Business email compromise (BEC) attacks are on the rise, posing a significant financial and operational risk to organizations. In March, the ReliaQuest Threat Research team reported a nearly 250% increase in observed BEC attacks year over year, while the FBI reported $3 billion in reported losses due to BEC attacks in 2023 alone.

The availability of phishing kits and stolen account credentials has increased, providing more methods for carrying out BEC attacks. Threat actors are also becoming more aware of organizational security measures and finding ways to bypass them. Last year, a novel BEC attack technique was discovered in a customer’s environment that was not yet associated with previously engineered detections, thus bypassing automated monitoring. In this incident, the attackers evaded detection for approximately 24 hours, from initial access to detection and remediation.

Strategic Enhancements Initiated by ReliaQuest

Following remediation, ReliaQuest prioritized the development of the customer’s detection capabilities. The objective was to improve the identification and response to BEC attacks through a comprehensive strategy that focused on rapid detection, enhanced integrations and automated responses. This approach enabled ReliaQuest to drastically reduce the customer’s exposure to threat dwell time. This strategy included the following components:

1. Detection Research:

  • GreyMatter was leveraged to hunt, research, and collect Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs).
  • New detections were engineered and implemented based on the intelligence gathered, enhancing the firm’s ability to identify threats swiftly.

2. Enhanced Integrations:

  • Integration of Identity and Access Management (IAM) tools, specifically Entra ID, facilitated reactive measures to contain successful BEC intrusions.
  • Office 365 email security was integrated as a proactive measure to prevent future BEC intrusions.

3. Automated Response Plays (ARPs):

  • ARPs were deployed to respond to malicious email outlook rules, geographically anomalous remote logins, anomalous tokens, and allowed malicious emails.
  • Automated containment actions—such as session termination and password resets— were swiftly initiated to revoke threat access.

Incident Containment and Response

In March, these refined security measures were put to the test during a subsequent BEC attack. As shown in the timeline below, the enhancements ReliaQuest made to the customer’s detection and response capabilities enabled much faster incident containment and resolution:

  • Immediate Detection and Response: GreyMatter detected a subsequent BEC attack at 12:07 PM EST; by 12:08 PM EST, automated response protocols were activated.
  • Automated Containment Actions: The system automatically terminated compromised IAM sessions and enforced password resets, dramatically speeding up containment: The time from detection to containment was less than three minutes.
  • Proactive Measures: By 2:00 PM EST, the firm blocked the sender and URL in O365 through GreyMatter, preventing further spread of the attack.

By maturing their detections, incorporating more integrations, and developing automated response plays, ReliaQuest significantly improved the customer’s strategy for responding to BEC attacks. The time to contain the threat was reduced to just 2 minutes, a 99.8% decrease compared to the initial incident. The time to resolve also decreased by 88%, with the total resolution time now streamlined to just 2 hours. The effectiveness and reliability of the refined security measures were consistently demonstrated by the 123 automated responses to BEC attacks reported throughout that quarter alone.

Reflection and Insights

This customer’s experience highlights the vital need for proactive security measures in today’s digital environment. By adopting a comprehensive strategy like that implemented by ReliaQuest, organizations can effectively reduce the impact of these increasingly frequent and complex BEC attacks, reducing their mean time to contain (MTTC) and mean time to resolve (MTTR).

These improvements not only facilitated faster threat mitigation, but also enabled ReliaQuest’s customer to confidently demonstrate the value of advanced cybersecurity measures to their board and executive team. It illustrated the strategic benefits of proactive risk management in maintaining operational stability and protecting against cyber threats such as BEC attacks.

Protect against BEC Attacks with ReliaQuest

ReliaQuest provides customers with tailored detection rules through its GreyMatter security operations platform to effectively mitigate BEC threats that identify tool abuse and unauthorized software. Organizations can customize these rules to fit their specific environments, enhancing accuracy and reducing false positives. This customization improves the efficiency of threat detection and response, enabling a more robust and responsive security posture against BEC threats.