This article contains information on Business Email Compromise (BEC), including attack themes, Mimecast detection methods, policy configuration, and sensitivity settings to protect against BEC threats.
What is BEC?
Business Email Compromise (BEC) is a highly targeted form of spear phishing, where attackers aim to deceive employees into taking harmful actions. These attacks can have devastating financial consequences for businesses, resulting in billions of dollars in losses each year. Business Email Compromise attacks rely heavily on impersonation and social engineering, exploiting trusted relationships and using emotional manipulation to pressure victims into compliance. The primary motive behind Business Email Compromise attacks is often financial gain, with attackers attempting to modify payroll information, request wire transfers, access cryptocurrency wallets, or send fraudulent invoices. However, they may also aim for data theft and other malicious objectives.
BEC Attack Themes:
- Financial Gain:
- Data Theft:
- General Themes:
BEC Attack Techniques:
- Psychological Manipulation in BEC:
What to expect when Mimecast flags an email as a BEC attack
For a more detailed understanding of what to expect when Mimecast flags an email as a BEC attack, see Reporting Spam Malware and Phishing.
Prerequisites
- To configure Business Email Compromise, there must be an active CyberGraph policy configured, whether the Dynamic Banner Status is in Learning Mode or Enabled.
- A CyberGraph policy must be implemented to enable Advanced Business Email Compromise (BEC) protection. This policy leverages sophisticated natural language processing algorithms to analyze and safeguard email communications, enhancing the organization's defense against complex email-based threats.
- The CyberGraph policy can be found on the Mimecast Administration Console, by navigating to Services | CyberGraph Policies. To create a new CyberGraph policy, see CyberGraph 2.0 - Overview for more information.
- Cloud Gateway includes an Advanced BEC Protection Policy that requires configuration alongside CyberGraph 2.0 Policy.
Detection Sensitivity Settings
- Aggressive: triggers on Moderate, High or Very High confidence (warning: may produce more false positives).
- Moderate: triggers on High or Very High confidence.
- Relaxed: triggers on Very High confidence only (fewer false positives).
Enable CyberGraph Policy
Advanced BEC Protection utilizes the CyberGraph feature.
See Policy Configuration for more information on CyberGraph policies.
You can configure the required CyberGraph policy by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | CyberGraph Policies.
- Create or Edit Existing Policy | Set to Learning Mode or Enabled.
- Ensure that Applies To is scoped to the desired users.
Creating an Advanced BEC Protection Policy
You can create an Advanced BEC Protection policy by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Advanced BEC Protection Policies.
- Select Create a New Policy.
- Add Name | Description (Optional) | Ensure Activate Policy is enabled or disabled.
- Select Detection Sensitivity Settings:
  - Relaxed: This setting is for organizations with a higher risk tolerance and may lower the number of BEC false positives.
  - Moderate: This setting provides a balance between protection and the chance of false positives occurring. This is the recommended setting for most customers.
  - Aggressive: This setting offers the highest level of protection from BEC emails, but may result in more false positives.
- Complete the Actions section as required:
  - Hold: The message is retained by Mimecast and accessible only by an administrator through the Mimecast Administration Console.
  - Reject: The email is bounced by Mimecast and the user does not receive it.
  - No Action: Intended as a bypass option.
  - Monitor: Mimecast scans for and detects potential BEC threats, but no action is taken; detections only appear within the Mimecast Administration Console.
- Complete the Notification (Optional) section as required:
  - Group: If enabled, a notification is sent to the selected group of users regarding the message that triggered this policy.
  - Internal Recipient: If enabled, a notification is sent to the recipient of the message that triggered this policy.
- Select who the policy applies to:
  - Everyone.
  - Email Domain.
  - Address Group: Directory Group or Local (Profile) Group.
  - Individual Email Address.
  - (Optional) Show Advanced Options: IP Ranges.
- Click Create Policy at the top to confirm and create the policy.
- Complete the Select Who the Policy Applies To section as required:
  Allow Policy Override: This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first, unless more specific policies of the same type are configured with an override.
  Applies From:
  - Everyone: This enables you to apply the policy to everyone.
  - Email Domain: This enables you to specify one or more domain names to which the policy is applied.
  - Address Groups: You can specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button.
  - Individual Email Address: This allows you to enter the required email address if selected.
  Applies To:
  - Everyone: This enables you to apply the policy to everyone.
  - Email Domain: This enables you to specify one or more domain names to which the policy is applied.
  - Address Groups: You can specify a predefined directory or group. If selected, the "Profile Group" field allows you to select the required group by clicking the "Lookup" button.
  - Individual Email Address: This allows you to enter the required email address if selected.
  Show Advanced Options: Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
- Click Create Policy.
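The scope rules in the section above (Everyone, Email Domain, Address Group, Individual Email Address, plus an optional Source IP Range in CIDR notation) modelled as an added example. This is not Mimecast's code or API; the BecPolicy class, the policy names and the RFC 5737 documentation addresses are constructed for illustration, and an address-group member list is assumed to be a set of full addresses.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class BecPolicy:
    """One Advanced BEC Protection policy's scope (hypothetical model, not Mimecast's API)."""
    name: str
    applies_to_kind: str                  # "everyone", "domain", "group" or "address"
    applies_to: set = field(default_factory=set)   # domains, group members or addresses
    source_ip_ranges: list = field(default_factory=list)  # optional CIDR strings

def recipient_in_scope(policy: BecPolicy, recipient: str) -> bool:
    """Applies To check: Everyone, Email Domain, Address Group or Individual Email Address."""
    if policy.applies_to_kind == "everyone":
        return True
    if policy.applies_to_kind == "domain":
        return recipient.rsplit("@", 1)[-1].lower() in policy.applies_to
    # Address Group members and Individual Email Address are both stored as full addresses
    return recipient.lower() in policy.applies_to

def source_ip_in_scope(policy: BecPolicy, source_ip: str) -> bool:
    """Show Advanced Options: Source IP Ranges only restrict the policy when configured."""
    if not policy.source_ip_ranges:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in policy.source_ip_ranges)

def applicable_policies(policies, recipient: str, source_ip: str) -> list:
    """Names of every policy whose Applies To scope and IP range match this message."""
    return [p.name for p in policies
            if recipient_in_scope(p, recipient) and source_ip_in_scope(p, source_ip)]

# Constructed policies using documentation (RFC 5737) addresses, not a real tenant.
POLICIES = [
    BecPolicy("finance-aggressive", "group", {"cfo@example.com", "ap@example.com"}),
    BecPolicy("support-no-action", "address", {"support@example.com"}),
    BecPolicy("relay-only", "domain", {"example.com"}, ["203.0.113.0/24"]),
    BecPolicy("default-moderate", "everyone"),
]

if __name__ == "__main__":
    print(applicable_policies(POLICIES, "CFO@example.com", "198.51.100.7"))
    print(applicable_policies(POLICIES, "cfo@example.com", "203.0.113.9"))
```

Which of the matching policies is applied first is decided by the policy order and the Allow Policy Override setting described above; this example only lists the candidates.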
Detection Sensitivity Modeling
Detection Sensitivity Modeling enables you to evaluate the effects of sensitivity settings on detection volumes, by analyzing the performance of different sensitivity configurations. This feature offers valuable insights into how the current policy impacts both senders and recipients at each sensitivity level, allowing for a more informed understanding of detection dynamics and potential threat responses.
You can access and review the sensitivity settings for an Advanced BEC policy by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Advanced BEC Protection Policies.
- Select the Policy you wish to investigate, then click on Edit from the More options "..." menu.
- Details for the selected Policy are displayed, including the Policy Name and Detection Sensitivity details.
- Scroll down to the Detection Sensitivity Modeling section. Here you will see the number of messages that would be actioned at each detection sensitivity setting, giving you a high-level view of the impact of implementing or adjusting a particular Policy.
- Click Find out More to review whether the policy is negatively affecting specific users, e.g. senders or recipients frequently flagged as false positives. Policy Performance Data is displayed, and you can switch the view between Sender Impacts and Recipient Impacts.
- Review the historical data to understand how different sensitivity settings would have affected message detection over the last 30 days:
  - Identify patterns and determine the adjustments needed to minimize disruption.
  - Identify specific senders or recipients that are frequently flagged as false positives.
- Take steps to identify and exclude safe addresses / domains. By optimizing the detection pipeline to focus on genuine threats, the system can more effectively identify and mitigate Advanced BEC attacks:
  - Ensure the detection pipeline focuses on actual threats by excluding safe addresses / domains from processing.
  - Based on the identified false positives, set your Advanced BEC Protection policies to No Action to exclude them from unnecessary processing, or set them to Hold or Monitor with a lower detection sensitivity to maintain some level of detection or monitoring. See No Action Policies for further information on setup.
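The Detection Sensitivity Settings and the Detection Sensitivity Modeling review above, reproduced as an added example over constructed detection data (this is not Mimecast's code and does not reflect how the console computes its figures). It assumes the three sensitivity thresholds exactly as stated in this article, an assumed "low" level for anything below Moderate confidence, and that a recipient covered by a No Action policy is never actioned.

```python
from collections import Counter
from dataclasses import dataclass

# Confidence levels and thresholds as the article states them: Aggressive triggers on
# Moderate/High/Very High, Moderate on High/Very High, Relaxed on Very High only.
# "low" is an assumed name for anything below Moderate.
CONFIDENCE_RANK = {"low": 0, "moderate": 1, "high": 2, "very_high": 3}
SENSITIVITY_MIN = {"aggressive": 1, "moderate": 2, "relaxed": 3}

@dataclass(frozen=True)
class Detection:
    sender: str
    recipient: str
    confidence: str   # one of the CONFIDENCE_RANK keys

def triggers(sensitivity: str, confidence: str) -> bool:
    """True if a message of this confidence would be actioned at this sensitivity."""
    return CONFIDENCE_RANK[confidence] >= SENSITIVITY_MIN[sensitivity]

def model_volumes(detections, bypass=frozenset()) -> dict:
    """Messages actioned at each sensitivity, as the Detection Sensitivity Modeling
    panel reports them. Recipients in `bypass` have a No Action policy and are skipped."""
    return {s: sum(1 for d in detections
                   if d.recipient not in bypass and triggers(s, d.confidence))
            for s in SENSITIVITY_MIN}

def sender_impacts(detections, sensitivity: str, bypass=frozenset()) -> list:
    """Sender Impacts view: per-sender count of actioned messages, most frequent first.
    A sender that dominates at Aggressive but vanishes at Moderate is a false-positive lead."""
    hits = Counter(d.sender for d in detections
                   if d.recipient not in bypass and triggers(sensitivity, d.confidence))
    return hits.most_common()

# Constructed sample detections over a modeling window (hypothetical addresses).
SAMPLE = [
    Detection("vendor@example.net", "cfo@example.com", "very_high"),
    Detection("vendor@example.net", "ap@example.com", "high"),
    Detection("noreply@crm.example.net", "support@example.com", "moderate"),
    Detection("noreply@crm.example.net", "support@example.com", "moderate"),
    Detection("noreply@crm.example.net", "support@example.com", "high"),
    Detection("partner@example.org", "ceo@example.com", "high"),
    Detection("newsletter@example.org", "sales@example.com", "low"),
]

if __name__ == "__main__":
    print(model_volumes(SAMPLE))                                # all recipients in scope
    print(model_volumes(SAMPLE, bypass={"support@example.com"}))  # high-volume inbox bypassed
    print(sender_impacts(SAMPLE, "aggressive"))
```

In the sample, the CRM sender drives half of the Aggressive volume through the shared support inbox, which is exactly the pattern the Sender Impacts view is meant to surface before that inbox is given a No Action policy.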
Adjusting Detection Sensitivity
Detection Sensitivity can be adjusted to accommodate the unique risk profiles of your organization. This allows you to tailor detection settings for specific groups or users, balancing stricter rules for sensitive areas with relaxed policies for lower-risk systems, for example:
- For high-risk users, such as executives or finance teams, consider increasing sensitivity to aggressive settings. This provides additional scrutiny for potentially harmful messages.
- Conversely, for automated systems or users prone to false positives, relaxed sensitivity can reduce unnecessary alerts while maintaining adequate protection.
Historical data from the Detection Sensitivity Modeling will help you identify where these adjustments are needed, ensuring your policies align with organizational risks.
High-Volume Inbox Considerations
Inboxes with high email volumes, such as those used by automated systems or customer service platforms, are often less likely to be genuine Advanced BEC threat vectors. Configuring No Action policies for these inboxes can help reduce unnecessary alerts without compromising security.
Examples of high-volume inboxes might include:
- CRM tools that process every incoming message, or
- Shared mailboxes, such as customer service or support addresses, where messages are automatically routed for processing.
Some key characteristics to keep in mind are that:
- These inboxes rarely interact with high-risk entities, like C-level executives, or finance teams.
- Messages sent to these addresses are typically transactional and low risk (e.g. order confirmations or service notifications).
Assessing Threat Likelihood
To decide whether a high-volume inbox should be bypassed, ask yourself these questions:
- Is this inbox ever used for sensitive communications? For instance, would a CFO or CEO ever email this address with critical instructions?
- Could a message sent to this inbox ever resemble an Advanced BEC threat? For example:
- Would anyone believe a fake request for an invoice or gift card purchase if sent to this inbox?
- Is there any scenario where fraudulent activity targeting this inbox would cause harm?
In many cases, the answers will indicate that bypassing these inboxes poses minimal risk.
To configure these settings, add high-volume inbox addresses to the relevant bypass group. Alternatively, adjust the detection sensitivity for these addresses to reduce false positives, while keeping some level of monitoring. By doing so, you can ensure that these inboxes are handled efficiently without compromising the integrity of your security policies.