This article is contributed. See the original author and article here.

This blog is part two of a three-part series focused on business email compromise.


In the previous blog in this series, we described the components of a classic (or single stage) BEC attack and showed how Microsoft Defender for Office 365 helps you protect against them. In this post, we will look at how BEC attacks have evolved and how new capabilities in Defender for Office 365 provide additional security layers to keep your organizations safe against these evolving patterns.


Understanding Evolving BEC Attack Patterns

In recent years, we have seen BEC attacks grow more complex and now involve multiple stages. Here is how they work:

  1. Once the attacker has identified the target organization, they attempt to compromise the email account of the victim through techniques like credential phishing or reusing previously leaked passwords.

  2. The attacker subsequently sets up a forwarding rule on the victim’s email account. This enables the attacker to conduct reconnaissance on the target and monitor new emails from partners or vendors, typically those that involve a financial exchange.

  3. Once a transaction of interest is identified, the attacker inserts themselves in the middle of an active email conversation through the tactics we described in our previous blog: using either user or domain impersonation, or a domain spoofing attack. The idea is to dupe the victim into trusting the attacker (who’s posing as the trusted vendor) and taking specific actions. The attacker can carry out multiple parallel conversations posing as one entity to another.

  4. Finally, the attacker modifies the wire transfer or financial transaction details, leading the victim to process a fake invoice.


Figure 1: The stages of multi-stage BEC attacksFigure 1: The stages of multi-stage BEC attacks


In recent months, we have updated Defender for Office 365 in multiple ways to help customers secure themselves against each stage of these evolving attack patterns.


Preventing Credential Phishing & Account Compromise

In the stages we discussed above, the first step is typically account compromise using a tactic like credential phishing. To block credential phishing mails, Defender for Office 365 is constantly updating its multi-layered email filtering stack which includes capabilities such as Safe Links, Safe Attachments and multiple machine learning models that scan and sandbox emails, files, and URLs to detect credential harvesting sites and block them. Additionally, Safe Links provides time-of-click protection for links in emails and is integrated into Office apps like Word, Excel and PowerPoint, to block exposure to malicious sites. Safe Links capabilities are available for both mails that come from outside your organization and internal mails within your organization. Defender for Office 365 is the only solution that can provide internal email protection within the compliance boundary of Office 365. No need to journal mails to external systems or grant mailbox access to external services.


We have also recently updated our machine learning models that detect anomalous account behavior and trigger alerts. You can learn more about how Defender for Office 365 identifies, automatically investigates, and remediates compromised user accounts.


Office 365 customers that leverage Azure Active Directory for identity access management can configure security defaults that enable Multi-Factor Authentication and disable legacy authentication for your Office 365 environment. This eliminates risk of password spray and account compromise in more than 99.9% of cases.


External Email Forwarding in Office 365 Now Disabled by Default

As we move to the next step in the typical multi-stage attack, we must turn our attention to external forwarding. External forwarding allows attackers to establish persistence and learn more about their victims. We have rolled out a new option in the outbound spam policy that disables external forwarding by default. Additionally, to help our customers get to a secure posture, this policy has been retroactively applied to existing Office 365 mailboxes. This has helped disrupt any existing compromised accounts and BEC activities.


For legitimate scenarios that require email forwarding, administrators can create custom policies and enable forwarding for select mailboxes, while keeping it disabled for the rest of their users. You can learn more about controlling external forwarding in Defender for Office 365 here.



Figure 2: Configure automatic forwarding in the outbound spam policyFigure 2: Configure automatic forwarding in the outbound spam policy


New and Improved Suspicious Forwarding Alerts

In addition to disabling external forwarding by default, Defender for Office 365 has introduced a new alert that detects suspicious forwarding related activity. The alert can warn administrators when suspicious forwarding activity is detected and enables them to conduct further investigation, remediate the account, and prevent any suspicious wire transfer activities.


Figure 3: Suspicious email forwarding activity alertsFigure 3: Suspicious email forwarding activity alerts



Tools to Improve User Awareness

Employees are an organization’s greatest asset, but they are also susceptible to falling prey to these evolving attacks. An important way to strengthen your defenses against all cyber threats is through user awareness.


For awareness programs to be successful, they must offer intuitive learning moments for your employees. What differentiates Microsoft from all other email security vendors is our ability to natively integrate security features into the products like Outlook and Office 365 apps. This integration provides both protection and awareness for your users.


New Safety Tips Options

Defender for Office 365 already provides various safety tips that are shown to end users of an email to enhance user awareness. We recently launched a new safety tip that enables email users to self-detect suspicious emails based on a signal related to first time contact between a sender and recipient(s).


If you receive an email from a sender for the first time or do not often get emails from this sender, you will see a safety tip displayed in your Outlook client as shown below to warn you that this email might be suspicious.



Figure 4: First contact safety tip warns users of suspicious emailFigure 4: First contact safety tip warns users of suspicious email


Imagine being in the middle of an email chain with your business partner or vendor and receiving this warning message. That is a strong indicator of a potential business email compromise attempt. This capability adds an extra layer of security protection and creates awareness for users against such attacks.


You can learn more about configuring first contact safety tips in your Office 365 tenant.


Native Link Rendering

Phishing trainings usually educate users to verify links in email apps by hovering over these links to reveal their destination. Many email security products rewrite these URLs, making it difficult for users to decipher the destination URL and reducing the value of the training.  Safe Links in Defender for Office 365 goes beyond rewriting URLs and natively integrates with Outlook and Office 365 apps. Native link rendering allows users to see the destination URL when they hover over the link, but still protects them from malicious links by evaluating these links at time-of-click. This capability is unique to Defender for Office 365, and its native integrations with Office apps preserve your investments in phishing and user awareness training.


Attack Simulation & Training

It’s critical that your end users are trained to spot suspicious messages and the indicators we’ve discussed so far, and the most effective way to train your users is to emulate real threats with intelligent simulations. In January we announced the general availability of Attack simulation training in Microsoft Defender for Office 365. Rebuilt from the ground up, Attack simulation training enables customers to train their employees to recognize red flags that might indicate a business email compromise attack. Industry-leading training from Terranova Security caters to diverse learning styles, engaging employees in defending the organization. You can learn more about these new capabilities here.



Figure 5: Attack simulation training engages employees in defending the organizationFigure 5: Attack simulation training engages employees in defending the organization



Coming up in Part 3….

In this blog we covered several ways that Microsoft Defender for Office 365 has been updated to help prevent evolving business email compromise attacks. We encourage readers to review these new capabilities and enable them in their environments.


In the next post in this series, we will look at the impact of these protections and the work we are doing outside the product in partnership with other security teams at Microsoft to further secure our customers. We’ll wrap up the series with best practice recommendations to ensure your organization stays protected against business email compromise attacks. Stay tuned!


Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.