The Anatomy of a Business Email Compromise
A typical BEC investigation we run unfolds in five acts. Recognizing them in progress is the difference between a near-miss and a six-figure loss.

A Business Email Compromise (BEC) represents one of the most insidious and financially damaging cyber threats facing organizations today. Often mistaken for simple phishing, BEC attacks are sophisticated, multi-stage operations that leverage social engineering and compromised email accounts to defraud businesses. Our investigations consistently reveal a common pattern of execution, typically unfolding in five distinct acts. Recognizing these stages as they progress is not merely an academic exercise; it is the crucial difference between simply detecting an anomaly and preventing a devastating, six-figure financial loss. Understanding this anatomy is the first step toward building more resilient defenses.
Act 1, Initial Access
The opening act of a BEC often commences with an unsuspecting user falling victim to a highly crafted phishing attempt. This typically involves clicking a malicious link embedded within an email that appears to originate from a trusted source, such as a Microsoft 365 login page or an internal service. Upon clicking, the user is redirected to a meticulously crafted lookalike login page designed to mimic legitimate authentication portals. Here, they are prompted to enter their credentials. Ostensibly, strong authentication mechanisms like Multi-Factor Authentication (MFA) should prevent unauthorized access. However, in many sophisticated phishing campaigns, attackers employ techniques such as MFA prompt bombing or session token interception. In the latter scenario, the phishing page acts as a reverse proxy, capturing the user's username, password, and the legitimate MFA response, effectively bypassing the security control by capturing the valid session token. This allows the attacker to gain unauthorized access to the user's mailbox without needing the actual password for future logins, relying instead on the stolen session.
Act 2, Reconnaissance
Once initial access is established, the attacker's primary objective shifts from gaining entry to understanding the victim's operational environment. This reconnaissance phase is critical for the subsequent success of the BEC attack. For several days, sometimes even weeks, the attacker diligently observes the compromised inbox. Their activities during this stage include:
- Identifying Key Personnel: They focus on pinpointing individuals responsible for financial transactions, such as accounts payable managers or finance department contacts, as well as executive leadership whose email authority carries significant weight.
- Mapping Vendor Relationships: The attacker meticulously reviews email threads to understand existing vendor relationships, noting recurring suppliers, payment frequencies, and typical communication patterns around invoicing. This allows them to identify suitable targets for impersonation or invoice manipulation.
- Analyzing Communication Styles and Templates: They study the language, tone, and standard operating procedures used in legitimate business communications, particularly those related to financial matters. This includes understanding common salutations, disclaimers, and the style of invoice requests or payment confirmation emails, all to craft convincing fraudulent messages later.
This deep dive into the victim's email history allows the attacker to create highly believable scenarios and communications, significantly increasing the likelihood of success in later stages.
Act 3, Persistence
With valuable intelligence gathered, the attacker moves to establish persistence and cover their tracks. During this act, the adversary aims to maintain their access and ensure their subsequent fraudulent activities go unnoticed by the compromised user. The most common tactic observed here is the creation of stealthy mailbox rules:
- Auto-Forwarding Rules: A rule is configured to automatically forward specific inbound and/or outbound emails to an external email address controlled by the attacker. This ensures the attacker remains abreast of ongoing communications, even if their direct access is temporarily interrupted, and allows them to monitor replies to their fraudulent messages.
- Auto-Deletion Rules: Conversely, rules are often established to automatically delete messages that might expose the attacker's presence. This could include deleting "out of office" replies to their malicious emails, or deleting warning notifications from internal security systems that might indicate unusual login activity or email rule changes.
- Moving to Other Folders: Less commonly, rules might move specific messages to obscure folders, effectively hiding them from the user's immediate view, simulating a user tidying their inbox.
These rules are deftly designed to hide the attacker's outbound communications from the legitimate user, preventing the victim from realizing their account has been compromised or that fraudulent emails are being sent from their address.
Act 4, Fraudulent Payment
This is the climactic act where the financial loss typically occurs. Leveraging the insights gained during reconnaissance and protected by the persistence mechanisms, the attacker initiates the fraudulent payment request. The most effective method involves hijacking a legitimate, pre-existing email thread with a real vendor. By replying within an established chain, the fraudulent payment request gains an immediate veneer of authenticity. Key elements of this act include:
- Thread Hijacking: The attacker inserts themselves into an active communication thread between the victim and a known vendor, ensuring continuity and relevance. This makes the communication appear like a natural continuation of an ongoing business discussion.
- Banking Detail Alteration: In their reply, the attacker provides new, fraudulent banking details, often under the guise of "updated bank information," "a change in our financial institution," or "streamlined payment processing." The email is crafted to look virtually identical to legitimate vendor correspondence, mimicking branding, tone, and standard signatures observed during reconnaissance.
- Lack of Out-of-Band Verification: The critical failure point here is often the absence of out-of-band verification. The recipient, trusting the email's apparent legitimacy due to the compromised thread and convincing disguise, processes the change in banking details and subsequently initiates a payment to the attacker's account without performing an independent, secondary verification through a different communication channel (e.g., a phone call to a known vendor contact using a pre-verified number).
The reliance on email for all payment-related modifications, especially for established vendors, is a core vulnerability exploited in this stage.
Act 5, Discovery
The final act, Discovery, typically coincides with the realization that a financial loss has occurred and the initiation of an incident response. This scenario rarely begins with internal detection; rather, it's usually triggered externally:
- Vendor Inquiry: The most common trigger is the real vendor calling the victim organization to inquire about an unpaid invoice. Since the fraudulent payment went to the attacker's account, the legitimate vendor never received their funds. This discrepancy immediately raises red flags.
- Delayed Financial Reconciliation: In other cases, discovery might occur during routine financial reconciliation processes, particularly if the fraudulent payment doesn't align with expected vendor payment schedules or amounts.
- Employee Observation: Rarely, an employee might notice the unfamiliar mailbox rules or anomalous email activity, but this is less common given the attacker's efforts to remain stealthy.
Once the discrepancy is identified, an immediate forensic investigation commences to ascertain the scope of the compromise, identify the entry point, and trace the path of the fraudulent transactions, often after the funds have already been moved by the attackers.
What Blocks the Chain
While the BEC kill chain appears formidable, several critical controls, when properly implemented, can effectively break it at various stages. The key is understanding that stopping one act can prevent the entire sequence of events from unfolding.
- Phishing-Resistant MFA Stops Act 1: Deploying phishing-resistant MFA (Multi-Factor Authentication), such as FIDO2 security keys or certificate-based authentication, is paramount. Unlike SMS or push-notification MFA, these methods cryptographically bind the authentication process to the legitimate website's origin, so a lookalike site cannot relay the challenge, capture a usable session token, or trick the user into approving a genuine MFA prompt that the fake site triggered. This completely thwarts the initial access phase, as the stolen credentials or session cannot be used to authenticate.
- Inbox-Rule Monitoring Catches Act 3: Proactive inbox-rule monitoring is a highly effective control. Security teams should implement automated tools and processes to regularly audit user mailboxes for newly created, suspicious forwarding or deletion rules. Any new rule created by an unrecognized IP address, or one that forwards to an external domain not on an approved list, should trigger an immediate alert and investigation. This allows for the timely detection and removal of persistence mechanisms before fraudulent payments are even attempted.
- Mandatory Second-Channel Callback for Banking Changes Stops Act 4: Even if Acts 1 through 3 succeed, a robust internal process for verifying financial changes can neutralize Act 4. Implementing a mandatory policy requiring out-of-band verification for any changes to vendor banking details is a critical defense. This means that if an email requests a change in payment information, the recipient must initiate a call to a pre-verified, known phone number for the vendor (not a number provided in the suspect email) to confirm the change directly. This control is not only the most practical and inexpensive to implement but also incredibly reliable, as it doesn't depend on complex technical systems or user vigilance against sophisticated phishing, but rather on a simple, verifiable procedure.
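The inbox-rule monitoring described above (and the three rule types from Act 3) can be reduced to a small scoring routine over mailbox audit events. The following is an added example, not code from the original article or from any vendor product: it assumes events shaped like Microsoft 365 unified audit log records for New-InboxRule and Set-InboxRule (Operation, UserId, ClientIP, and Parameters as Name/Value pairs whose names follow the cmdlet parameters ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder and SubjectContainsWords). The tenant domains, forwarding allow-list, trusted egress network and the four sample events are all constructed for illustration.

```python
"""Score inbox-rule audit events for the BEC persistence patterns of Act 3.

Added example. Event shape assumed to follow Microsoft 365 unified audit log
records for New-InboxRule / Set-InboxRule; all domains, networks and sample
events below are constructed, not real tenant data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}                            # assumed tenant domains
APPROVED_FORWARD_DOMAINS = {"partner.example.net"}            # assumed forwarding allow-list
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance", "out of office", "undeliverable")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


@dataclass
class Finding:
    user: str
    rule_name: str
    client_ip: str
    reasons: list[str] = field(default_factory=list)


def external_addresses(value: str) -> list[str]:
    """Extract SMTP addresses from a recipient string; keep only unapproved external ones."""
    hits = set()
    for addr in EMAIL_RE.findall(value):
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in INTERNAL_DOMAINS and domain not in APPROVED_FORWARD_DOMAINS:
            hits.add(addr.lower())
    return sorted(hits)


def from_trusted_network(client_ip: str) -> bool:
    """ClientIP may carry a port ("198.51.100.23:443" or "[2001:db8::1]:443"); strip it first."""
    host = client_ip
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(record: dict) -> Finding | None:
    """Return a Finding when the rule shows a forwarding or hiding action, else None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS:                       # Act 3: auto-forwarding to an outside mailbox
        ext = external_addresses(params.get(name, ""))
        if ext:
            reasons.append(f"{name} sends mail to unapproved external address {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":   # Act 3: auto-deletion
        reasons.append("rule deletes matching messages")
    folder = params.get("MoveToFolder", "").replace(":", "").split("\\")[-1]
    if folder.lower() in HIDING_FOLDERS:              # Act 3: burying mail in an obscure folder
        reasons.append(f"rule moves matching messages to '{folder}'")
    if not reasons:
        return None                                   # ordinary tidy-up rule; nothing to raise
    # Context that raises confidence once a forwarding or hiding action is present
    scope = " ".join(params.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    words = [w for w in FINANCE_WORDS if w in scope]
    if words:
        reasons.append(f"scoped to finance or bounce keywords: {', '.join(words)}")
    rule_name = params.get("Name", "")
    if not rule_name.strip(" .,-_"):
        reasons.append("rule name is empty or punctuation only")
    client_ip = record.get("ClientIP", "")
    if not from_trusted_network(client_ip):
        reasons.append(f"changed from untrusted network {client_ip or '<unknown>'}")
    return Finding(record.get("UserId", "<unknown>"), rule_name or "<unnamed>", client_ip, reasons)


def analyze(records: list[dict]) -> list[Finding]:
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample events (not real log data); IPs come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap.manager@example.com", "ClientIP": "198.51.100.23:443",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"},
                    {"Name": "ForwardTo", "Value": "[SMTP:billing-sync@mailbox-relay.example]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "203.0.113.40",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "\\Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "ops@example.com", "ClientIP": "203.0.113.12",
     "Parameters": [{"Name": "Name", "Value": "Partner escalations"},
                    {"Name": "ForwardTo", "Value": "Ops Desk [SMTP:ops@partner.example.net]"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap.manager@example.com", "ClientIP": "198.51.100.23:443",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "SubjectContainsWords", "Value": "out of office;undeliverable"},
                    {"Name": "MoveToFolder", "Value": ":\\RSS Feeds"}]},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {finding.user} rule '{finding.rule_name}' from {finding.client_ip}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Only the first and fourth sample events produce findings: the forward to an approved partner domain is deliberately left quiet so the allow-list does its job, and the keyword, rule-name and source-network checks only add weight once a forwarding or hiding action is present, which keeps ordinary tidy-up rules out of the alert queue.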
While each of these controls offers a significant deterrent, it is important to emphasize that even one effectively implemented control can suffice to break the kill chain. However, the third control, requiring a second-channel callback for any banking information change, stands out as the most accessible, cheapest, and most reliable safeguard against the ultimate financial impact of a BEC attack. It is a procedural control that provides an essential human check to an otherwise technically sophisticated fraud.