This article was co-authored by Edward Le Gassick, Trainee Solicitor, London.
Business Email Compromises (BECs) were, according to statistics released by the Information Commissioner's Office (ICO), one of the leading types of cyber attack throughout the last quarter of 2022 and into 2023 in the UK. In recent months, we have seen an evolution in the strategies deployed by cyber criminals or 'threat actors' following unauthorised access to business email accounts.
To illustrate this emerging trend, this article includes an example of a BEC, highlighting the latest tactics being deployed.
Evolving strategies
Until recently, threat actors would ordinarily gain access to a mailbox - often via a phishing attack - and look for immediate ways to monetise the account without being detected. This often involved setting malicious mailbox rules to facilitate payment diversion by, for example, changing bank details within an otherwise legitimate invoice. Once successful, the threat actor would typically launch an onward phishing attack in the hope they can jump to another compromised mailbox as quickly as possible, and before containment steps are taken. This results in a relatively short window of compromise, with the impact being limited to malicious interaction only whilst the threat actor has remote access to the mailbox.
However, in recent months, we have seen a significant increase in malicious activity after the mailbox has been secured. We are now seeing threat actors download the content of the compromised mailbox as an immediate and deliberate step following access, before setting up a 'spoofed' account in a very similar name to the compromised mailbox user.
This new generation of BECs poses wider regulatory exposure to businesses. This is because the containment measures concerning the originally compromised mailbox will in large part be ineffective in preventing further malicious activity. In addition, once the content of the compromised mailbox has been downloaded, the threat actor will have offline access to any personal data in scope.
Example of a traditional BEC
For this illustrative example, we have used a fictitious surveying firm called Bricks789 Limited (Bricks) and Ben, their senior accounts manager.
Phase 1: Obtain access to the mailbox within the target organisation's domain
The threat actor has identified Bricks via online searches. They have established that Bricks will make daily payments to multiple vendors. Using LinkedIn and open-source online searches, the threat actor has identified email accounts for 12 of the 18 employees in Bricks' accounts team. They identify one of Bricks' clients from their website testimonial page, craft a fictitious but "urgent" email from the CEO of one of their leading clients and send it to all 12 of the identified employees.
Ben, a senior accounts manager, clicks a link in the email purporting to be an important document, inadvertently surrendering his login details to the threat actor. Although Ben's account has MFA (multi-factor authentication), the threat actor can bypass this and gains access to Ben's mailbox.
Phase 2: Initial reconnaissance and the perpetuation of the attack
The threat actor monitors traffic in and out of the mailbox. They then look to identify opportunities for fraud such as payments that may fall due. They also look to identify other contacts within the organisation to target for fraud and use sophisticated social engineering tactics to perpetuate their attack. During this period the threat actor also sets mailbox rules to disguise their activity from Ben and Bricks.
Phase 3: The threat actor attempts to orchestrate financial fraud against a third-party
Ben sent a chaser to his biggest client a few days before his account became compromised. This client owes Bricks £128,000 and their payment is overdue. Observing this during phase 2, the threat actor determines that this is the optimal time to strike. They attach a second invoice identical to Ben's but with slightly altered payment details. Several days later, the client brings up the most recent email from "Ben" which is actually from the threat actor using Ben's domain. As the payment is overdue, they rush to pay and inadvertently make the payment to the threat actor.
This is usually the end of a BEC. Ben will chase for payment again; the client will say they paid and it will become obvious that there has been a BEC and any unauthorised access is quickly contained. The client and Bricks will seek to recover the lost funds and make a notification to their cyber insurance provider (assuming cyber insurance has been purchased).
Secondary attacks – a new threat
During the reconnaissance phase of their attack, the threat actor has harvested a list of payments due and a list of Bricks’ clients.
The threat actor quickly sets up a new domain. Ben’s email is Ben@bricks.com, however, the domain bricks.co.uk is available and is quickly purchased. During their access to Ben's account, they create mailbox rules to forward all emails to this new spoofed account and hide their activity from Ben. The threat actor observes and notes Ben's activity and carefully notes any payments falling due.
After several days have passed, the threat actor uses this information to launch a series of further attacks against Bricks' clients. This includes orchestrating fraud and launching social engineering attacks against clients using information they have taken from Ben's account.
The threat actor can continue their attack by masquerading as Ben, even though access to his account is lost. This is in large part facilitated by the early download of data from the mailbox whilst initially undetected, which is then used to continue sending emails from a spoofed account.
Spot the difference?
If you were expecting an email from a trusted source, would you spot these subtle domain alterations? What about at the end of a busy week?
Legitimate |
Suspicious |
Jordan@shopping.com |
Jordan@shoƥping.com |
Joe@apple.com |
Joe@αpple.com |
Alex@government.com |
Alex@government.co.uk |
Sophia@charlesllp.com |
Sophia@charlesIIp.com |
Comment
Historically, once detection of malicious activity has taken place within the compromised mailbox, access can be quickly closed, limiting longer-term data protection issues. However, increasingly Kennedys' Cyber and Data Risk team are seeing threat actors leverage personal data that they have collected weeks or even months after the mailbox has been secured.
The latest iteration of the BEC is one of the most harmful variations we have seen. To mitigate the risk organisations must respond robustly where BECs are identified and seek professional support, in particular, to better understand their potential regulatory and data protection considerations.
Related item: MFA and data breaches… is Multi-Factor Authentication as safe as you think?