Business email compromise has emerged as a critical threat as threat actors shift their tactics and increase the sophistication of attacks designed to take over business email accounts, including leveraging residential IP addresses to hide the attacks, Microsoft says in a new Cyber Signals report.
The report, the fourth such edition of Microsoft’s cybersecurity research report, finds cybercrime as a service targeting business email has skyrocketed, rising 38% between 2019 and 2022.
In addition, Microsoft says it detected and investigated a whopping 35 million business email compromise (BEC) attempts between April 2022 and April 2023, good for an adjusted average of 156,000 daily attempts to take over a business email account.
The company also cites the FBI’s Recovery Asset Team, which initiated the Financial Fraud Kill Chain on more than 2,800 BEC complaints involving domestic transactions, with potential losses of nearly $600 million.
Business email compromise attacks leveraging residential IP addresses
In the Cyber Signals report, Microsoft identifies a significant trend in attackers’ use of platforms like BulletProftLink, a popular platform for creating industrial-scale malicious email campaigns. The company describes BulletProftLink as a service that sells an end-to-end package including templates, hosting and automated services for BEC.
Threat actors using that service receive the victim’s credentials and IP address. They then purchase IP addresses from residential IP services that match the victim’s location and use them as residential IP proxies to mask their true origin.
With localized address space to support their activities in addition to usernames and passwords, BEC attackers can further obscure their movements, circumvent “impossible travel” flags and open a gateway to conduct further attacks, Microsoft says.
“Impossible travel,” Microsoft says, is a detection used to indicate that a user account might be compromised: it flags cases where a task is being performed from two locations without enough time having passed to travel from one location to the other.
This rising trend could escalate the use of residential IP addresses to evade detection, Microsoft says, as residential IP addresses mapped to locations at scale provide the ability and opportunity for hackers to gather large volumes of compromised credentials and access accounts.
According to Microsoft, threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks.
“One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second,” Microsoft says in the report.
Microsoft says BulletProftLink offers a decentralized gateway design that includes Internet Computer public blockchain nodes to host phishing and BEC sites, creating a sophisticated decentralized web offering that is difficult to disrupt. This is a notable shift from other phishing-as-a-service tools like Evil Proxy, Naked Pages and Caffeine that deploy phishing campaigns and obtain compromised credentials.
“Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex,” Microsoft says. “While you can remove a phishing link, the content remains online, and cybercriminals return to create a new link to existing CaaS content.”
Business email compromise evasion tactics
According to Microsoft, business email compromise phishing emails typically target executives and other senior leaders, finance managers and human resources staff with access to sensitive employee information. However, all types of BEC attacks are on the rise, Microsoft says in the report.
A phishing lure email is the most common type of business email compromise phishing email (62%), followed by payroll (15%), invoice (8.29%), gift card (5%), business information (4.4%) and others.
Business email compromise attacks are typically designed to be relatively quiet, leveraging social engineering and deception rather than attacking unpatched vulnerabilities, dropping malware or sending extortion messages.
“Instead of novel malware, BEC adversaries align their tactics to focus on tools improving the scale, plausibility, and inbox success rate of malicious messages,” Microsoft says.
On the residential IP address trend, Microsoft says these attacks can be rapidly scaled to make detection with traditional tools difficult, as variances in login locations are not inherently malicious. In the distributed work environment, a user could be logged into a business application via a Wi-Fi connection and be signed into the same apps on their smartphone’s cellular network. This makes “impossible travel” flag policies difficult to design.
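To make the detection the article describes concrete, here is an added Python example (it is not code from Microsoft’s report or from any Microsoft product) that runs a simple impossible-travel check over a few constructed sign-in records. It assumes each sign-in has already been geolocated to a latitude and longitude; the airliner-speed threshold and the 100 km minimum distance are assumptions chosen for the example, not figures from the report.

```python
import math
from datetime import datetime

# Constructed sample sign-in events, not data from the Cyber Signals report.
# Fields: user, UTC timestamp, latitude, longitude, description of the source network.
SIGNINS = [
    ("alice", "2023-05-01T09:00:00Z", 47.61, -122.33, "office Wi-Fi, Seattle"),
    ("alice", "2023-05-01T09:20:00Z", 47.45, -122.30, "cellular, Seattle area"),
    ("alice", "2023-05-01T10:00:00Z", 40.71, -74.01, "unknown network, New York"),
    ("bob", "2023-05-01T13:00:00Z", 51.51, -0.13, "home broadband, London"),
    ("bob", "2023-05-01T13:45:00Z", 51.52, -0.12, "residential proxy, London"),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(rows):
    """Turn the raw tuples into dicts with real datetimes, sorted by user then time."""
    events = []
    for user, ts, lat, lon, label in rows:
        events.append({
            "user": user,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "lat": lat,
            "lon": lon,
            "label": label,
        })
    events.sort(key=lambda e: (e["user"], e["time"]))
    return events


def detect_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins by the same user that would require travelling
    faster than max_speed_kmh (roughly airliner speed; an assumed threshold).

    min_distance_km suppresses the Wi-Fi-versus-cellular case from the article:
    two nearby IP geolocations within minutes imply a huge speed but are not
    evidence of compromise, so short hops are ignored regardless of speed.
    """
    alerts = []
    previous = {}
    for ev in events:
        prev = previous.get(ev["user"])
        previous[ev["user"]] = ev
        if prev is None:
            continue
        distance = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600.0
        if distance < min_distance_km:
            continue
        speed = distance / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append({
                "user": ev["user"],
                "from": prev["label"],
                "to": ev["label"],
                "distance_km": round(distance, 1),
                "speed_kmh": round(speed, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_events(SIGNINS)):
        print(alert)
```

Running it flags only Alice’s Seattle-to-New York hop, which would need a speed of several thousand km/h. Her Wi-Fi and cellular sign-ins a few kilometres apart are not flagged, which is the legitimate variance the article warns about. Bob’s second sign-in, from a residential proxy geolocated next to his home, is also not flagged: that silence is exactly the evasion the report describes, so a distance-and-time rule on its own is not enough and needs to be paired with other signals such as device or sender reputation.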
In addition, attackers are increasingly routing malicious mail and other activity through address space near their targets, Microsoft says.
How to protect against business email compromise
To help organizations protect against business email compromise attacks, Microsoft offers several recommendations:
- Use a secure email solution that leverages AI capabilities and phishing protections.
- Configure email to flag messages sent from external users, enable notifications for unverified email senders, block suspicious senders and use reporting to flag suspicious emails.
- Use multi-factor authentication for email accounts.
- Educate employees on how to spot suspicious emails.
- Secure identities with Zero Trust tools to prohibit lateral movement.
- Use a secure payment platform to eliminate the threat of invoice-based phishing emails.
- Take extra steps to verify the authenticity of financial transactions via email.