Two Months Undetected: A BEC Scheme Lurking in Plain Sight
Lessons from a Cyber Threat Defense Manager
After what seemed like weeks of non-stop meetings, early mornings, late nights, and no shortage of investigations, today was supposed to be a quiet day to catch up on email and get some much-needed tasks started… I should’ve known that wouldn’t pan out as I expected.
I had been running some errands, taking advantage of the open morning schedule to get a few personal things done (perks of a flexible work-from-home culture), when I received a message from a member of my team. We’d received a report from an employee that they’d learned of a business email compromise (BEC) situation involving a partner organization.
With the email threads provided to us, we were able to quickly ascertain that yes, our employees had been unknowingly communicating with a threat actor via a compromised email account.
The kicker? The account compromise had occurred in late January!
While the correspondence from the threat actor was sophisticated, a few red flags were missed:
- The threat actor injected themselves into an existing email thread, but changed the Subject on their reply; this is a technique used alongside mailbox rule creation, where the individual creates rules…
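Both red flags in that bullet are detectable after the fact. The following Python is an added example written for this page, not the author's own tooling: it flags newly created inbox rules that hide mail (delete, or move to a folder nobody reads) or stack several weak indicators, and it walks an email thread by In-Reply-To to find replies whose subject no longer matches the message they answer. The audit records are constructed and only shaped after Microsoft 365 Unified Audit Log New-InboxRule events (an assumption about the schema); the three-message thread is likewise constructed.

```python
import email
import re
from email import policy

# Constructed audit records. Field names follow the shape of Microsoft 365
# Unified Audit Log "New-InboxRule" events (assumption); every value is invented.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@partner.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@partner.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "hide"},
                    {"Name": "FromAddressContainsWords", "Value": "ourcompany.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jane.doe@partner.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Folders attackers use to park hidden mail, and keywords that point at payment
# traffic. Both lists are starting points to tune per environment.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach", "swift"}
KEYWORD_PARAMS = ("subjectcontainswords", "subjectorbodycontainswords", "bodycontainswords")


def rule_parameters(record):
    """Flatten the Parameters list into a lower-cased name -> value map."""
    return {p["Name"].lower(): str(p["Value"]) for p in record.get("Parameters", [])}


def rule_indicators(record):
    """Return (hides_mail, reasons) for one New-InboxRule record."""
    p = rule_parameters(record)
    reasons = []
    deletes = p.get("deletemessage", "").lower() == "true"
    parks = p.get("movetofolder", "").lower() in HIDING_FOLDERS
    if deletes:
        reasons.append("deletes matching mail")
    if parks:
        reasons.append("moves matching mail to %r" % p["movetofolder"])
    if p.get("markasread", "").lower() == "true":
        reasons.append("marks matching mail as read")
    words = {w.strip().lower() for k in KEYWORD_PARAMS
             for w in p.get(k, "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        reasons.append("matches finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
    if len(p.get("name", "").strip(". ")) <= 1:  # "." or "" is a classic attacker rule name
        reasons.append("near-empty rule name %r" % p.get("name", ""))
    return deletes or parks, reasons


def suspicious_rules(records):
    """Flag a rule when it hides mail outright, or stacks two or more indicators."""
    hits = []
    for r in records:
        if r.get("Operation") != "New-InboxRule":
            continue
        hides, reasons = rule_indicators(r)
        if hides or len(reasons) >= 2:
            hits.append((r["UserId"], r.get("ClientIP"), rule_parameters(r).get("name"), reasons))
    return hits


# Constructed thread: the third message keeps the In-Reply-To chain but drops the
# original subject, the red flag described in the post.
SAMPLE_THREAD = [
    b"Message-ID: <1@ourcompany.example>\r\nFrom: ap@ourcompany.example\r\n"
    b"To: clerk@partner.example\r\nSubject: PO 4471 - March delivery\r\n\r\nPlease confirm.\r\n",
    b"Message-ID: <2@partner.example>\r\nIn-Reply-To: <1@ourcompany.example>\r\n"
    b"From: clerk@partner.example\r\nTo: ap@ourcompany.example\r\n"
    b"Subject: Re: PO 4471 - March delivery\r\n\r\nConfirmed for the 14th.\r\n",
    b"Message-ID: <3@partner.example>\r\nIn-Reply-To: <2@partner.example>\r\n"
    b"From: clerk@partner.example\r\nTo: ap@ourcompany.example\r\n"
    b"Subject: Updated remittance instructions\r\n\r\nPlease see the attached.\r\n",
]
PREFIX_RE = re.compile(r"^\s*((re|fw|fwd|aw|sv)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject):
    """Strip reply/forward prefixes and case so 'RE: Re: X' compares equal to 'X'."""
    return PREFIX_RE.sub("", subject or "").strip().lower()


def subject_changes(raw_messages):
    """Return (message_id, parent_subject, new_subject) for each reply whose
    subject no longer matches the message it answers, linked via In-Reply-To."""
    msgs = [email.message_from_bytes(m, policy=policy.default) for m in raw_messages]
    by_id = {str(m["Message-ID"]).strip(): m for m in msgs if m["Message-ID"]}
    findings = []
    for m in msgs:
        parent = by_id.get(str(m["In-Reply-To"]).strip()) if m["In-Reply-To"] else None
        if parent is None:
            continue
        old, new = str(parent["Subject"]), str(m["Subject"])
        if normalize_subject(old) != normalize_subject(new):
            findings.append((str(m["Message-ID"]).strip(), old, new))
    return findings
```

Run `suspicious_rules(SAMPLE_AUDIT_RECORDS)` and the first two records are flagged (a near-nameless rule parking finance mail in RSS Subscriptions, and a delete-on-sight rule for the partner's domain) while the genuine newsletter rule is not; `subject_changes(SAMPLE_THREAD)` returns only the third message. In production the first function would be fed by the audit log export and the second by the mailbox export or journaling, and a rule creation from an IP that never appeared in the user's sign-in history is worth correlating with the flagged rule.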