Microsoft has released its fourth edition of Cyber Signals, highlighting a surge in cybercriminal activity around business email compromise (BEC).
Cyber Signals is a cyber threat intelligence brief spotlighting security trends and insights gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts.
Key insights shared in this edition report that between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an average of 156,000 attempts daily.
Microsoft also observed a 38% increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.
One of these services is BulletProftLink which creates industrial-scale malicious mail campaigns, selling end-to-end services, including templates, hosting, and automated services for BEC.
According to the report, Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages.
Here they trick victims into providing financial information or taking direct action, like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.
Threat actors' BEC attempts can also take the form of phone calls, text messages, emails, or social media outreach.
Although threat actors have created specialised tools to facilitate BEC, Microsoft suggests various methods enterprises can employ to pre-empt attacks and mitigate risk.
Businesses should leverage cloud apps that utilise AI capabilities to enhance defences, adding advanced phishing protection and suspicious forwarding detection.
Businesses must secure identities to prohibit lateral movement by controlling access to apps and data with Zero Trust and automated identity governance.
Adopting a secure payment platform can also reduce the risk of fraudulent activity by switching from email invoices to a system specifically designed to authenticate payments.
Lastly, continuous employee education is vital in equipping them to spot fraudulent and malicious emails, such as a mismatch in domain and email addresses, and understanding the potential risks and costs associated with successful BEC attacks.
Vasu Jakkal, Corporate Vice President of Security, Compliance, Identity, and Management at Microsoft, says: “BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance and cyber risk officers at the table alongside business executives and leaders, finance employees, human resource managers and others with access to employee records."
“While we must enhance existing defences through AI capabilities and phishing protection, enterprises need to train employees to spot warning signs to prevent BEC attacks.”
Mark Anderson, National Security Officer at Microsoft ANZ, says: "This report shows that Business Email Compromise (BEC) demands our immediate attention within the Australian cyber landscape.”
“BEC threat actors, unlike ransomware operators, operate in stealth attempting to extract money without anyone noticing by injecting themselves into business process, so it’s often not the ones making the news headlines, yet with the growth in cybercrime-as-a-service targeting business email, we must prioritise how we combat this growing threat."
“By fostering a culture of cyber resilience, we can enhance our collective defences against BEC and other attacks to safeguard better the integrity of Australian businesses from devastating financial consequences."
“A key element is ongoing employee awareness to the types of techniques and approaches used by BEC operators, and then empowering staff to act upon any red flags to proactively mitigate the risks associated with BEC attacks, alongside equipping our defences with advanced technologies, such as AI capabilities and robust phishing protection is essential too,” says Anderson.