Business Email Compromise incidents

Published: 2018-05-18
Last Updated: 2018-05-18 00:23:45 UTC
by Mark Hofman (Version: 1)
2 comment(s)

Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business email. The mailboxes are often on O365, but we have also seen some Gmail and on-premises systems with webmail access.

The objective is simple: use the system to convince the organisation, or a customer of the organisation, to pay a fake invoice and transfer the money overseas. The average net of these breaches is around $85,000, but there have been cases well into the 7 figures, so it is quite worthwhile for the attacker. Most organisations are not set up to prevent or detect this kind of attack until it is too late.

Whilst similar to whaling emails, the approach is more thought out and structured. The attacks are typically targeted. There are two scenarios we usually see:

  1. Compromise the victim company, identify invoices to be paid by the victim, spoof the company to be paid and convince the victim to pay into an incorrect account.
  2. Compromise the victim company, identify customer invoices to be paid to the victim, spoof the victim and convince customers to pay invoices into an incorrect account.

The steps in the attack are relatively similar:

  1. Send spear-phishing email to selected targets
    • The targets will have been harvested from your web sites, LinkedIn or other social media.
    • The email is often a “here is a document”, “your O365/Gmail account password has expired”, etc., although we have seen incidents where the password may have just been a lucky guess.
  2. The victim “logs in” to the service, exposing their password.
    • In most incidents the owner of the mailbox can't remember doing this. Check the proxy logs; you'll find the click.
  3. Attacker logs into the victim’s email
    • Sets up forwarding rules to an external email address and may also set up rules for emails with certain subjects or from certain email addresses to be sent directly to trash.
    • Often the mailbox owner never sees any of the emails.
  4. The attacker monitors/searches the emails for opportunities.
    • They look for invoices recently sent, about to be sent or received or about to be paid.
  5. Change payment details
    • Emails are sent saying there is an issue or banking details have changed.
  6. Put on pressure to pay
    • We've seen emails used for this, reaching out to multiple people in an organisation, but also actual phone calls.
  7. Transfer money overseas. 
    • Usually we don't see this, but when talking to the banks we usually find the money has been transferred overseas. Lately, however, they have been using several banks in Hong Kong and SWIFT payments to get the money overseas.
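
The mailbox rules described in step 3 have a recognisable shape, so they can be audited in bulk. The following is an added example, not code from the original diary: it assumes inbox rules have already been exported into a simple list of records, and the field names, mailbox names and INTERNAL_DOMAINS value are hypothetical.

```python
# Added example. The record layout is a hypothetical normalised export,
# not the schema of any particular mail product.
INTERNAL_DOMAINS = {"example.com"}        # assumption: your own mail domains
TRASH_FOLDERS = {"deleted items", "trash"}


def domain_of(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule):
    """Return findings for one inbox rule (empty list = nothing flagged)."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    to_trash = rule.get("delete", False) or \
        (rule.get("move_to_folder") or "").lower() in TRASH_FOLDERS
    filtered = rule.get("subject_contains") or rule.get("from_contains")
    if to_trash and filtered:
        findings.append("sends matching mail straight to trash")
    return findings


def audit_mailboxes(rules):
    """Map mailbox -> [(rule name, finding), ...] for every flagged rule."""
    report = {}
    for rule in rules:
        for finding in audit_rule(rule):
            report.setdefault(rule["mailbox"], []).append((rule["name"], finding))
    return report


# Constructed sample data, not taken from a real incident.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "..",
     "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "ap@example.com", "name": ".",
     "subject_contains": ["invoice", "payment"], "move_to_folder": "Deleted Items"},
    {"mailbox": "cfo@example.com", "name": "Newsletters",
     "from_contains": ["news@example.org"], "move_to_folder": "Reading"},
    {"mailbox": "hr@example.com", "name": "To assistant",
     "forward_to": ["pa@example.com"]},
]

if __name__ == "__main__":
    for mailbox, hits in audit_mailboxes(SAMPLE_RULES).items():
        for name, finding in hits:
            print(f"{mailbox}: rule {name!r} {finding}")
```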

Often other internal compromised accounts are cc’ed, adding some legitimacy. In several instances the attackers created a domain, web site and appropriate email addresses on a slightly different domain than the company whose invoice needed to be paid. This provided them with much more control over the conversation, including a phone number to call in the event that there is a problem with the transfer.

In several cases, once the payment detail notification was sent through, a follow-up phone call was placed to make sure it sticks and, of course, also to head off the possibility that the victim company makes a verification call.

There are a few opportunities to detect or prevent these kinds of attacks:

  • Prevent
    • Have a robust payment change process – validate using details you have in your database and call them regardless of whether someone called you
    • Don’t pay to overseas accounts – especially when previous invoices were paid within the country.
    • Check previous payments – where did they go, is this different? If so, halt the payment.
    • Disallow forwarding rules to external addresses – This won’t stop it, but does make it more difficult
    • Multi Factor Authentication (MFA) on mail 
  • Detect
    • Logins from locations other than your office
    • Logins where the IP address changes – we see many use open proxies when logging into a victim account. In logs that looks like the person travels rapidly across the globe.
    • Regularly interrogate rules created in the email product – this is often how we find the other compromised accounts. 
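
The "travels rapidly across the globe" pattern from the Detect list can be checked mechanically. The following is an added example, not code from the original diary: it assumes login events have already been enriched with an approximate latitude and longitude for the source IP, and the field names, thresholds and sample events are constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumption: roughly airliner speed; tune for your environment
MIN_KM = 100.0   # assumption: ignore small jumps from imprecise IP geolocation


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Flag consecutive logins per user whose implied speed exceeds MAX_KMH."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None or prev["ip"] == ev["ip"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # hours == 0 is checked first so simultaneous logins never divide by zero
        if km >= MIN_KM and (hours == 0 or km / hours > MAX_KMH):
            alerts.append({"user": ev["user"], "from_ip": prev["ip"],
                           "to_ip": ev["ip"], "km": round(km),
                           "hours": round(hours, 2)})
    return alerts


def _ev(ts, user, ip, lat, lon):
    return {"time": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "lat": lat, "lon": lon}


# Constructed sample logins (documentation IP ranges, approximate city coordinates).
SAMPLE_LOGINS = [
    _ev("2018-05-14T08:00:00", "bob", "192.0.2.20", -33.87, 151.21),
    _ev("2018-05-14T09:02:00", "alice", "192.0.2.10", -33.87, 151.21),
    _ev("2018-05-14T09:40:00", "alice", "198.51.100.7", 52.37, 4.90),
    _ev("2018-05-14T10:05:00", "alice", "192.0.2.10", -33.87, 151.21),
    _ev("2018-05-14T12:00:00", "bob", "203.0.113.5", -37.81, 144.96),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

In the sample, alice is flagged twice (the jump away and the jump back when the real user logs in again), while bob's four-hour move between two cities in the same country is not.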

With some education of the accounts payable team, some log monitoring, MFA on mailboxes and some decent payment change processes, this attack will be less effective and less devastating.


Mark H - Shearwater

PS if you have nice ways of detecting or preventing this kind of attack, by all means share. 





2 comment(s)


As an interesting twist, we've had two cases recently where one of my company's customers has been compromised, and they've also compromised their phone system. Calls to the customer from our business lines would either be forwarded or just ring, but a call from a personal cell phone would behave normally. It's getting tougher when "call to confirm" is broken.
Most of these I've seen involve posing as an exec and targeting the staff accountant or other person who is authorized to act on the bank account. Organizations should develop a policy that requires having a conversation (if everyone knows each other) or some escalation process that is difficult for an attacker to intercept to verify the authenticity of requests for money transfers. After all is established, executives should unambiguously and plainly declare to their employees that the policy is to be adhered to, regardless of what emails may say, and that employees will not face any repercussions for following the established policy, even if that means denying a funds transfer to an executive.

Also, your organization should know where emails on your domain are allowed to come from, right? You probably did this for your SPF record. Configure your inbound mail servers to drop (or at least, flag the heck out of) any inbound messages from the internet that have your domain in any sender/from fields, except for those services you've explicitly authorized to send mail for your domain, like mailing lists, email marketing, and phishing training.
