July 13, 2022

Investigating Business Email Compromises

In today’s business world there may be few systems more integral than email, even more so since COVID-19’s impact on remote work policies. When threat actors devise plans to achieve their goals, whether financially or politically motivated, they often go after the low hanging fruit. Since email is so often used as a vehicle for important and urgent communications, as well as unofficial storage of information, it is a perfect target for threat actors to gain access and obtain their goals. The industry term for this type of attack is Business Email Compromise (“BEC”) and it takes a distinct methodology for investigating this type of intrusion.

At the onset of a BEC detection, there are two main priorities: first, to maintain all appropriate logs, and second, to determine how to expel the threat actor from the known compromised accounts. All too often we find clients have not properly enabled or set retention policies on their email systems to properly investigate the threat actor’s actions, one of our recent blog posts speaks to the importance of logging. While this is becoming increasingly rare, it is more common with cloud tenants such as Microsoft 365 or Google Workspace where the logging level and retention policy defaults may be less than the recommended standards or can be constrained by limitations based on licensing. Thankfully cloud providers are continually making changes to allow their clients a better response in these types of incidents. Below is an example of Microsoft 365’s Audit Retention Policy menu for creating custom policies.

Once a BEC is detected, due to an automated alert, notice of a fraudulent funds transfer, or a user reporting anomalous activity on their account, the responding team should immediately prevent continued access to any/all known compromised accounts. Depending on the situation, these actions could include rotating credentials, disabling the account(s), revoking active sessions, enabling multifactor authentication, or more. Whether or not the threat actor’s initial actions can be identified due to logging constraints, the subsequent investigation will identify valuable Indicators of Compromise (“IOCs”) which allow for identification of additional compromised accounts. From here, there is a “rinse and repeat” method until all compromised accounts have been triaged.

More often than one might expect, victims of BEC fraud will initially question the need for a full investigation citing “they already took $XXX, why do I need to know how they did it?” But more often than not the IOCs found while investigating the BEC will help uncover other actions taken by the threat actor. The very nature of cloud productivity tenants (e.g., Microsoft 365) is to have everything in one place, which consequently means behind one set of credentials. If a threat actor gains access to an account’s email, they also could have browsed the storage or collaboration environments that account has access to. If a threat actor had access to this information, and exfiltrated to their environment, it could potentially lead to a follow-up ransom demand or need for notification to clients/employees per regulatory requirements.

While ransomware is certainly a concern due to its disproportionate impact on organizations, the FBI’s most recent report on internet crime1 (screenshot above, emphasis added) shows that BEC losses are still the leading cause of financial losses, by a sizable margin. As with any information security threat vector, there are tools and methods for preventing accounts from being compromised as well as for minimizing the impact through alerting and responding should an intrusion take place. Once the defenses are in place, it is also important to test the user base with phishing tests and accompanying security training. At MOXFIVE we can assist with all of the above, but preparing for a BEC avoids a lot of the heartburn from responding to one.

For more information or if you need help with a current incident, contact MOXFIVE at ask@moxfive.com or use our Contact form.

1 FBI Internet Crime Report 2021 https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

Thomas Aneiro

Thomas brings a combination of operational and defensive security expertise in a wide range of environments, both in a consulting and internal capacity, to the MOXFIVE team. Thomas has supported companies ranging from Fortune 100 to small, privately-owned businesses and his history understanding complex technical problems and creating agile solutions is an asset to any organization’s team assisting their organizational capabilities.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 


Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More