Threat Insight

Business Email Compromise – Prevention Strategies and Best Practices (Part IV)


The best BEC is no BEC

So how do we prevent business email compromise? Thinking we can prevent it altogether would be overambitious. No protective measure is 100% effective, and we are all only people, and people make mistakes.

We can use several different mechanisms to, for example, stop the user from receiving the phishing email or to prevent them from following the included link. When things still slip through, we have protective measures like multifactor authentication (MFA) and Conditional Access which can stop an attacker from using the harvested credentials to collect information or to gain a foothold in the environment.

In this part of the series, we look at what tools we have at our disposal in Entra ID and Office 365 at the different license levels, as well as what we can do to educate the users, both for prevention and for responding effectively when something slips through.

User awareness is key

Before getting into the technical countermeasures, we must look at where it starts: the email user. Even a “normal” user with seemingly low privileges might be enough to get the attacker what they are looking for, or serve as a stepping stone to compromising a more interesting account.

Teach users not only how to spot a phishing attempt, but also that even if their account is not the most interesting or highly privileged, it can still be the starting point for an attack that compromises the entire company infrastructure.

Encourage them to pick up the phone and verify whether a link, attachment or payment request was really sent by the sender of the email and not by someone impersonating them. The call must go to a number the user already knows or finds in the company directory, never to a number given in the suspicious email itself.

Users also need to know what to do if they get a suspicious phone call from “helpdesk” with instructions to install a tool for “troubleshooting”, get suspicious external Teams messages, receive a suspicious email, click a link in a seemingly normal email that takes them somewhere unexpected, or only in hindsight realize they did something they should not have done. There should be clear, easily available instructions for these situations, and they should be tested periodically. It is also important for users to understand that this can happen to anyone: the techniques used by threat actors can be highly sophisticated, and all it takes is one simple misjudgement.

Defender for Office 365 Plan 2 (which is included in, for example, Microsoft 365 E5 license) includes an attack simulation feature built into the security portal, where you can run simulated tests to measure and follow up on how your users respond to different attack scenarios. Sending out these simulations to different groups of users is a great way of keeping the users vigilant and testing their attention.

The IT department, legal department and management should have clear procedures already in place. This way, when a user report is received, there are well-defined processes to follow based on the nature of the incident. For example, in every case where the threat actor has been able to sign in to a mailbox, personal information – such as email addresses of other employees and customers – has been exposed, and the legal team must act accordingly. In other cases, where the threat actor’s actions were limited or other countermeasures prevented a sign-in, a password reset might be enough. Note that a password reset alone does not terminate sessions an attacker already holds; revoke the user’s sign-in sessions and refresh tokens as well so that harvested tokens stop working.

Protecting against email threats

SMTP protocol protection

All domains you own, whether you use them for email or not, should have at least SPF, DKIM and DMARC configured and enabled:

  • SPF (Sender Policy Framework): a DNS TXT record listing which email servers or services are allowed to send email on behalf of the domain in the envelope sender (MAIL FROM / Return-Path). Every domain and subdomain that appears as an envelope sender needs its own SPF record; SPF is not inherited from the parent domain.
  • DKIM (DomainKeys Identified Mail) signing: a cryptographic signature over selected headers and the body which lets the receiver verify that the message was not altered in transit and was signed by the domain in the signature’s d= tag. Each email service that sends on your behalf needs its own DKIM key, published under its own selector.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance):
    • Uses the SPF and DKIM results together with the From header. A message passes DMARC only if SPF or DKIM passes and the domain it passed for is aligned with the domain in the visible From header. This alignment check is what stops an attacker from passing SPF for their own domain while displaying your domain to the recipient.
    • DMARC also includes reporting: receiving mail servers send aggregate reports (rua) to the address you specify with statistics about messages claiming to be from your domain, which is how you discover forgotten senders before moving to an enforcing policy.

For any domains you own that are not used for sending email, configure an SPF record that allows no sending servers with a hard fail (v=spf1 -all) and a DMARC record with a reject policy (v=DMARC1; p=reject), so they cannot be used to send spoofed email messages. Start sending domains at p=none, review the aggregate reports, and tighten to quarantine and then reject.

These are free DNS records which make spoofing your domains a lot harder, and they also improve email deliverability with major providers like Google, Amazon, Yahoo and Microsoft, which now require bulk senders to have SPF, DKIM and a published DMARC policy (at least p=none) when sending large volumes to their services. They will reject or filter messages from unprotected domains once the volume threshold is reached.
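To make the alignment point concrete, here is an added example (not part of the original post, and not code from Truesec) that evaluates DMARC the way a receiving server does once SPF and DKIM have already been verified. All domains, DMARC records and message scenarios in it are constructed for illustration; the organizational-domain lookup is simplified to the last two labels instead of using the Public Suffix List.

```powershell
# Added example (not from the original post): how a receiving server combines
# SPF, DKIM and DMARC alignment into a DMARC verdict. All domains, records and
# message scenarios below are constructed for illustration.

function Get-OrgDomain {
    # Organizational domain, simplified to the last two labels. Real receivers
    # consult the Public Suffix List (so "co.uk" is handled); fine for this demo.
    param([string]$Domain)
    $labels = $Domain.ToLower().TrimEnd('.') -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function ConvertFrom-DmarcRecord {
    # Parse a DMARC TXT record into a hashtable, applying the RFC 7489 defaults.
    param([string]$Record)
    $tags = @{ adkim = 'r'; aspf = 'r'; pct = '100' }
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1' -or -not $tags['p']) {
        throw "Not a valid DMARC record: $Record"
    }
    if (-not $tags['sp']) { $tags['sp'] = $tags['p'] }   # sp= defaults to p=
    $tags['pct'] = [int]$tags['pct']
    return $tags
}

function Test-Aligned {
    # Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match.
    param([string]$AuthDomain, [string]$FromDomain, [string]$Mode)
    if (-not $AuthDomain) { return $false }
    if ($Mode -eq 's') { return $AuthDomain -eq $FromDomain }
    return (Get-OrgDomain $AuthDomain) -eq (Get-OrgDomain $FromDomain)
}

function Test-Dmarc {
    param(
        [string]$FromDomain,   # RFC5322.From domain, the one the user sees
        [string]$SpfDomain,    # RFC5321.MailFrom (Return-Path) domain SPF was checked against
        [string]$SpfResult,    # 'pass' or 'fail'
        [string]$DkimDomain,   # d= of a DKIM signature that verified, or '' if none
        [string]$DkimResult,   # 'pass' or 'fail'
        [string]$DmarcRecord   # TXT record published at _dmarc.<org domain>
    )
    $policy = ConvertFrom-DmarcRecord $DmarcRecord
    $spfAligned  = ($SpfResult  -eq 'pass') -and (Test-Aligned $SpfDomain  $FromDomain $policy['aspf'])
    $dkimAligned = ($DkimResult -eq 'pass') -and (Test-Aligned $DkimDomain $FromDomain $policy['adkim'])
    $pass = $spfAligned -or $dkimAligned

    # Mail from a subdomain of the organizational domain gets the sp= policy, otherwise p=.
    $applied = if ($FromDomain.ToLower() -eq (Get-OrgDomain $FromDomain)) { $policy['p'] } else { $policy['sp'] }
    $result      = if ($pass) { 'pass' } else { 'fail' }
    $disposition = if ($pass) { 'none' } else { $applied }   # pct= sampling ignored here

    [pscustomobject]@{
        From        = $FromDomain
        SpfAligned  = $spfAligned
        DkimAligned = $dkimAligned
        DmarcResult = $result
        Disposition = $disposition
    }
}

# Constructed DMARC record for the example sending domain (strict DKIM, relaxed SPF).
$record = 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com'

# 1) Legitimate mail via a bulk-mail service: the service's bounce domain passes SPF but
#    is not aligned, so the message passes only because DKIM is signed with d=example.com.
Test-Dmarc -FromDomain 'example.com' -SpfDomain 'bounce.mailservice.example' -SpfResult 'pass' `
           -DkimDomain 'example.com' -DkimResult 'pass' -DmarcRecord $record

# 2) Spoof: the attacker's own domain passes SPF and even carries a valid DKIM signature,
#    but neither is aligned with the From domain, so DMARC fails and p=reject applies.
Test-Dmarc -FromDomain 'example.com' -SpfDomain 'attacker.example' -SpfResult 'pass' `
           -DkimDomain 'attacker.example' -DkimResult 'pass' -DmarcRecord $record

# 3) Parked domain that never sends: "v=spf1 -all" makes SPF fail for every sender, and
#    with p=reject any message claiming to be from it is rejected by enforcing receivers.
Test-Dmarc -FromDomain 'parked.example' -SpfDomain 'parked.example' -SpfResult 'fail' `
           -DkimDomain '' -DkimResult 'fail' -DmarcRecord 'v=DMARC1; p=reject;'
```

Scenario 1 returns DmarcResult pass and Disposition none, scenarios 2 and 3 return fail and reject. To run the same evaluation against your own domains, fetch the published records on a Windows host with Resolve-DnsName -Name _dmarc.yourdomain.example -Type TXT (and the SPF TXT record at the domain apex) and pass the strings in.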

Microsoft 365 protection

Exchange Online Protection (EOP) is included with every Exchange Online license. It provides basic protection against spam, malware and phishing, but it is not recommended as the sole layer of protection for production domains.

If you do not have an external anti-spam solution, Microsoft offers two levels of protection for your domains which safeguard not only your email traffic, but also other M365 services like Teams, OneDrive and SharePoint.

  • Defender for Office 365 Plan 1 includes advanced anti-spam and anti-phishing capabilities, including Safe Attachments and Safe Links, which use methods such as sandboxing and time-of-click URL checks to verify attachments and links before the user reaches them. This plan also extends protection to Microsoft Teams, OneDrive and SharePoint, coverage which Exchange Online Protection does not have. While it comes with some protection preconfigured, it is important to configure the features according to best practices (for example the preset security policies) to maximise your security. Defender for Office 365 Plan 1 is included in, for example, Microsoft 365 Business Premium, which is part of why Truesec highly recommends at least this license, even for small businesses.
  • Defender for Office 365 Plan 2 builds on Plan 1 by adding more protection features for Teams, advanced threat hunting, automated investigation and response, and a threat intelligence widget in the portal which visualizes the current threats and campaigns targeting your organization and those like yours. It also includes attack simulation training, where you can test your users to verify their training and attention regarding incoming threats. Additionally, this plan integrates Defender for Office 365 with Microsoft Defender XDR, which correlates data from the other Defender products to enhance the protection of your tenant.

Protecting accounts

With Entra ID Free (included with the basic Office 365 licenses) the only built-in tool you have to protect your identities is the “Security defaults” setting, which can be enabled or disabled at the tenant level. It requires all users to register for MFA, enforces MFA for administrators and blocks legacy authentication protocols. It is enabled by default in newly created tenants but has to be enabled manually in older tenants.

Entra ID Plan 1 gives you a lot more flexibility: with this license you get access to Conditional Access policies (CAP), where you can protect your users and applications with rule-based controls. You can apply different requirements based on user, group, role, application, client properties or location. You can, for example, enforce phishing-resistant MFA and/or Intune compliance for your most important applications, or only allow your highly privileged users to sign in from certain trusted devices. Note that Security defaults must be turned off before Conditional Access policies can be enabled, so the policies replacing them should be in place first.
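As an added example of the two controls mentioned above (this is not code from the original post or from Truesec), the following uses the Microsoft Graph PowerShell SDK to create two Conditional Access policies for Global Administrators: one requiring the built-in phishing-resistant MFA authentication strength, one requiring a compliant device. Both are created in report-only state so you can read the sign-in logs before enforcing. The break-glass account object ID is a placeholder you must replace with your own emergency-access accounts; the role template ID and authentication strength ID are the documented built-in values.

```powershell
# Added example (not from the original post). Needs the Microsoft.Graph PowerShell SDK
# and an account permitted to manage Conditional Access in the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# PLACEHOLDER: object IDs of your emergency-access (break-glass) accounts. Exclude them
# from every Conditional Access policy so a misconfiguration cannot lock you out.
$breakGlassIds = @('00000000-0000-0000-0000-000000000000')

# Built-in identifiers (documented by Microsoft, not tenant specific):
$globalAdminRole      = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template
$phishingResistantMfa = '00000000-0000-0000-0000-000000000004'   # "Phishing-resistant MFA" auth strength

# Policy 1: privileged role members must satisfy phishing-resistant MFA for every app.
$mfaPolicy = @{
    displayName = 'Admins: require phishing-resistant MFA (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRole); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}

# Policy 2: the same role members may only sign in from an Intune-compliant device.
$devicePolicy = @{
    displayName = 'Admins: require compliant device (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRole); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = foreach ($body in @($mfaPolicy, $devicePolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Read back what was created so the IDs can be recorded in change management.
$created | Select-Object Id, DisplayName, State
```

Additional role template IDs for other privileged roles can be listed with Get-MgDirectoryRoleTemplate. Leave the policies in report-only mode for a few days and review the "Report-only" tab of the sign-in logs; only when legitimate admin sign-ins show as satisfying the policy should state be changed to enabled.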

This plan also includes Entra Password Protection and Entra Application Proxy. Password Protection helps users choose secure passwords and stops them from using bad or common ones, including a custom banned-password list with your company name and product names. Application Proxy works as a reverse proxy and can be used to publish internally hosted services externally without opening inbound traffic to them. This not only minimizes your network’s exposed footprint, but also lets you protect those services by only allowing authenticated users to reach them, with all the added protection that Conditional Access has to offer.

Entra ID Plan 2 extends Plan 1 with risk-based Conditional Access (Identity Protection sign-in risk and user risk), an MFA registration policy and access reviews. In short, it gives you even more tools to help your users make good security decisions, and it makes it harder for an attacker to use their credentials if, despite all the security, they still leak for some reason.

Summary

Giving your users the knowledge and tools they need, both to protect your company and to know exactly what to do and whom to report suspicious activity to, is key when it comes to preventing Business Email Compromise attacks. While there are protection mechanisms available in the Office 365 space, you as a company must know which protection you need, make sure you have the correct licensing in place, and configure and update the different services according to current best practices to use their full capability. If needed, Truesec can help both with guidance around which capabilities are right for your company, with health checks, and with hands-on services like configuration and fine-tuning.

Regularly testing the users, the admins and the protection mechanisms makes sure knowledge is kept up to date and top of mind.


Uncovering BEC Attacks – Blog Series Overview

Part I: “HELP! MY ACCOUNT GOT HACKED!“

Part II: The Anatomy of a Business Email Compromise Attack

Part III: Uncovering BEC Threats: How Threat Intelligence uses SOC and IR data
