Nearly all forms of Business Email Compromise (BEC) attacks are on the rise, according to the fourth edition of Microsoft Threat Intelligence Cyber Signals published last week. In the latest Microsoft research for phishing protection, Microsoft Threat Intelligence Digital Crimes Unit (DCU) detected and investigated 35 million BEC attempts between April 2022 and April 2023, or 156,000 attacks every day. The FBI Internet Crime Report 2022 also found that BEC attacks were responsible for over $2.7 billion in losses last year alone.
Microsoft saw an increase in both the sophistication of attacks and the tactics used by adversaries in BEC attacks. Cybercrime-as-a-Service organizations enable advanced phishing techniques at scale for bad actors, allowing them to easily circumvent traditional detection methods like “impossible travel” flags and malicious URL detection.
According to the Microsoft Threat Intelligence Cyber Signals report, BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. The report goes on to explain that, rather than targeting software vulnerabilities, BEC attacks exploit the daily sea of email traffic to lure victims into providing financial information or taking action which unknowingly helps criminals perform fraudulent money transfers.
“You don’t have to use zero-day software exploits or novel offensive techniques to be successful. To compromise email, credential phishing, social engineering, and sheer grit is all that’s required.”
Simeon Kakpovi
Senior Threat Intelligence Analyst, Microsoft Threat Intelligence
Key Findings by Microsoft Threat Intelligence Digital Crimes Unit from April 2022 to April 2023:
- 35 million annual BEC attempts detected and investigated
- 156,000 daily BEC attempts detected and investigated
- 417,678 unique phishing URL takedowns
- 38% increase in Cybercrime-as-a-Service targeting business email [2019 – 2022]
- BEC threat actors increasingly purchase credentials and local IP addresses from end-to-end Cybercrime-as-a-Service (CaaS) providers to evade traditional detection methods
Top Targets for BEC Attacks:
- Executives & Senior Leadership
- Finance Teams & Management
- HR Staff with access to employee records (i.e. Social Security numbers, Payroll, and other PII)
- New employees less likely to verify unfamiliar requests via email
Top Trends for BEC Attacks in 2023 (January to April)
- LURE attacks (Legacy URL Reputation Evasion)
- Payroll/Invoice attacks
- Gift Card Requests
- Business Information Requests
Defending Against BEC Attacks – Microsoft’s Recommendations
The Microsoft Threat Intelligence Cyber Signals report discusses many best practices that organizations can implement in the fight against BEC, but their recommendations can really be boiled down into two key initiatives:
- Enhancing existing defenses through AI-based phishing protection
- Training employees to better spot BEC attacks in real-time
“While we must enhance existing defenses through AI capabilities and phishing protection, enterprises also need to train employees to spot warning signs to prevent BEC attacks.
”
Vasu Jakkal
Corporate VP, Security, Compliance, Identity and Management, Microsoft
Microsoft + Tessian – Better Together
Tessian’s Complete Cloud Email Security Platform is an ICES solution that defends against advanced email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, all while coaching end-users to drive better security decisions in real time. Organizations leveraging Microsoft’s native email security capabilities along with Tessian find the most complete cloud-based AI-driven email security coverage for defending against BEC attacks.
Aligning with the recommendations in the most recent Microsoft Threat Intelligence Cyber Signals report, Tessian enhances Microsoft’s native email security capabilities by leveraging behavioral based AI detection for more effective prevention against social engineering attacks. Tessian also offers customizable, bespoke in-the-moment security coaching that encourages end-users to take a step back and consider the potential risks and costs associated with successful BEC attacks.
To learn more about how organizations are pairing Microsoft + Tessian for the most complete email security protection, download our Tessian + Microsoft 365 Solution Guide.
Bob Boyle
Product Marketing Manager II