Trend Micro Incorporated : Analyzing Email Services Abused for Business Email Compromise

Figure 17. A BEC email sender using separate words or letters in the subject line. Screenshot sourced from VirusTotal

Conclusion

Unlike other cybercriminal schemes, phishing and BEC scams can be tricky to detect as they are targeted toward specific recipients. Attackers seek to compromise email accounts to gain access to financial and other sensitive information related to business operations, and BEC actors can easily use such access and information for other illicit activities. In the sample routines discussed here, the attackers' emails themselves do not include the typical malware payload of malicious attachments. As a result, traditional security solutions will not be able to protect accounts and systems from such attacks.

From our observations, BEC attacks don't only target high-profile users but also any employee that can be found on social media networks with significant personal information published (such as LinkedIn). These pieces of information can be used to spoof employees and partners, and cause significant financial damage to businesses.

As we observed professional email services being used for BEC attacks, we believe BEC actors will keep adopting new services and tools to optimize their operations flow as email services try to optimize services for their legitimate users. Targets in the Americas and Europe will continue to be targeted as sources of profit for these scams and will likely continue as companies see remote work becoming more mainstream, whether it be for their own operations or their managed service providers' (MSPs). Companies and employees will have to keep their guard up to mitigate the risks from BEC and other email-based scams:

• Educate and train employees. Deflect company intrusions through continuous InfoSec education. All company personnel - from the CEO to rank-and-file employees - must be aware of the various techniques and kinds of scams, and the procedure to follow when they encounter an attack attempt.
• Confirm requests using other channels. Avoid clicking on embedded links or directly replying to the email addresses used in the email. Exercise caution by following a verification system among employees who handle sensitive information, such as multiple personnel sign-off or additional verification protocols.
• Scrutinize all emails. Be wary of irregular emails with suspicious content such as unknown and dubious sender emails, domain names, writing styles, and urgent requests. Report suspicious emails to the respective security and InfoSec teams for analysis, tracking, and blocking.

Trend Micro solutions

Trend Micro protects both small- to medium-sized businesses and enterprises against phishing- and BEC-related emails. Using enhanced machine learning combined with expert rules, Trend Micro™ Email Security solution analyzes both the header and the content of an email to stop BEC and other email threats. For source verification and authentication, it uses Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting and Conformance (DMARC).

The Trend Micro™ Cloud App Security solution enhances the security of Microsoft Office 365 and other cloud services through sandbox malware analysis for BEC and other advanced threats. It uses Writing Style DNA, Display Name Spoofing, and High-Profile domain to detect BEC impersonations and computer vision to find credential-stealing phishing sites with Advanced Spam Protection enabled. It also protects cloud file sharing from threats and data loss by controlling sensitive data usage.

Indicators of Compromise (IOCs)

For the full list of IOCs, you may download the text file here.