Microsoft Warns: Business Email Compromise Attacks Can Happen in Just a Few Hours

Published by Ari Denial on Mar 6, 2023

Microsoft’s Security Intelligence team recently conducted an investigation revealing that threat actors conducting Business Email Compromise (BEC) attacks are operating at a faster pace. The study showed that the entire BEC attack process can now be executed within a few hours, likely aimed at reducing the chances of the victims detecting the attack and taking the necessary measures promptly.

The swift progression of these attacks ensures that targets have limited time to identify signs of fraud and take appropriate measures to prevent them.

The attacker gained access to the victim’s account and spent two hours scouring the mailbox for suitable email threads to hijack.

Hijacking email threads is an effective technique as it makes the fraudulent message appear like a continuation of a legitimate communication exchange, leading the recipients to trust it more.

Subsequently, the attacker registered deceptive domains by using homoglyph characters to make them look nearly identical to the websites of the target organization and the impersonated partner. Within five minutes, the attacker set up an inbox rule to divert emails from the impersonated partner organization to a designated folder.

Within the following minute, the attacker sent a malicious email to the business partner, requesting a wire transfer instruction change and promptly deleted the sent message to minimize the chances of the compromised user discovering the breach.

The entire process, from the initial sign-in to the deletion of the sent email, took a total of 127 minutes, indicating a sense of urgency on the attacker’s part.

According to Microsoft, their testing and evaluation of BEC detections and responses in customer environments, when faced with real-world attack scenarios, demonstrated that dozens of organizations had better protection when accounts were automatically disabled by Microsoft 365 Defender.

Microsoft states that their new automatic disruption capabilities provide the SOC team with complete control to investigate all actions taken by Microsoft 365 Defender, and if necessary, remediate any remaining impacted assets.