
Business Email Compromise (BEC): One of Your Organization’s Costliest Threats

The latest stats are in: BEC costs to organizations are skyrocketing. In 2016, annual losses from this type of attack came to $360 million; for 2021 they exceeded $2.4 billion. For those without a calculator handy, that is a 566% jump in only 5 years.

According to the FBI’s 2022 Congressional Report on BEC and Real Estate Wire Fraud, BEC is “one of the fastest growing, most financially damaging internet-enabled crimes.”

Let’s broadly define BEC. Basically, it means a bad actor has gained access to an end user’s inbox by some method, such as password guessing or social engineering. That gives them access to email, sensitive data, attachments, possibly passwords to other systems if the user stores them in the inbox, and more. With the right knowledge, it may also let the attacker pull off a fraudulent funds transfer.

You may have noticed that we didn’t mention malware anywhere in that description.

According to the CrowdStrike 2023 Global Threat Report, a whopping 71% of attacks were malware-free in 2022. Instead, as endpoint security solutions and other controls become increasingly robust, attackers are using tried and true methods like password guessing, social engineering, known MFA bypass methods, and more to gain initial access to cloud environments.

If your organization is one of the vast number of Microsoft 365 shops out there, then BEC is not just BEC – it’s potentially everything else too. When you log in to Outlook online, what other applications do you have access to, typically with no further authentication required? Here’s a short list:

  • OneDrive – Surely no sensitive data is being stored here…
  • SharePoint – All the things about your organization
  • MS Teams – Now the bad guys ARE YOU internally via MS Teams
  • Planner – What does their typical day look like? Big social engineering opportunities here
  • Calendar – Similar idea as planner
  • Azure Portal – A bad actor can use this to enumerate all users, groups, devices, etc.


What about the inbox itself? What might be lurking within?


  • VPN configuration file? Sounds like an easy way for internal network access if found.
  • Is the user an admin of anything we can find information on?
  • What cloud subscriptions does this user have assigned? Can they create virtual machines?
  • Is the user a developer? Do they have access to the code base?
  • Does the user have remote access to your clients’ systems? Whoa boy….


As you can see, BEC is not a risk contained within the inbox itself. It is an initial entry point that can lead to complete organizational compromise if the cloud environment is not properly hardened and lacks detective controls that alert on suspicious activity.

So what can you do? Lots of things!

  • Ensure you have multifactor authentication (MFA) enabled EVERYWHERE and utilize a robust single sign-on (SSO) solution.
  • Begin the process of conforming to a security benchmark for your cloud environment, such as the Center for Internet Security (CIS) Microsoft 365 and Azure Foundations Benchmarks.
  • Use Azure AD Password Protection or a similar control to disallow end users from choosing poor passwords.
  • Utilize identity protection controls such as Azure AD Identity Protection, Google Advanced Protection Program, or third-party solutions.
  • Enforce robust conditional access in your environment.
  • Use challenge-based MFA instead of push MFA.
  • Make sure inbound mail is only accepted from your trusted mail gateway (Mimecast or similar).
  • Disable incoming/outgoing messages on MS Teams to/from untrusted orgs.
  • Continue your user awareness training.
  • Make sure your MSSP is not asleep at the wheel!
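The list above is mostly preventive. The detective side deserves a concrete illustration, so here is a small added example (not from the original post, and not any vendor’s tooling) of a triage pass over sign-in events that checks three things this post calls for: successes that were not protected by MFA, successes from a location a conditional access policy should not allow, and one IP failing logins across many accounts, which is what password guessing looks like in the logs. The event shape, the field names, the trusted-country set and the spray thresholds are all assumptions; real Azure AD / Entra sign-in logs carry more fields, but the checks map onto them directly. The sample events are constructed and use documentation IP ranges.

```python
"""Added example: a minimal detective control over sign-in events.

Assumed, simplified event shape (ts, user, ip, result, mfa, country); the
sample data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: int          # seconds since epoch (constructed)
    user: str
    ip: str
    result: str      # "success" or "failure"
    mfa: bool        # True if a second factor was satisfied
    country: str     # country code from IP geolocation (assumed field)


# Assumption: conditional access only permits sign-ins from these countries.
TRUSTED_COUNTRIES = {"US"}
SPRAY_THRESHOLD = 5   # distinct users failing from one IP inside the window
SPRAY_WINDOW = 600    # seconds


def single_factor_successes(events):
    """Successful sign-ins that were not protected by MFA."""
    return [e for e in events if e.result == "success" and not e.mfa]


def untrusted_location_successes(events):
    """Successful sign-ins from outside the allowed countries."""
    return [e for e in events
            if e.result == "success" and e.country not in TRUSTED_COUNTRIES]


def password_spray_sources(events):
    """IPs whose failures span many distinct users within SPRAY_WINDOW seconds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "failure":
            by_ip[e.ip].append(e)
    flagged = set()
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # slide the window forward until it spans at most SPRAY_WINDOW seconds
            while fails[end].ts - fails[start].ts > SPRAY_WINDOW:
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) >= SPRAY_THRESHOLD:
                flagged.add(ip)
                break
    return flagged


def triage(events):
    """Summarise the three findings as sorted lists for a report or alert."""
    return {
        "single_factor": sorted({e.user for e in single_factor_successes(events)}),
        "untrusted_location": sorted({e.user for e in untrusted_location_successes(events)}),
        "spray_sources": sorted(password_spray_sources(events)),
    }


# Constructed sample: one clean sign-in, one single-factor success, one success
# from an unexpected country, a user who mistyped twice then succeeded with MFA,
# and one IP failing against eight different accounts in under a minute.
SAMPLE_EVENTS = [
    SignIn(1000, "alice@example.com", "203.0.113.10", "success", True, "US"),
    SignIn(1010, "bob@example.com", "198.51.100.7", "success", False, "US"),
    SignIn(1020, "carol@example.com", "203.0.113.99", "success", True, "ZZ"),
    SignIn(1030, "dave@example.com", "203.0.113.12", "failure", False, "US"),
    SignIn(1040, "dave@example.com", "203.0.113.12", "failure", False, "US"),
    SignIn(1050, "dave@example.com", "203.0.113.12", "success", True, "US"),
] + [
    SignIn(2000 + i * 5, f"user{i}@example.com", "192.0.2.44", "failure", False, "US")
    for i in range(8)
]

if __name__ == "__main__":
    for finding, items in triage(SAMPLE_EVENTS).items():
        print(f"{finding}: {items}")
```

Two design points: dave’s two failures do not trip the spray check because the detector counts distinct users per source, not raw failures, which keeps ordinary typos out of the alert queue; and the single-factor check is worth running even after you believe MFA is enforced everywhere, because it is exactly the control that tells you when a legacy protocol or an exclusion has let something through.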


BEC is scary, but there are many things you can do to protect yourself from it and its costly knock-on effects. Just as in an on-premises environment, defense in depth is your best friend in the cloud too. Don’t become an FBI statistic! Take actionable, proven measures to harden your environment now.