Business Email: Uncompromised – Part One
Published Feb 23 2021 03:00 PM 21.3K Views
Microsoft

This blog is part one of a three-part series focused on business email compromise.


Business email compromise (BEC) is a type of phishing attack that targets organizations with the goal of stealing money or critical information. BEC has become a top-of-mind concern for CISOs: according to the Federal Bureau of Investigation, in 2019 BEC was the costliest type of cybercrime, accounting for 50% of all losses worldwide. Since 2016, BEC has accounted for more than 26 billion dollars in losses. Organizations of every size, from large corporations to small businesses, have fallen victim to these attacks.

At Microsoft we have been actively working to block these attacks and to disrupt the attacker networks that propagate such crime. Microsoft Defender for Office 365 provides industry-leading capabilities to protect against these sorts of attacks.

So how do these attacks work? How can organizations best protect themselves? In this blog series, we will explore the evolution of BEC attack tactics, provide a refresher on existing and new capabilities in Defender for Office 365 that help detect these attacks, and review the best practices that customers should follow to secure themselves against BEC attacks.

Anatomy of Business Email Compromise Attacks

The classic form of business email compromise involves targeting a set of employees through emails that seem to come from an email address that visually looks like someone the employee should trust. Once that trust is established, unsuspecting employees can be asked to execute fraudulent wire transfers or to reply with critical information. Unlike other email-based threats, these attacks do not rely on malicious files or links; they rely on deceiving the recipient's trust, and they can be highly effective.

Here’s an example of a BEC attack we have observed recently.

Figure 1: A real-world BEC attack

At first glance, the email appears to come from the CEO to her employee and looks like a legitimate business request for a payment. But upon further examination we see that the sender is not the real CEO. Attackers use different techniques to make the email address look convincing.

Display name or From address look-alike (user impersonation)

Email clients use email properties like “Display Name” and “From Address” to show the sender of the email. Attackers forge these properties to make it visually look like a real sender. When we take a closer look at the below example, we see the mail came from a look-alike email address with a slightly different spelling.

Figure 2: User impersonation using a look-alike email address

Attackers often use spelling tricks or special characters to make the email name look convincing, and detecting the large number of possible combinations by eye or with basic regular expressions (regex) can be quite challenging.

Domain address look-alike (domain impersonation)

In this technique, the attacker forges an email domain that visually looks like the domain of the victim’s organization or like the domain of one of their business partners. In the example below, the email seems to come from a domain that looks like contoso.com but is spelled with a “zero” instead of an “o”.

Figure 3: Domain impersonation using a look-alike domain
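To make the user- and domain-impersonation techniques above concrete from the defender's side, here is an added example (not code from the original post or from Defender for Office 365) of the kind of normalization a look-alike check needs instead of a plain regex: confusable characters are folded to the letters they mimic, then the result is compared to a protected list with a small edit-distance tolerance. The protected users, protected domains, confusable table and sample senders are constructed for illustration.

```python
# Added example: flag display names and sender domains that visually resemble
# a protected user or domain. Not the product's algorithm; a minimal version of
# the "visual similarity" idea using normalization plus edit distance.
import re
import unicodedata

# Characters commonly swapped for the letter they resemble. Assumption: this
# small table stands in for a full Unicode confusables list.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "|": "l", "$": "s", "@": "a",
}
# Two-letter sequences that read as one letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(text):
    """Collapse accents, case, digit/symbol substitutions and multi-letter
    tricks so that visually similar strings compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = "".join(CONFUSABLES.get(c, c) for c in text)
    for bad, good in MULTI_CHAR:
        text = text.replace(bad, good)
    return re.sub(r"[^a-z0-9]", "", text)


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar(a, b, max_distance=1):
    """True when the normalized forms match exactly or are within max_distance."""
    na, nb = normalize(a), normalize(b)
    return na == nb or edit_distance(na, nb) <= max_distance


def check_sender(display_name, from_address, protected_users, protected_domains):
    """Classify one sender against protected users ({display name: real address})
    and protected domains. Returns a list of (finding, protected entry) tuples."""
    findings = []
    sender = from_address.lower()
    domain = sender.rsplit("@", 1)[-1]
    for name, real_address in protected_users.items():
        if sender == real_address.lower():
            continue  # the genuine user's own address is never impersonation
        if similar(display_name, name):
            findings.append(("user_impersonation", name))
    for protected in protected_domains:
        if domain == protected.lower():
            continue  # exact domain: authenticity is SPF/DKIM/DMARC's job
        if similar(domain, protected):
            findings.append(("domain_impersonation", protected))
    return findings


# Constructed sample data for a quick run.
PROTECTED_USERS = {"Megan Bowen": "megan.bowen@contoso.com"}
PROTECTED_DOMAINS = ["contoso.com"]

if __name__ == "__main__":
    for name, addr in [("Megan Bowen", "megan.bowen@contos0.com"),
                       ("Meg4n B0wen", "mbowen@gmail.example"),
                       ("Megan Bowen", "megan.bowen@contoso.com")]:
        print(name, addr, check_sender(name, addr, PROTECTED_USERS, PROTECTED_DOMAINS))
```

The exact-domain case is deliberately skipped here: a sender that uses the real contoso.com is either legitimate or a spoof, and that distinction is made by the email authentication checks described later, not by visual similarity.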


Exact Domain Spoofing

In this technique, the attacker forges the domain so that it is exactly the domain of the victim’s organization or of one of their business partners. Since the domains are identical, this makes for a more convincing attack. Email protocols rely on email authentication standards such as SPF, DKIM, and DMARC to let domain owners “authenticate” their mail. If a domain owner has not configured these settings, an attacker can spoof the domain so that an email looks legitimate even though it actually comes from the attacker’s mail server. In the example below, when we inspect the mail, the domain the victim sees is contoso.com, but the actual sender is different.

Figure 4: Domain spoofing achieved through forgery

We refer to these classic attacks as single stage attacks. We see attackers leverage one or more of the above techniques to impersonate or spoof executives, business partners, IT/HR staff and more. The email content can be a simple request to purchase gift cards, to provide HR or financial data, or to process an invoice with updated payment details.

Figure 5: Single stage BEC attacks

Now that we have reviewed the attack techniques, let’s take a closer look at how we can protect against them.


User & Domain Impersonation Protection in Defender for Office 365

Detecting user and domain impersonation at scale and in a fast-evolving attack landscape requires systems that can quickly understand relationships between senders and recipients, detect anomalies in those relationships and detect “visual similarity” across many possible combinations.


Configuring AI-powered and policy-based protections

Microsoft Defender for Office 365 does this by employing a capability called Mailbox Intelligence, an AI-powered technology that builds a communication graph of every user. Once enabled, this system continuously learns about a user’s email patterns and their communication graph. When a BEC email is received, the system automatically detects an anomaly against the user’s graph. It then runs a powerful multi-pass algorithm to detect “visual similarity” across a large combination of user and domain names.


Security administrators can configure user, domain, and mailbox intelligence-based protection settings in the Anti-Phishing Policy within the Security Center. Once configured, these capabilities protect all users in the organization from attacks that impersonate any of their communication contacts. Since anyone in an organization can be targeted by impersonation attacks, this protection needs to cover every user, not only a hand-picked few.


Figure 6: Mailbox Intelligence uses AI to build a communication graph for every user
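The anomaly check described above, reduced to its core, as an added toy example (not Mailbox Intelligence's code): learn each recipient's communication graph from past mail, then flag an incoming message whose display name belongs to a contact the recipient already knows but whose address has never been seen. The message history and the addresses are constructed for illustration.

```python
# Added example: a minimal "communication graph" that records which sender
# addresses each recipient has really exchanged mail with, and flags the
# classic BEC pattern of a familiar display name arriving from an unfamiliar
# address. Not the product's algorithm; data below is constructed.
from collections import defaultdict

# Constructed history: (recipient, sender display name, sender address).
HISTORY = [
    ("alex@contoso.com", "Megan Bowen", "megan.bowen@contoso.com"),
    ("alex@contoso.com", "Megan Bowen", "megan.bowen@contoso.com"),
    ("alex@contoso.com", "Adele Vance", "adele@fabrikam.com"),
    ("lee@contoso.com", "Megan Bowen", "megan.bowen@contoso.com"),
]


def build_graph(history):
    """Return {recipient: {sender_address: {"count": n, "names": set()}}}.
    Each edge remembers how often it was used and which display names
    the sender used on it."""
    graph = defaultdict(dict)
    for recipient, name, address in history:
        edges = graph[recipient.lower()]
        entry = edges.setdefault(address.lower(), {"count": 0, "names": set()})
        entry["count"] += 1
        entry["names"].add(name.strip().lower())
    return graph


def classify(graph, recipient, display_name, from_address):
    """Return anomaly labels for one incoming message, or [] if the sender is
    an established contact of this recipient."""
    contacts = graph.get(recipient.lower(), {})
    address = from_address.lower()
    name = display_name.strip().lower()
    if address in contacts:
        return []
    labels = ["first_contact"]
    # A display name the recipient knows, now on an address they have never
    # seen, is the pattern the post's Figure 1 and Figure 2 illustrate.
    for known_address, entry in contacts.items():
        if name in entry["names"]:
            labels.append("known_name_new_address:" + known_address)
    return labels


if __name__ == "__main__":
    g = build_graph(HISTORY)
    print(classify(g, "alex@contoso.com", "Megan Bowen", "ceo.megan@outlook.example"))
```

A real deployment would weight the edges by recency and volume and would combine this verdict with the look-alike and authentication checks rather than act on first contact alone, since a genuinely new vendor also produces a first-contact signal.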


We introduced these capabilities in Defender for Office 365 in 2018 and we are constantly updating them based on the latest threat patterns.


Hunting for BEC Attacks (Coming Soon!)

Given the targeted nature of BEC attacks, security analysts are looking for additional ways to analyze and hunt for information about these attacks in their environment.


To help SecOps teams respond more efficiently to impersonation-based attacks, we are rolling out new pivots in Threat Explorer that let your security analysts hunt for user and domain impersonation attempts in your organization. Threat Explorer helps security teams investigate and respond to threats efficiently, and these new capabilities allow analysts to dive deeper into potential BEC attacks. The new pivots will help security analysts answer questions like “Who is impersonating my CEO?”, “Who is being targeted?”, “Is a protected domain of my organization being impersonated?” and “Are we seeing any false positives?” Admins can also configure alerts to be notified and Threat Tracker queries to quickly discover new attacks.

Figure 7: Use Threat Explorer to hunt for impersonated users

Domain Spoofing Protection & Email Authentication Checks in Defender for Office 365


Preventing spoofing with email authentication standards

To identify spoofing attempts, email authentication standards like SPF, DKIM, and DMARC are evaluated on every incoming message. Office 365 honors these standards for domains that have properly configured them. Emails that fail DMARC checks will be sent to quarantine or routed to junk mail. You can learn more about email authentication in Office 365, and its implications for spoofing, here.

Spoof Intelligence to prevent spoofing attacks

While DMARC is a valuable tool in the email ecosystem, our service-wide telemetry indicates that a large number of the domains that send email into your organization have not implemented DMARC or do not enforce it. This leaves your organization vulnerable, since these domains can still be spoofed, leaving the door open to business email compromise. This is important: if your partners and vendors have not enforced DMARC on their domains, attackers can spoof those domains in deceptive emails to your users.

To address this challenge, Defender for Office 365 and Exchange Online Protection (EOP) use an industry-first technology called Spoof Intelligence. It uses advanced algorithms to learn a domain’s email sending patterns and can flag anomalies. Most importantly, through Spoof Intelligence, Defender for Office 365 and EOP extend spoofing protection to domains that have not implemented DMARC yet.

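The two paragraphs above, and the exact-domain spoofing section earlier, describe a layered decision: DMARC gives a definitive verdict only when the domain owner publishes an enforcing policy, and something like Spoof Intelligence has to fill the gap for domains with p=none or no record at all. The following added example (not code from the post or from EOP) walks through that decision for a few constructed messages. The DMARC records, the baseline of known sending hosts, and the message details are all constructed; real DMARC records would be fetched from DNS at _dmarc.&lt;domain&gt;, and the baseline is a stand-in for what Spoof Intelligence learns from sending patterns.

```python
# Added example: combine SPF/DKIM results with a domain's DMARC policy, and
# fall back to a learned sending-host baseline when DMARC is not enforcing.
# All records, baselines and messages below are constructed for illustration.

# Constructed DMARC records keyed by header-From domain. None = no record.
DMARC_RECORDS = {
    "contoso.com": "v=DMARC1; p=reject; aspf=s; adkim=r",
    "fabrikam.com": "v=DMARC1; p=none",
    "tailspintoys.com": None,
}

# Constructed baseline: hosts previously observed sending for each domain
# (stands in for the patterns a Spoof Intelligence-style system learns).
SEEN_SENDERS = {
    "fabrikam.com": {"mail.fabrikam.com"},
    "tailspintoys.com": {"smtp.tailspintoys.com"},
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, defaulting alignment to relaxed.
    Returns None for a missing or non-DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain
    # (a real implementation consults the public suffix list).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_domain, mode):
    """Strict alignment requires an exact match; relaxed accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == header_domain.lower()
    return org_domain(auth_domain) == org_domain(header_domain)


def dmarc_verdict(header_from_domain, spf_pass_domain, dkim_pass_domain, records=DMARC_RECORDS):
    """spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM
    (None if that check failed). Returns (verdict, reason) where verdict is
    'pass', 'reject', 'quarantine', 'none' (record present but not enforcing)
    or 'no_policy' (no record)."""
    policy = parse_dmarc(records.get(header_from_domain.lower()))
    aspf = policy["aspf"] if policy else "r"
    adkim = policy["adkim"] if policy else "r"
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, header_from_domain, aspf)
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, header_from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("spf" if spf_ok else "dkim")
    if policy is None:
        return "no_policy", "no DMARC record"
    p = policy.get("p", "none")
    if p in ("reject", "quarantine"):
        return p, "failed authentication under p=" + p
    return "none", "failed authentication but p=none"


def spoof_check(header_from_domain, sending_host, spf_pass_domain, dkim_pass_domain,
                baseline=SEEN_SENDERS, records=DMARC_RECORDS):
    """DMARC first; when it gives no enforceable answer, consult the baseline of
    hosts that normally send for the domain. Returns (action, reason)."""
    verdict, reason = dmarc_verdict(header_from_domain, spf_pass_domain, dkim_pass_domain, records)
    if verdict == "pass":
        return "deliver", reason
    if verdict in ("reject", "quarantine"):
        return verdict, reason
    # p=none or no record: DMARC alone would let the spoof through.
    known = baseline.get(header_from_domain.lower(), set())
    if sending_host.lower() in known:
        return "deliver", reason + "; host matches sending baseline"
    return "quarantine", reason + "; unseen sending host " + sending_host


if __name__ == "__main__":
    print(spoof_check("fabrikam.com", "evil-relay.example", "attacker.example", None))
    print(spoof_check("contoso.com", "mail.contoso.com", "mail.contoso.com", None))
```

Note the second sample call: with aspf=s, mail sent from a subdomain that passes SPF only as mail.contoso.com is not aligned with a header-From of contoso.com, so it is rejected. Strict alignment is a common source of false positives when a domain owner tightens its policy without also aligning its sending infrastructure.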

Both spoof protection capabilities are enabled by default and are being constantly updated to learn from latest attacks.


Coming up in Part 2…

BEC attacks can be fairly complex and look extremely convincing. And they can result in a lot of damage to organizations that don’t have the appropriate protection. In this blog, we’ve looked at one flavor of BEC attacks – single stage attacks. We have also seen how capabilities in Defender for Office 365, described above, prevent the core components of business email compromise. In the next blog post, we’ll dive into more advanced flavors of BEC attacks, and talk about the different capabilities in Microsoft Defender for Office 365 that help you prevent, detect, and respond to multi-stage BEC attacks. Stay tuned!


Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

5 Comments
Bronze Contributor

Thanks for the comprehensive blog regarding the actual state of Business Email Compromise attacks.


In case the Spoof Intelligence service of Defender for Office 365 and Exchange Online Protection (EOP) detects a sender that might be impersonating a domain that's associated with the organization, a message is delivered to the user. Thanks for that functionality! I have two questions regarding that functionality:

1. Is it possible to change the impersonation recognition message, e.g. so an organization can tailor it to their company's tone of voice?

2. Is it possible for a company to create a list of "trusted" domains for which we don't want to display this message? This could be valuable for a sender domain that has not implemented DMARC yet, but the receiving company currently / temporarily accepts this domain. Therefore, the organization doesn't want the message for that domain to be displayed to the receiving user/employee.



Copper Contributor

Thanks. Appreciate that.

Microsoft

@Harold van de Kamp 

Thanks for the feedback, Harold! We are happy to hear that you find the safety tip useful.

1. Currently, we do not support customization of this safety tip shown to the end users; however, we would like to know what type of custom message you would like to show the end users (perhaps an example) and we can look into this in the future.

2. Yes, currently we support this such that an administrator can add “trusted” domains and senders to a list. Note, in this case the message will not be flagged as an impersonation at all and the safety tip message will not be shown on the email to the receiving user. Separately, you can choose to enable the Domain and User impersonation protection, so the messages get scanned for impersonation, and yet turn off the option to display safety tips to the receiving users.
Copper Contributor

@Giulian Garruba do we have part 2 posted? My question is around how to read the audit logs when investigating BEC. E.g. a mailboxlogin entry is registered, but no other actions are performed: does it mean that the email was not viewed nor accessed? Also, if we don't have E5 premium audit features and can't see what mail item would have been accessed, can we somehow determine if a mailbox synchronization action occurred (mailbox copied for offline use)?


Microsoft

@vladcraw the full series is available here: aka.ms/Uncompromised

Version history: last updated Jan 25 2023 09:57 AM