May 01, 2024
Editor’s note: This blog is part of our ongoing Email Threats series. Part one covered HTML smuggling.
Remember working life before email? It seems nearly impossible now. Email messages between staff and outside contacts have become critical to business operations, and cyber-threat actors are only too aware of that dependence. By interfering with email, that critical medium of communication, they’re able to perform one of the most common methods of exploiting an organization: business email compromise (BEC). It’s not new, but it’s a significant threat.
In its simplest form, a BEC operator sends phishing emails that lure a business’s employees into paying fraudulent bills. These emails appear to be sent from a known business affiliate, vendor, or colleague, so the recipient tends to trust the sender. Most businesses experience BEC throughout any given year, and the malicious messages are often reported by vigilant users and escalated to a company’s security team, who run playbooks to eliminate any risk to the environment.
Business email compromise attacks differ from other types of cyber attacks because they seek to manipulate a human rather than exploit a technical vulnerability.
These tactics exploit human emotions like curiosity, fear, and trust to persuade employees to take actions that they wouldn’t normally take. Since humans are often the weakest link in an organization’s security defenses, attackers will try to bypass technical controls by targeting individuals with access to valuable resources.
In a business email compromise attack, attackers can use various methods to pose as someone trustworthy. One common method is email spoofing, where an attacker creates a fake email address that appears similar to the legitimate one. For example, they might create an email address like [email protected] instead of [email protected].
Another method is social engineering. Attackers may conduct research on their target organization and create a pretext that seems believable. For example, they might gather information about a particular vendor’s billing cycle and then send a fake invoice that seems legitimate.
Attackers also use phishing techniques to trick employees into thinking they are someone trustworthy. They may send an email that appears to be from someone within the company, such as a colleague or a supervisor, and ask the employee to perform an urgent task like initiating a wire transfer. The phishing email will usually contain a link that takes the victim to a fake login page, which the attacker uses to steal their username and password.
Let’s take a look at some of the insights the ReliaQuest threat research team gathered over 2023 in our analysis of clients’ BEC-related events. They feed into key steps you can take over the next two months to shore up your defenses.
In one BEC case, the finance team at a third-party company (Company A) reached out to one of our clients (Company B) to inform their security team that Company A had been receiving fraudulent emails purportedly coming from Company B. ReliaQuest analyzed the email chain, which showed social engineering tactics. The sender instructed the victim (Company A) to switch from processing payments by check and begin going through the Automated Clearing House Network, a network used for electronically moving money between bank accounts.
In a follow-up email to Company A, the threat actor asked for a response about the payments, stirring up a sense of urgency. But Company A, thankfully, didn’t fall for the lure. Despite the emails not containing links, attachments, or artifacts in the headers that typically trigger prevention or detection measures, the recipient notified our client’s security team at Company B and remediation followed.
In another recent BEC event, ReliaQuest investigated a threat actor who successfully compromised an email account through a credential harvester. After establishing initial access to the account, the threat actor quickly created new email rules to move their own sent messages to the junk folder. This hid the fraudulent activity from the account owner, but it did trigger alerts that enabled mitigation before any emails could be sent or reputation damage done.
ReliaQuest responds to a high daily volume of BEC-related attacks. The malicious emails are usually sent to the staff of finance departments or high-ranking employees. The phishing emails often make it to the victims’ inboxes successfully because the messages lack sophistication and rely on social engineering to trick unsuspecting victims into performing fraudulent actions.
BEC attacks present challenges for young and mature cybersecurity programs alike. Identifying instances is tough: There are few detection opportunities, and defense often relies on the vigilance and savvy of the target. Below, we offer a plan to defend against this threat by developing strategies that will better secure your network over two months.
Enable employees in high-risk departments to identify potential phishing emails. Run security awareness programs and highlight examples or case studies. Inform staff that they may be targeted by BEC emails and that attackers could use their email account credentials to send malicious messages to other businesses.
Ensure that multifactor authentication (MFA) is enforced for all employees.
Create a playbook to alert third-party providers and partners if you receive BEC phishing emails. Think about the example we explored earlier; ensure that a speedy notification can trigger responses that limit the scope of the compromise.
Consider implementing a dual authorization policy in which a manager or co-worker must authorize large payments or banking changes.
Develop detections on high-risk users when inbox rules are created. This will probably result in a lot of false positives, but a tuning period of at least 30 days should increase the fidelity of the rule.
Establish a policy for large money transfers or updates to client banking account information, requiring verification through an additional means other than email (e.g., phone call or other verbal communication).
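The inbox-rule detection recommended above can be sketched as follows. This is an added example, not ReliaQuest's detection logic: the event field names, the high-risk watchlist, the folder list, and the tuned-out entries are assumptions, and the sample events are constructed.

```python
"""Added example: flag inbox-rule creation on high-risk mailboxes.
Events are constructed; field names are assumptions modeled on mailbox
audit records, so map them to your own log source."""
HIGH_RISK_USERS = {"ap.clerk@example.com", "cfo@example.com"}  # assumed watchlist
HIDING_FOLDERS = {"junk email", "deleted items", "rss feeds"}  # rarely read folders
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Result of the tuning period: (user, rule name) pairs reviewed as benign.
TUNED_OUT = {("cfo@example.com", "Newsletters")}

def evaluate(event):
    """Return the reasons to alert on this event, or [] to stay quiet."""
    user = event.get("UserId", "").lower()
    if event.get("Operation") not in RULE_OPERATIONS or user not in HIGH_RISK_USERS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    if (user, params.get("Name", "")) in TUNED_OUT:
        return []
    reasons = ["inbox rule created or changed on high-risk mailbox"]
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to " + params["MoveToFolder"])
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    return reasons

def triage(events):
    """Return (user, severity, reasons) per alert; 'high' when the rule hides mail."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            severity = "high" if len(reasons) > 1 else "review"
            alerts.append((ev["UserId"], severity, reasons))
    return alerts

def ev(user, op, **params):
    """Build one constructed audit event."""
    return {"UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ev("ap.clerk@example.com", "New-InboxRule", Name=".", MoveToFolder="Junk Email", MarkAsRead=True),
    ev("cfo@example.com", "New-InboxRule", Name="Newsletters", MoveToFolder="Newsletters"),
    ev("intern@example.com", "New-InboxRule", Name="x", MoveToFolder="Junk Email"),
    ev("cfo@example.com", "Set-InboxRule", Name="Travel", MoveToFolder="Travel"),
    ev("ap.clerk@example.com", "MailItemsAccessed"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Every rule change on a watched mailbox still produces a "review" alert, which is where the expected false positives come from; entries added to TUNED_OUT during the tuning period are what raise the rule's fidelity.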
Is your team drowning in reported phishing emails? The Phishing Analyzer, part of the ReliaQuest GreyMatter security operations platform, can automate the evaluation, remediation, and notification process, leaving your analysts free to focus on higher-priority tasks.