BEC scams are on the rise. Over the last several months, our system has been identifying BEC attacks against our clients on an hourly basis. In this blog we see that attackers are now going beyond spoofing known software vendors like Microsoft by even going after the domains of known email security vendors.

The BEC scam described below is comprised of two layers: spoofing the user’s email address and a phishing attempt to capture Office 365 log-in credentials.

How We Identified this BEC Scam that Leverages Email Spoofing

Perception Point intercepted a Microsoft phishing attempt which was also concealed by spoofing, a BEC-oriented attack. The spoofed address and the cover email were related to Mimecast, a well-known email security vendor. This example is only one of many Mimecast related BEC scams we’ve seen targeting our customers and their key employees.

As you can see, the email was sent from a fake “postmaster” address. The attacker changed the display name, hoping the victim will click the “Personal Portal” link. Once the user clicks on the URL, a Microsoft log-in page appears.

Perception Point intercepted this BEC scam with two detection engines. First, the business email compromise engines identified the attempt to spoof the domain name. Second, the Perception Point propriety image recognition engine detected the attempt to steal the credentials of the end user.

Recommendations for protecting against an BEC Scams:

  1. Employ multiple layers of detection: in this example, the attack was detected by two different layers, both acting as fail-safe mechanisms to one another.
  2. Train your employees to be aware of key attack techniques, including domain spoofing and BEC Scam techniques.
  3. Remember that phishing comes in many shapes (e.g. different phished domains, different text) and sizes (spear phishing or mass campaigns). You need to utilize a system that can detect all types of BEC scams (impersonation-based attacks).

Learn more about Perception Point’s BEC detection here.