Configure a Robust Password Policy: A password policy that implements a minimum password length of 8 and requires this to be changed every three months is more likely to result in users choosing poorer passwords than a 14-character password changed yearly.
Implement MFA: The most effective method for preventing account compromises. Research by Google in 2019 identified that 100% of automated account takeovers could be prevented when any form of MFA was implemented.
Password Managers: A password manager is a utility that generates and stores passwords. As the burden associated with remembering passwords is removed from the individual, unique and complex passwords can easily be copied and pasted to services. There are online-based password managers and those that store the credentials locally on the system.
Corporate Website About Us Pages: The organisation may wish to reduce the amount of publicly available information about their employees, such as their email addresses and interests, as this can be useful for social engineering and information gathering. This information can typically be gathered from other resources; however, not as quickly.
Implement Robust Processes for Financial Handling: Organisations should consider implementing the anti-fraud advice outlined in this article for verifying transactions. This includes enabling a multi-factor authentication procedure for standalone payments and verifying transaction details against previous or retained records to identify discrepancies.

Detection and Analysis

Depending on the email service supplier, organisations can implement proactive detection mechanisms for identifying account compromises as they occur.

Email service solutions such as Exchange and Google Workspace all record details associated with an email account’s activity for varying periods.

From the logs, it is possible to extrapolate details which can be evaluated by rules to identify compromised accounts. Controls which monitor for the following can help identify accounts which are compromised to help reduce the impact:

Multiple IP addresses accessing the same account
The same irregular IP address accessing multiple accounts
Accesses from unlikely or suspicious geographical locations
Numerous login failures, followed by a successful login

For organisations using M365 services, consideration should be given to enabling Unified Audit Logs. This feature is enabled by default for enterprise organisations. Still, we recommend double-checking that the feature is enabled, as it will not be possible to access logs retrospectively if this feature is disabled. These can be particularly useful for identifying whether an attacker has authenticated to other Microsoft services, such as Teams and SharePoint, beyond Outlook.

Organisations with the appropriate licensing can also review audit trails to understand what emails a threat actor accessed upon compromising an account. Upon investigating MailItemsAccessed records, which log IP address, username, timestamp and session information, inspecting bind and sync MailAccessType operations will be possible.

The bind operation details where an individual email has been accessed, whereas a sync operation denotes the download of a large volume of emails, synonymous with synchronisation when using the Outlook application to populate emails within the client. Attackers commonly perform a sync operation to access the entire contents of the mailbox. At that point, it can only be assumed that there is a complete loss of confidentiality.

A Final Word

Many more organisations are expected to continue to fall victim to this type of attack until vendors implement the most secure default settings, such as mandatory MFA.

Until then, an organisation’s nescience to improve upon the default configuration ultimately means that their primary defence from an email account compromise is likely reduced to the trust bestowed upon employees to make effective password choices and their resilience to interacting with malicious emails or web pages.

The information presented in this blog is intended to be generic, and additional factors in each scenario may require further investigation. If you have been affected by a cyber incident, please contact our Incident Response Line on 0800 1670 623 for assistance.