Last week, I wrote about how cybercriminals are looking to trade corporate emails in their pursuit of conducting Business Email Compromise scams (BEC). In particular, these individuals sought the credentials of CFOs, CEOs, and accounting and finance departments. However, as our latest report, Pst! Cybercriminals on the Outlook for Your Emails, shows, many of these credentials have already been exposed through through breaches or leaks of third party sites.

One approach to conducting BEC is to gain access to a corporate email account directly (shown in Figure 1). Recent research found that 44% of organizations were victims of targeted email attacks launched via a compromised account.


Figure 1: One approach to conducting Business Email Compromise


Once the company email account is compromised, the attacker will hijack the account to make fraudulent requests to colleagues, accounting departments and suppliers. Once inside a business email account, the attacker can perform reconnaissance by searching the mailbox for targets as well as learning how money moves around the organization. Another popular tactic is to alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the sent list.


33,568 Exposed Credentials

In order to understand the extent to which email accounts of finance departments are exposed, we searched for compromised credentials in our data breach repository. Digital Shadows (now ReliaQuest)’ breach repository holds nearly 5 billion credentials exposed through more than 280,000 different data breaches and leaks, obtained from a variety of open and closed sources.

By searching for known email formats of finance departments such as “[email protected]”, “[email protected]”, “[email protected]”, “[email protected]”, “[email protected]”, we detected over 80,000 credentials. After duplicates and personal email addresses were removed, this left 33,568 exposed finance department email addresses – eighty-three percent (27,992) of which had passwords associated. This exposure was global in nature, as shown by the distribution of Top Level Domains (TLDs).


Top Level Domain Credentials Exposed
.com 18,163 4,953
.au 4,855
.za 3,000
.de 404
.edu 116
.nl 61
.my 48
.gov 24
.hk 23
Total 33,568


What about Multi-Factor Authentication?

There are, of course, measures that organizations can implement that will hamper the success of these account takeovers. These include implementing multi-factor authentication (MFA) and single sign-on solutions (SSO). However, there have been reports about the ability to bypass single sign-on or MFA and use brute force methods to steal corporate Microsoft Office 365 login credentials and log into enterprise systems.

In addition to implementing MFA, there are various email controls help to limit BEC campaigns. The three email authentication standards DMARC, DKIM and SPF can help other organizations to recognize fraudulent emails purporting to come from your domain. SPF controls who is allowed to send from your domain, DKIM ensures that sent emails are authenticated, and DMARC what others should do about reporting spoofing attempts. This will go a long way to helping protect against BEC, although it should be noted that these controls will not help against attackers spoofing domains with a variation on the original domain – for example, these will help to deal with google[.]com spoofing but not google-email[.]com.

With the large number of accounting and finance email credentials exposed, organizations should detect when their accounting emails are compromised, and ensure the passwords are not re-used for corporate accounts. Furthermore, finance departments should limit the extent to which they sign up for third party services with the department email account. To read more about BEC, download a copy of our latest research report, Pst! Cybercriminals on the Outlook for Your Emails.

We’ve also created an infographic around our BEC research. Here are 5 ways that cybercriminals gain access to emails without conducting a phishing campaign or network intrusion.


To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.


Photon logo small