Email Security

    Anatomy of a Sustained BEC Attack on Microsoft 365 Users

    Cyberattackers lurked in victims’ Microsoft 365 email accounts for months, first to divert $15 million, and then to prevent detection of their email compromise.

    by Megan Doyle

    Key Points

    • A recent global business email compromise campaign, now under investigation by the FBI, diverted at least $15 million and may have targeted 150 or more companies.
    • Attackers monitored and manipulated their victims’ Microsoft 365 accounts, using forwarding and filtering rules to spy on all email communications, then intercept and impersonate payment-related emails.
    • Strong security controls and better business processes would likely have made this attack preventable.


    A long-term, sustained business email compromise (BEC) attack against approximately 150 different companies netted at least $15 million for the cybercriminal group — or groups — who perpetrated it before being discovered, according to Mitiga, the Israeli cybersecurity firm who first investigated the incident. Incredibly, the attack — which is now being investigated by the FBI — involved no malware and exploited no vulnerabilities of Microsoft 365, despite exclusively targeting users of that platform.

    In fact, the cybercriminals themselves used Microsoft 365 for their own email infrastructure, probably because it reduced “the likelihood of triggering malicious detection filtering,” according to a post by Andrey Shomer, head of research at Mitiga.[1]

    Overview of the $15 Million Business Email Compromise Attack

    This BEC campaign was technologically simple. While it’s not known how the cybercriminals compromised the users’ credentials, once they did, the criminals:

    • Set up forwarding rules that sent all incoming and outgoing mail to the criminals’ own accounts.
    • Then monitored email communications for months, waiting for opportunities to intercept payment-related correspondence.
    • Replaced legitimate payment-related emails with fake messages containing their own bank account information.
    • Then continued intercepting emails that could have led to detection until they were able to move the money to thus far untraceable accounts.

    BEC attacks can usually be prevented with security controls like two-factor authentication and regular password update requirements, or with business processes that require payment approvals by multiple different managers before executing. And yet, failure to take such precautions cost U.S. businesses over $1.7 billion in BEC losses in 2019 — four times larger than any other category of cybercrime, according to the FBI.[2]

    The rest of this post delves into the details of how this BEC scheme was reportedly carried out — and what you can do to make sure your business isn’t similarly victimized.

    BEC Victims Varied Across Industries

    The attack targeted a broad stroke of industries, including companies in law, finance, retail, construction and more. The common thread? All victims of the BEC campaign used Microsoft 365. In addition, it’s likely that each victim routinely conducted a large volume of transactions with third parties.

    Regarding how the cybercriminals got hold of user credentials in the first place, “The current belief is that that they may have purchased credentials on the ‘black market’ from perpetrators of past data breaches,” said Meni Farjon, Chief Scientist of Advanced Threat Detection at Mimecast. “No additional information has been made available since the FBI took over the investigation,” he added.

    But why Microsoft 365? According to Mitiga, using Microsoft 365 can generate credibility from user to user, thereby improving the likelihood of a successful attack. In other words, if the attacker and victim are both using the same technology stack, it’s less likely suspicious discrepancies will be detected, and less likely malicious emails will be automatically blacklisted. Of course, Microsoft 365 also is ubiquitous — and the starting point for 94% of all cyberattacks.[3]

    How can you protect your organization from email compromise when any bad actor can simply buy your users’ credentials? Farjon and Mitiga recommend:

    • Always use two-factor authentication (2FA). 2FA can help prevent bad actors from accessing your employees’ accounts remotely.
    • Enforce regular password updates to reduce the likelihood stolen credentials remain useful.
    • Log and retain any changes to mailbox settings and login info for at least 90 days.
    • Ensure suspicious activity alerts are enabled, such as foreign logins or remote access from new devices or locations.
    • Routinely analyze server logs for abnormal email access.

    Attackers Monitored and Manipulated Email Traffic for Several Months

    Once the cybercriminals gained access to the victims’ Microsoft 365 accounts, they surreptitiously created email forwarding and filtering rules instead of locking users out of the accounts or taking over the accounts to send illegitimate emails.

    The forwarding rule was used to automatically send all emails to the attacker’s external inbox, allowing them to spy on all email exchanges. For months they were able to analyze the relationships between the attack victim and third parties like partners and suppliers, making it possible to find the perfect moment to strike. Meanwhile, certain sensitive communications — like legitimate invoices or concerns about missing payments — were filtered to a concealed folder so the victim wouldn’t see them. This way, when a legitimate sender sent in a request for payment, it’d be hidden from the victim, and the attacker could impersonate a senior executive to create an altered wire transfer request.

    The forwarding and filtering rules also helped the attackers secure their position. Even if the victim changed their password and the attacker lost access to the account, they’d still receive forwarded emails (as long as the forwarding rule went undetected), while legitimate emails were filtered out of the victim’s sight, reducing suspicion.

    Protection against these techniques should include:

    • Routinely searching for hidden folders and filtering rules within inbox settings.
    • Establishing rules to prevent mass forwarding of emails to addresses outside of your organization.
    • Blocking legacy email protocols like IMAP, POP and SMPT1. They can be used to forward emails and successfully circumvent multifactor authentication.
    • Routinely examining forwarding rules in all email accounts.
    • Fortifying cloud systems with an email security solution that has active detection capabilities to identify anomalies and potentially compromising materials.

    Threat Actors Used Spoofed Domains and MS 365 Accounts to Avoid Detection

    Once the attackers knew which third party senior executives to impersonate based on their long-term reconnaissance, they used spoofed domains connected with their own Microsoft 365 subscriptions in order to imitate real businesses and send seemingly legitimate requests for payment — but with altered bank account details. Victims were then tricked into sending funds to rogue bank accounts. All emails sent and received by attackers were from a Microsoft 365 IP address, allowing the attackers to blend into a legitimate infrastructure.

    These spoofed domains relied on homographic techniques that made them harder to distinguish from legitimate domains. For example, to impersonate they might have used domains such as or (but to be clear, Mimecast was not a victim of this attack). Over 150 spoofed domains were identified, all of which were connected to one of 15 different Microsoft 365 accounts.

    The BEC attack was only detected after one wire payment was executed and the funds failed to reach the seller’s bank account.

    To protect against these email compromise techniques:

    • Offer engaging security awareness training at regular intervals. Teach your employees to detect red flags like spoofed email addresses and different payment information than usual.
    • Establish verification procedures for any time money is sent or received. Phone authentication, in addition to email, can add a second line of defense — though it, too, is imperfect given the rising cyberthreat from “deep fake” technology.
    • Consider using an email security solution that includes sophisticated algorithms that can detect impersonations, malicious emails and other anomalies.

    The Bottom Line

    Recent business email compromise attacks may have affected as many as 150 companies, with estimated losses reaching about $15 million so far. Cybercriminals leveraged poor business processes and human error, but apparently no software vulnerabilities. They also leveraged the inherent trust of communicating via Microsoft 365’s network to help spoofed emails go undetected and fool victims into transferring large sums of money into criminal bank accounts. Such BEC attacks can usually be defeated through a combination of good business process, effective cybersecurity controls and a top-notch secure email gateway.


    [1]Mitiga is Cooperating with Law Enforcement on a Global Business Email Compromise (BEC) Campaign that Has Netted Over $15M.,” Medium

    [2]2019 Internet Crime Report Released,”

    [3]2019 Data Breach Investigations Report,” Verizon


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page