Skip to main content


{Threat Advisory} Business Email Compromise

We are in the middle of business email compromise (BEC) season and there is a new tactic that is currently running rampant. Most organizations are only noticing it after they see:

  • A mass of emails being sent from a user’s email box
  • They are alerted by a vendor that their website has a fake
  • They detect a new rule added to a user’s email box


Who Can Be Affected?

Currently, we are seeing this attack mainly in the financial sector with banks, credit unions, title companies, loan originators, and financial people in other verticals. Although, any company that uses email can be affected.


How Does This Attack Work?

This attack is similar to previous BECs with some key differences. The attackers scrape the website of the victim’s company to gain trust for downstream compromises. We can tell their volume with these compromises is high, not only because we have been seeing a lot of them, but also because the attackers have an autologin app they’ve created that tests the login from various US and Canada hosting resources. We assume this is an automated login to see if the account is still compromised. It might be several days later, but a live attacker then logs in from a foreign IP and goes to work.

The process is:

  1. It is spread by the victim’s email account, via the attacker, once a new email account has been compromised.
  2. Victim gets an email that is from an account they are used to working with.
  3. Email has a link to, what looks like, the sender’s company website for an encrypted document.


BEC Email

  1. The victim clicks the link and is asked for creds to read encrypted attachment.

BEC Email 2

  1. Once creds are given the attacker eventually logs into the victim’s email by either noon victim’s time, or 5 PM victim’s time
  2. Attacker will search for financial data in email and attachments
  3. Once financial data is found, the attacker opens Teams session to transfer it to their own data stores


Various Logins

  1. Finally, the attacker scrapes the email for logs and active link opportunities.
  2. Creates a believable website on the attacker’s own resources sometimes inside the US.
  3. Uses a script to harvest contacts from the victim.
  4. Propagates the attack to harvested contacts.
  5. Starts all over at a new org.


Email Cycle


What Can You Do?


Incident Response Assistance: If your organization needs immediate assistance with an active incident or security breach situation, call 605-923-8722 to speak to our Incident Response Team. 


Written by: 
Buzz Hillestad, GCFE
SVP - Information Security Consultant - SBS CyberSecurity, LLC

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, October 28, 2020
Categories: Blog