Business email compromise: How Microsoft is combating this costly threat

Amongst all cybercrime, phishing attacks continue to be the most prevalent today. With over 90 percent of attacks coming via email, it’s important that every organization has a plan to prevent these threats from reaching users. At Microsoft, we’re passionate about providing our customers with simplified and comprehensive protection against such threats with Defender for Office 365. Earlier today, we announced that Microsoft is positioned as a leader in The Forrester Wave™: Email Security, Q2 2021. This represents the latest validation of our relentless effort, strategy, and focus to keep our customers secure and offer industry-leading protection against threats orchestrated over email and collaboration tools.

One such threat that has been making waves recently is a class of phishing attacks called business email compromise (BEC). BEC is also proving to be one of the costliest flavors of attacks to organizations—the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recorded almost 20,000 complaints of business email compromise in 2020 alone, with adjusted losses of over $1.8 billion according to their recent IC3 report. What’s more, BEC attacks continue to increase in scope and sophistication. No wonder then that business email compromise is a top concern for CISOs across the globe, especially in a climate where remote work and collaboration have increased significantly.

We at Microsoft share that concern. And that is why we’ve been working aggressively to protect customers by detecting and blocking such attacks through innovation in our products and by staying ahead of current and future threats through research. Additionally, through the Digital Crimes Unit at Microsoft, we have been working to disrupt and thwart such attack networks in partnership with law enforcement.

What is business email compromise?

The term itself has seen an evolution over the years, but quite simply business email compromise (BEC) is a type of phishing attack that targets organizations with a view to steal money or sensitive information. At its core, it’s a social engineering attack, where the attacker looks to dupe the target into believing that they are interacting with a trusted entity. Once they have deceived their target, the attacker proceeds to coax them to share valuable information or process a payment.

These attacks are sometimes referred to as ‘CxO Fraud’ or ‘vendor compromise,’ taking the name of the entity the attacker is claiming to be.

How are these attacks orchestrated?

BEC attacks are so dangerous and costly that we recently devoted an entire blog series to this topic in an effort to raise visibility and help protect customers. The blog series covers the various types of tactics used in BEC attacks and the different levels of sophistication we see in these attacks. But I’ll summarize some top takeaways here:

Generally, the attacker uses one of the tactics below to dupe a target.

• Look-alike tactics (like domain or user impersonation):
  • For example, the attacker can forge the email properties of an email to make the sender appear to be a trusted entity. They can achieve this by using the same display name, even if using a different address. Or they can choose very subtle changes in the user part or domain part of the email address to make the email appear visually similar to a trusted email address, such as CEO@micros0ft.com (notice the ‘0’ instead of ‘o’—which upon cursory inspection, might not be obvious to the target).
• Exact-domain spoofing:
  • In this case, the attacker forges the email to use the exact same email address as the ‘trusted entity’—but sent from an email infrastructure they own. This is made possible by improperly protected domains (Email domains without domain authentication standards like DMARC enforced).

To learn more about these attacks and how they work, check out the first blog in our recent series.

What is Microsoft doing to combat security threats?

Microsoft has been working on a multi-pronged approach to keep customers safe. One that leverages our massive scale of optics and signals across our service portfolio to drive advancements in three dimensions:

• Product innovation.
• Research focus to keep track of ever-shifting campaigns and strategies.
• Fighting crime and taking down attack networks.

Product innovation in Microsoft Defender for Office 365

Defender for Office 365 offers customers unparalleled protection from business email compromise and other attacks such as credential phishing, whaling, malware, ransomware, and much more that might be orchestrated over email or other collaboration vectors. In an era of ever-increasing cybercrime, protection from such attacks is critical for organizations to safeguard their users.

The massive scale of protection offered means that each month Defender for Office 365 detects and blocks close to 40 million emails containing BEC tactics. We block 100 million emails with malicious credential phishing links each month. And each month, we detect and thwart thousands of user compromise activities.

This level of protection is paired with innovative and comprehensive product capabilities that span the different spheres of protection captured below—blocking and detecting threats, maximizing the efficiency and effectiveness of security teams as they investigate, hunt for and respond to threats, and focusing on capabilities that help raise end-user awareness and preparedness for these social engineering attacks. All of these play a critical role in protecting organizations from BEC attacks. To learn more about these capabilities, check out the second blog from the BEC series.

Figure 1:  Microsoft Defender for Office 365 capabilities

Research powered by human intelligence and artificial intelligence

Across Microsoft’s portfolio of security products, we process trillions of signals every single day. This massive signal base drives constant improvements to the artificial intelligence layers backing our protection and detection systems. We pair that with our top-notch dedicated research teams. This human intelligence layer of the Microsoft 365 Defender Threat Research team leverages these signals to track actors, infrastructure, and techniques used in phishing and BEC attacks to ensure Defender for Office 365 stays ahead of current and future threats.

Our most recent research into BEC provides an investigation of a campaign that uses attacker-created email infrastructure to facilitate monetary theft through gift cards. To learn more about this campaign, read the blog post we published.

Fighting cybercrime—Digital Crimes Unit

Microsoft’s Digital Crimes Unit (DCU) focuses on fighting cybercrime through a combination of technology, forensics, civil actions, and partnerships with law enforcement, often involving criminal case referrals. DCU actively tracks and takes down cybercriminals and the infrastructure they use. A good example of this is how Microsoft took legal action against COVID-19-related cybercrime.

In 2020 alone, DCU’s efforts led to the removal of almost 745,000 phishing URLs and the closure of more than 3,500 malicious email accounts.

Take steps now to protect your organization

Fighting cybercrime and eliminating costly breaches is going to take all of us. At Microsoft, we’ll continue to focus on the pivots we covered above to keep our customers protected. But to supplement that, it’s important that each and every organization take the threat of business email compromise seriously. CISOs need to ask themselves: Do we have the right level of protection against these attacks?

In the third blog of the series, we’ve included a set of recommendations that you can take to protect yourself now. These are important measures to take to protect your users against a possibly expensive breach:

1. Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
2. Complement email security with user awareness and training.
3. Implement multi-factor authentication to prevent account takeover and disable legacy authentication.
4. Review your protection against domain spoofing.
5. Implement procedures to authenticate requests for financial or data transactions and move high-risk transactions to more authenticated systems.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.