Some Ways that Microsoft 365 Administrators can Protect Against Business Email Compromise (BEC)

Overview:

According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes.[1] It is also perhaps one of the tricks that even the savviest businessperson may fall for. Email account compromise (EAC) is a closely related tactic. This article examines some ways in which Microsoft 365 administrators can lower the likelihood of their company from succumbing to such an attack.

How a BEC Scam Plays Out:

This is how a typical BEC or EAC scam plays out, in brief.

1. An employee at the company receives an email from a person that they are seemingly familiar with, such as a current customer. The email may look very convincing and may either be from a spoofed (or similar looking) domain, or may actually be from the company itself through the use of stolen login credentials (EAC). Often the employee receiving the email has a job function relating to billing, accounting or finance. In the case of stolen credentials (EAC) the email may come from the real email account associated with a current or former customer.
2. The email requests some sort of urgent action. In the article, “Business Email Compromise (BEC)”, by Proofpoint, they mention that the FBI has defined “5 major types of BEC scams”:[2]
   • CEO fraud. The attackers impersonate a high-level executive usually within the finance department and request funds to be wired to a bank account controlled by the attacker.
   • False invoice scheme. The scammer acts as if they are a legitimate supplier requesting payment for an invoice.
   • Account compromise (EAC). A vendor’s, customer’s, or employee’s email credentials are compromised and used to request payments from vendors. In the case of EAC, the stolen credentials will often go unnoticed for an extended time period during which the attacker monitors and collects information from within the email account for use later in the scam.
   • Attorney Impersonation. The attacker impersonates an attorney or law firm through the use of official looking emails and documents. For example, an email may be received by a marketing employee requiring payment for the use of a certain image that was used on a web page or email campaign without the proper licensing. Note: Companies can receive real requests like this as our company did many years ago through the careless use of a stock photo.
   • Data theft. The attacker attempts to obtain personal and privileged information about an employee for use in a future scam. This could perhaps take the form of a reference check in which you would be asked to provide an employee’s social security number, home address, email address, or other sensitive information.

 

Common Scam Tactics:

These are some things to keep in mind when evaluating the potential truthfulness of any suspect email. Further details about each are given below.

1. The use of official images and logos that seem out of place.
2. A sense of urgency.
3. The email contains an attachment of something like an invoice or other invoice file.
4. The email contains an embedded link which, when clicked requires the user to sign into some popular service such as Office 365.

The use of official images and logos that seem out of place.

Official logos and other images can be used to provide legitimacy to the scam. Our company received the following BEC scam email:

Notice the unusual use of the Office 365 logo, which was done in order to add a degree of legitimacy to the obvious scam.

A sense of urgency.

The email demands some sort of urgent action such as opening an attachment or logging into a web site in order to confirm your credentials. Our company received this scam email:

The email contains an attachment of something like an invoice or other invoice file.

Often in order to open the attachment a password will be required and that is sometimes included in the email message. Does it make any sense to require a password to open a document but then include the password in the same email message? This should cause you to question the validity of the email immediately.

The email contains an embedded link which, when clicked requires the user to sign into some popular service such as Office 365.

Our company received the following email from a scammer:

Notice how the scammer included a Microsoft and OneNote logo along with an official sounding company name.

Here is another example of a scammer’s email sent to our company which incorporates many of the concepts listed above:

Could a busy accounting employee fall for the scam by clicking through to the attached link and then provide login credentials for some application like their email account?

Some Ways that Microsoft 365 Administrators can Protect Against BEC

The following list provides some ways in which a Microsoft 365 administrator can protect, to at least some degree, their organization from falling prey to a BEC scam. Some of these recommendations listed at the bottom of the list go beyond BEC but are things that we recommend for any company using Microsoft 365.

1. Implement multi-factor authentication for every employee’s Microsoft 365 account. Our company recommends either the use of the Microsoft Authenticator app for Android and iPhone, or for more security conscious employees the use of Duo’s MFA system and the Duo Mobile app for Android and iPhone. Duo solves what can become a huge problem for companies, phantom authentication requests. Since many employees have more than one device, they may respond to an MFA challenge by responding to an authentication request on their smart phone through the Microsoft Authenticator app. They may assume that this must be one of their devices trying to authenticate. This is because the Microsoft Authenticator does not provide any information about the authentication request other than just presenting it and asking for an answer. Duo eliminates the uncertainty in these requests by providing information about which application is requesting authentication and where the request is coming from.

Regarding Duo, there are two ways to implement this MFA application. The first is just to use the Duo smart phone app the same way you would use the Microsoft Authenticator by just scanning the barcode and adding the account. This method is easy to do, however the second and preferred method involves adding a conditional access policy in Azure.

2. Train your users. You can develop a simple training system in your learning management system, send out regular educational emails, or have your users attend an online cyber security course.
3. Confirm the Sender Protection Framework records as implemented for the domain and use an “-all” record as a hard fail directive. Microsoft 365 can make this difficult because of the number of DNS entries eaten up by the base directives. However, most companies will find that they can work around the ten record DNS lookup limit for SPF records by using the IP address of possible senders. Every email administrator will want to use the very popular and intuitive Kitterman SPF record tool to validate their SPF records. For that matter, another other very useful email tools can be found at MX Toolbox.
4. Implement DKIM signing of email messages and a DMARC policy set to reject. This is an easy step for administrators to take which helps to verify the validity of email messages being sent by the company.
5. License the comprehensive security features available in the Microsoft 365 Enterprise licenses, including Advanced Threat Protection and Windows Defender ATP. This will provide a much higher filtering level for email and also other layers of protection, including Anti-phishing, anti-spam, anti-malware, safe attachments, and safe links.
6. Enable audit logs in Microsoft 365. CSO Online has provided some nice instructions in their article.
7. Implement an App Locker policy which disables Windows PowerShell for users not requiring its use. We wrote an article about this on this same blog.
8. Implement a rule in Microsoft 365 Exchange, which rejects incoming messages from outside of the company, but using the company domain and which fail the SPF directive.

The directive will look like this:

If the message…

‘Authentication-Results’ header contains ”header.from=mycompanysdomain.com”

and ‘Authentication-Results’ header matches the following patterns: ‘spf=softfail’ or ‘spf=none’

and Is received from ‘Outside the organization’

Do the following…

Delete the message without notifying the recipient or sender

And another directive, something like this:

If the message…

sender’s address domain portion belongs to any of these domains: ‘mycompanysdomain.com’

and ‘Authentication-Results’ header matches the following patterns: ‘spf=fail’ or ‘spf=permerror’

and Is received from ‘Outside the organization’

Do the following…

Delete the message without notifying the recipient or sender

Except if…

Is received from ‘thistrustedcustomerdomain.com’ or ‘thatdomain.com’

 

8. Terminate the use of POP3, IMAP, and Authenticated SMTP on every Microsoft 365 account. Instead, for those use who require the ability to send email through SMTP implement an SMTP service (on a static IP address) through one of the common providers such as Amazon SES or Mailjet.
9. Implement an email rule which blocks executable content received from outside of the company. That directive will look like this:

If the message…

Is received from ‘Outside the organization’

and includes an attachment with executable content

Do the following…

Set audit severity level to ‘High’

and Delete the message without notifying the recipient or sender

 

10. Implement an email rule which flags email messages containing certain common email attachments (especially those capable of running macros). The message that is to be prepended should contain wording warning not to open attachments from untrusted sources.
11. Regularly review the Azure Active Directory login to watch for failures. An even better approach is to use a fantastic tool called AdminDroid which will perform regular audits for you and send them in an email message.
12. Implement the MS Defender app for all managed iPhone and Android smart phone devices.

Closing Comments:

Just as I was finishing my first draft of this blog post a finance employee in our company forwarded the following email that they thought was suspicious. They remarked that I had trained them well! They then used the reporting feature in Microsoft 365 to create a report which triggers an administrative investigation in Microsoft 365.

Business email compromise can occur at any moment. Make sure you take the adequate steps and measures to protect your company from BEC.

End Notes:

[1] FBI, https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise cited 10/18/2021.

[2] Proofpoint, https://www.proofpoint.com/us/threat-reference/business-email-compromise cited 10/18/2021.