Business Email Compromise (BEC) Response and Investigation

Our experts have honed every step of the investigative process and created unique tools for multiple platforms to deliver timely and defensible answers for BEC challenges—from misdirected payments to the compromise of sensitive data or unauthorized access to the greater network environment. 

What is Business Email Compromise?

Business email compromise is the unauthorized access to one or more mailboxes by a threat actor. Threat actors have historically performed BEC attacks in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account. While financial fraud is still a primary goal, actors are increasingly evolving BEC attacks to gain greater access—from exploring connected SharePoint, OneDrive and Teams areas to pivoting to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data. 

Common BEC Attack Vectors and Mitigation Steps

BEC attacks most commonly begin with a phishing email message that contains a malicious attachment or layered redirect links to credential harvesting websites. In recent years, Kroll has observed threat actors evolving their tactics to include:

• Phishing via voicemail (vishing) and text message (smishing)
• Multi-factor authentication (MFA) prompt bombing or MFA fatigue
• Adversary-in-the-middle (AiTM) phishing campaigns where threat actors can steal passwords and hijack active user sessions even with MFA enabled.
• Leveraging passwords exposed in an unrelated third-party breach, especially in the case of credential reuse (the habit of using the same or similar password for multiple accounts)
• Exploiting software vulnerabilities to include those in Microsoft Exchange servers 
• Exploiting access gained in a ransomware attack to compromise email accounts
• Exfiltrating and deleting cloud data and then ransoming to not release the stolen information

Recently, Kroll experts demonstrated an evolution in threat actor tactics by using the data transfer program Rclone via a compromised M365 account to download a massive number of files from SharePoint—all without remote access to a host. This new tactic, M365 Theft/Extortion, follows a similar threat actor pattern commonly seen in more traditional incident response type matters.

Kroll offers a number of solutions in order to protect your organization from falling victim to a business email compromise attack: 

Full Service BEC Investigations 

Our forensic investigators and analysts can do a full tenant review, including full log analysis where Kroll reviews for suspicious activity related to previously identified indicators of compromise (IOC), as well as foreign logins or access to mailboxes within an email environment, Enterprise mail rule review and a detailed forensic report.

Fixed Fee BEC Solution 

Our experts have created an efficient, budget-friendly automated tool that provides a simplified report of the investigative findings. This tool will answer key questions to help determine the extent of the compromise on an effected account/tenant.