Microsoft Warns of Increase in Business Email Compromise Attacks

Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated.

This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.


We are all cybersecurity defenders. If you want to learn more about securing your environment you can schedule a FREE security audit

Microsoft’s Digital Crimes Unit has observed a 38 percent increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.

Cybercriminal activity around business email compromise is accelerating. Microsoft observes a significant trend in attackers’ use of platforms, like BulletProftLink, a popular platform for creating industrial-scale malicious mail campaigns. BulletProftLink sells an end-to-end service including templates, hosting, and automated services for BEC. Adversaries using this CaaS receive credentials and the IP address of the victim.

BEC threat actors then purchase IP addresses from residential IP services matching the victim’s location creating residential IP proxies which empower cybercriminals to mask their origin. Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent “impossible travel” flags, and open a gateway to conduct further attacks. Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic.

Impossible travel is a detection used to indicate that a user account might be compromised. These alerts flag physical restrictions that indicate a task is being performed in two locations, without the appropriate amount of time to travel from one location to the other.


The specialization and consolidation of this sector of the cybercrime economy could escalate the use of residential IP addresses to evade detection. Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.

While threat actors use phishing-as-a-service like Evil Proxy, Naked Pages, and Caffeine to deploy phishing campaigns and obtain compromised credentials, BulletProftLink offers a decentralized gateway design, which includes Internet Computer public blockchain nodes to host phishing and BEC sites, creating an even more sophisticated decentralized web offering that’s much harder to disrupt. Distributing these sites’ infrastructure across the complexity and evolving growth of public blockchains makes identifying them, and aligning takedown actions, more complex. While you can remove a phishing link, the content remains online, and cybercriminals return to create a new link to existing CaaS content.

Successful BEC attacks cost organizations hundreds of millions of dollars annually. In 2022, the FBI’s Recovery Asset Team initiated the Financial Fraud Kill Chain on 2,838 BEC complaints involving domestic transactions with potential losses of over $590 million


Although the financial implications are significant, wider long-term damages can include identity theft if personally identifiable information (PII) is compromised, or loss of confidential data if sensitive correspondence or intellectual property are exposed in malicious email and message traffic.


Maximize security settings protecting your inbox: Enterprises can configure their mail systems to flag messages sent from external parties. Enable notifications for when mail senders are not verified. Block senders with identities you cannot independently confirm and report their mails as phishing or spam in email apps. Set up strong authentication: Make email harder to compromise by turning on multifactor authentication, which requires a code, PIN, or fingerprint to log in as well as your password. MFA-enabled accounts are more resistant to the risk of compromised credentials and brute-force login attempts, regardless of address space attackers use. Train employees to spot warning signs: Educate employees to spot fraudulent and other malicious emails, such as a mismatch in domain and email addresses, and the risk and cost associated with successful BEC attacks.


Although threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting C-Suite leaders, accounts payable leads and other specific roles, enterprises can employ methods to pre-empt attacks and mitigate risk.


For example, a domain-based message authentication, reporting, and conformance (DMARC) policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an organization to be made aware of the source of an apparent forgery, information that they would not normally receive.


Although organizations are a few years into managing fully remote or hybrid workforces, rethinking security awareness in the hybrid work era is still needed. Because employees are working with more vendors and contractors, thereby receiving more “first seen” emails, it’s imperative to be conscious of what these changes in work rhythms and correspondence mean for your attack surface.


Threat actors’ BEC attempts can take many forms – including phone calls, text messages, emails, or social media messages. Spoofing authentication request messages and impersonating individuals and companies are also common tactics.


A good first defensive step is strengthening policies for accounting, internal controls, payroll, or human resource departments on how to respond when requests or notifications of changes regarding payment instruments, banking or wire transfers are received. Taking a step back to sideline requests that suspiciously do not follow policies, or contacting a requesting entity through its legitimate site and representatives, can save organizations from staggering losses.

BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with executives and leaders, finance employees, human resource managers and others with access to employee records like Social Security numbers, tax statements, contact info, and schedules, at the table alongside IT, compliance, and cyber risk officers.


Recommendations: Use a secure e-mail solution: Today’s email cloud platforms use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies. Secure identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance. At Impress Computers we now offer Graphus Advanced Ai protection for all of our clients.


Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments. Hit pause and use a phone call to verify financial transactions: A quick phone conversation to confirm something is legitimate is well worth the time, instead of assuming with a quick reply or click, which could lead to theft. Establish policies and expectations reminding employees it’s important to contact organizations or individuals directly—and not use information supplied in suspect messages—to double-check financial and other requests. Learn more about BEC and Iranian threat actors with insights from Simeon Kakpovi, Senior Threat Intelligence Analyst.