Microsoft Shows How Business Email Compromise Attacks Are Quick

We all the understand the risk that comes with cyberattacks. Hackers are sophisticated, calculated, and ruthless, with the goal of taking as much data and money from victims as possible. However, these attacks may be even more dangerous than previously thought, with some steps of the attack taking just minutes to complete. According to research from Microsoft’s Security Intelligence team,
March 14, 2023
 / 
meritsolutions
 / 
Image

We all the understand the risk that comes with cyberattacks. Hackers are sophisticated, calculated, and ruthless, with the goal of taking as much data and money from victims as possible. However, these attacks may be even more dangerous than previously thought, with some steps of the attack taking just minutes to complete.

According to research from Microsoft’s Security Intelligence team, an entire business email compromise attack can take only hours, including everything from signing into accounts with stolen credentials to taking over an email thread. When steps can take only minutes at a time to run through, it makes it that much more difficult for victims to know they’re actually being attacked. By the time they’ve noticed something’s wrong, the entire attack may already be over.

To be clear, business email compromise attacks are when an attacker breaks into an email account via phishing, tricking victims, or purchasing stolen account login credentials online. Then, the attacker pretends to be a “trusted individual,” like a boss or other authority figure, in an attempt to confuse the victim into okaying a fake wire transfer request. The FBI says these attacks resulted in over $43 billion in losses between 2016 and 2019.

Using an adversary-in-the-middle attack, one hacker was able to break into an email account by skipping over MFA protections, then spent roughly two hours scouring through emails for threads to take over. This tricks the victim into thinking an email is being sent from a previous thread, when really it was sent by a hacker just now. The victim then clicked on a fraudulent URL that looked legitimate, changed an inbox rule to move emails to a particular folder, then sent an email to the other victim, requesting a wire transfer. They then deleted the sent email to cover their tracks. This scheme took 127 minutes in total, so most of the attack took place during the initial email thread search.

Luckily, Microsoft Defender noticed the issue 20 minutes after the sent email was deleted, disabling the user’s account before the damage could be done.

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

Share This

Leave a Reply



Sign Up for weekly MERIT Security Briefing

By signing up, you agree to our Privacy Policy.