Nearly all forms of Business Email Compromise (BEC) attacks are on the rise, according to the fourth edition of Microsoft Threat Intelligence Cyber Signals published last week. In the latest Microsoft research for phishing protection, Microsoft Threat Intelligence Digital Crimes Unit (DCU) detected and investigated 35 million BEC attempts between April 2022 and April 2023, or 156,000 attacks every day. The FBI Internet Crime Report 2022 also found that BEC attacks were responsible for over $2.7 billion in losses last year alone.

Microsoft saw an increase in both the sophistication of attacks and the tactics used by adversaries in BEC attacks. Cybercrime-as-a-Service organizations enable advanced phishing techniques at scale for bad actors, allowing them to easily circumvent traditional detection methods like “impossible travel” flags and malicious URL detection. 

According to the Microsoft Threat Intelligence Cyber Signals report, BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. The report goes on to explain that, rather than targeting software vulnerabilities, BEC attacks exploit the daily sea of email traffic to lure victims into providing financial information or taking action which unknowingly helps criminals perform fraudulent money transfers. 

Key Findings by Microsoft Threat Intelligence Digital Crimes Unit from April 2022 to April 2023:

•   35 million annual BEC attempts detected and investigated
•  156,000 daily BEC attempts detected and investigated
•   417,678 unique phishing URL takedowns
•   38% increase in Cybercrime-as-a-Service targeting business email [2019 – 2022]
•   BEC threat actors increasingly purchase credentials and local IP addresses from end-to-end Cybercrime-as-a-Service (CaaS) providers to evade traditional detection methods

Top Targets for BEC Attacks:

•   Executives & Senior Leadership
•   Finance Teams & Management
•   HR Staff with access to employee records (i.e. Social Security numbers, Payroll, and other PII)
•   New employees less likely to verify unfamiliar requests via email

Top Trends for BEC Attacks in 2023 (January to April)

•   LURE attacks (Legacy URL Reputation Evasion)
•   Payroll/Invoice attacks
•   Gift Card Requests
•   Business Information Requests

Defending Against BEC Attacks – Microsoft’s Recommendations

The Microsoft Threat Intelligence Cyber Signals report discusses many best practices that organizations can implement in the fight against BEC, but their recommendations can really be boiled down into two key initiatives: 

1.    Enhancing existing defenses through AI-based phishing protection
2.    Training employees to better spot BEC attacks in real-time

Microsoft + Tessian – Better Together

Tessian’s Complete Cloud Email Security Platform is an ICES solution that defends against advanced email threats, protects your most sensitive data from being lost via email, helps security teams respond to email security incidents faster and more efficiently, all while coaching end-users to drive better security decisions in real time. Organizations leveraging Microsoft’s native email security capabilities along with Tessian find the most complete cloud-based AI-driven email security coverage for defending against BEC attacks. 

Aligning with the recommendations in the most recent Microsoft Threat Intelligence Cyber Signals report, Tessian enhances Microsoft’s native email security capabilities by leveraging behavioral based AI detection for more effective prevention against social engineering attacks. Tessian also offers customizable, bespoke in-the-moment security coaching that encourages end-users to take a step back and consider the potential risks and costs associated with successful BEC attacks. 

To learn more about how organizations are pairing Microsoft + Tessian for the most complete email security protection, download our Tessian + Microsoft 365 Solution Guide.