How to avoid business email compromise attacks

08 January 2019

Special feature from Chris Salsberry, Senior Director at The Crypsis Group, JLT’s Cyber Consortium Partner.

Since becoming available in 2011, the Microsoft Office 365 subscription cloud service has seen tremendous adoption, with commercial users now numbering more than 135 million.

While it is clearly a viable business solution, when it comes to security, Office 365 requires some vigilance on the part of network administrators to ensure that attackers don’t penetrate the business email system and create all sorts of mayhem.

The good news is that there are steps organisations can take to bolster their defences against threat actors who see Office 365 as a prime opportunity to ply their trade.


While the deployment of Office 365 business email systems has been steadily increasing, so have the efforts to compromise these accounts. Attackers have developed increasingly sophisticated methods to launch what is known as Business Email Compromise, or BEC, whereby they deceive users into giving up sensitive financial information that they can then exploit for financial theft and fraud, amongst other things.

At the heart of these scams is a new and improved version of phishing. Phishing, of course, has been around for years, and for most people a typical phishing email was pretty easy to spot. Misspellings, ridiculous requests, and dodgy attachments usually raised red flags.

However, the construction of phishing scams is more of an art than a science. In addition to finding opportunities to penetrate Office 365 business email platforms, attackers are also upping their game when it comes to creating more carefully crafted and individually targeted approaches – making the emails more likely to gain the trust of even the most careful email recipients.

In our experience, we find that criminals typically begin their attacks by using their improved phishing skills to steal login credentials to gain access to the Office 365 email system of an enterprise. One way they do this is by steering victims toward professional looking credential harvesting sites that ask for their login and password.

Once they gain the credentials to enter a particular business email system, the criminals will often lay low for a period of time and actively search through a victim’s mailbox, looking for emails that involve financial transactions, and prompt other users (from within the network) to turn over their credentials.

In addition, they will often create mail rules to forward messages externally or to disguise what they are doing. We have also seen instances where the attackers will set up rules that divert incoming messages, relevant to the fraud or other select conversations, to folders that the authorised user does not typically check, such as RSS Feeds, or Trash.

Further to this, by doing a little research within the email account they’ve compromised, the attackers will develop the ability to mimic the way that specific users communicate – and with that they can exploit the relationship of trust that the organisation and its employees have built with each other and with clients and vendors.

Some attackers will even engage in back-and-forth conversations with unsuspecting co-workers of the victim, with victims assuming they are communicating with someone they know and have dealt with before. A scenario that we routinely see is an employee receiving a fraudulent email from someone purporting to be the firm’s office administrator. The email will request that a wire transfer be sent to a person outside of the office.

When the employee becomes suspicious and tries to verify the request through another colleague, the scammer will continue to intervene in the email thread in an attempt to verify that the request is legitimate. In some cases, the attackers are successful in convincing the victim that the email is authentic, causing the targeted organisation to lose money that is often largely unrecoverable, depending on the length of time that has passed.



There are a number of steps network administrators can take to blunt these types of attacks – and the solutions are relatively straightforward and accessible.

First and foremost, there is one step that can go a long way toward protecting your email network, and that is to implement multifactor authentication (MFA) for accessing the network.

Microsoft provides details on how to do this for Office 365, as well as other ready-to-use tools to help manage the Office 365 environment and strengthen defences against BEC, including built-in logging and reporting functionality to help monitor the security of user accounts.
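As an added illustration, not code from the original article, the following Python reviews newly created inbox rules, in the shape they appear in Office 365's built-in audit logging, for the tradecraft described earlier: forwarding mail to external addresses, diverting messages to folders such as RSS Feeds or Trash, and deleting matches. The event field names and the sample records are constructed assumptions, and the internal domain list is a placeholder.

```python
# Constructed sample events in the shape of Office 365 Unified Audit Log
# "New-InboxRule" records (field names Operation/UserId/Parameters are assumed).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "ForwardTo", "Value": "drop@mail-relay.example"}]},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "Parameters": [
        {"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "SubjectContainsWords", "Value": "wire;invoice;payment"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "UserLoggedIn", "UserId": "hr@example.com", "Parameters": []},
]

INTERNAL_DOMAINS = {"example.com"}          # placeholder: your organisation's own domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "trash", "junk email"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_WORDS = ("wire", "invoice", "payment", "bank", "remit")

def is_external(addr):
    return addr.strip().lower().split("@")[-1] not in INTERNAL_DOMAINS   # domain not ours

def assess_rule(event):
    """Return the reasons a New-InboxRule event matches the BEC behaviours described above."""
    if event.get("Operation") != "New-InboxRule":
        return []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    reasons = []
    for key in FORWARD_PARAMS:                     # forwarding or redirecting mail outside
        targets = [t for t in params.get(key, "").replace(";", ",").split(",") if t.strip()]
        if any(is_external(t) for t in targets):
            reasons.append(f"{key} to external address")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:   # hiding mail in unchecked folders
        reasons.append(f"moves mail to rarely checked folder '{params['MoveToFolder']}'")
    if params.get("DeleteMessage", "").lower() == "true":          # silently discarding replies
        reasons.append("deletes matching mail")
    if any(w in params.get("SubjectContainsWords", "").lower() for w in FINANCE_WORDS):
        reasons.append("filters on financial keywords")
    return reasons

def find_suspicious_rules(events):
    """Map each mailbox owner to the reasons their new rule was flagged."""
    hits = {}
    for event in events:
        reasons = assess_rule(event)
        if reasons:
            hits.setdefault(event["UserId"], []).extend(reasons)
    return hits
```

Feeding real audit export records into find_suspicious_rules gives a shortlist of mailboxes whose new rules warrant a check with the account owner.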

While the convenience of cloud-based services is undeniable, the need to secure these services is imperative to defending against attackers seeking to access your environment. Fortunately, effective measures, while not necessarily simple, are not excessively difficult or burdensome to implement, and they certainly pale in comparison with the pain that BEC could bring to your organisation.


For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.