Business Email Compromise Time to detect: 19 minutes
In this real-world response timeline, we walk you through an email account takeover, a form of BEC, against a customer in the manufacturing industry, and how the Arctic Wolf Security Teams detected the attacker in only 19 minutes, with the dedicated team of security experts investigating and alerting the customer in less than 10 minutes.
12:57 p.m.
Source: Adversary
5:23 am
Attack begins on [CUSTOMER] with attacker leveraging previously stolen [USER 01] credentials acquired via phishing email. Attacker pushes a Duo multi-factor authentication (MFA) request to [USER 01]. Not aware of the consequences, [USER 01] accepts the Duo MFA push from attacker.
The attacker uses the successful login to establish ActiveSync with [USER 01]'s mailbox.
The impact of email account takeover
Organizations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Business email compromise (BEC) is an unsettlingly common method of attack and can have a huge impact on your business.
12:58 p.m.
Source: Duo
5:23 am
The Arctic Wolf Aurora™ Platform logs MFA successful for [USER 01] with Duo as the source.
1:16 p.m.
Attacker Active
Attacker opens existing calendar event for “Best Practices Training” and updates with their own information.
Attacker begins adding forward and delete rules to [USER 01] inbox.

1:16 p.m.
Active: Office 365 Logs
1:18 p.m. | Following Investigation
Investigation Begins

The Arctic Wolf Triage Team begins investigating [USER 01] activity.
1:22 p.m.
Ongoing Investigation
Attacker's Access

Attacker uploads phishing PDFs to OneDrive with intent to distribute emails to calendar invite attendees.
1:25 p.m.
Begin Escalation
Begin Post-Incident Zone
1:25 p.m.
Remediation
[CUSTOMER] confirms that [USER 01] has been compromised and disables the account.
The Arctic Wolf Concierge Security® Team works with the customer to check log data for any customer users accessing the phishing PDF. CST confirms remediation took place before any users accessed the PDF. CST assists the customer in remediating actions taken by the adversary.
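The forward and delete inbox rules the attacker added at 1:16 p.m. are a pattern that can be hunted for in mailbox audit data. The following is an added example, not Arctic Wolf's detection logic: it assumes audit records exported one JSON object per line in a simplified Office 365 audit shape, and the sample records, addresses, dates and the 10-minute window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample records (assumed, simplified audit shape; not from the incident).
SAMPLE_LOG = """
{"CreationTime": "2024-01-01T13:16:05", "UserId": "user01@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "drop@example.net"}]}
{"CreationTime": "2024-01-01T13:17:10", "UserId": "user01@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-01-01T13:20:00", "UserId": "user02@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-01-01T09:00:00", "UserId": "user03@example.com", "Operation": "Set-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "me@example.org"}]}
{"CreationTime": "2024-01-01T15:00:00", "UserId": "user03@example.com", "Operation": "New-InboxRule", "Parameters": [{"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-01-01T13:18:00", "UserId": "user01@example.com", "Operation": "MailItemsAccessed"}
"""

def rule_actions(record):
    """Return the risky actions ('forward', 'delete') that one rule record sets."""
    actions = set()
    for param in record.get("Parameters", []):
        name, value = param.get("Name"), str(param.get("Value", ""))
        if name in FORWARD_PARAMS and value:
            actions.add("forward")
        elif name == "DeleteMessage" and value.lower() == "true":
            actions.add("delete")
    return actions

def detect(lines, window=timedelta(minutes=10)):
    """Flag users who add both a forwarding and a deleting rule within `window`."""
    seen = {}  # user -> list of (timestamp, action)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        ts = datetime.fromisoformat(rec["CreationTime"])
        for action in rule_actions(rec):
            seen.setdefault(rec["UserId"], []).append((ts, action))
    alerts = []
    for user, events in seen.items():
        fwd = [t for t, a in events if a == "forward"]
        dele = [t for t, a in events if a == "delete"]
        if any(abs(f - d) <= window for f in fwd for d in dele):
            alerts.append(user)
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Only the user who pairs both rule types inside the window is flagged; a lone delete rule or a forward and delete rule hours apart is left for lower-priority review.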
Next, the security journey continues with our Concierge Security Team
The Arctic Wolf Concierge Security Team provides your team with coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Real-World Examples
BEC Fraud Comes In Many Forms
In the example above, credentials were stolen via phishing email. Do you think you or your company’s employees could spot the various types of email compromise methods that have been used in different attacks?

Account Compromise

Data Theft
An attacker targets HR and finance employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged to enable future cyber attacks.
In rarer instances, an attacker masquerading as a customer or vendor may ask a recipient (e.g., in a legal or technical role) to send intellectual property or other sensitive or proprietary information.

CEO/Executive Fraud
An attacker masquerading as the CEO or other senior executive within an organization emails an individual with the authority to transfer funds, requesting a transfer to an account controlled by the attacker.

Attorney Impersonation

Product Theft

False-Invoice Scheme
The losses incurred from business email compromise attacks have increased 58% between 2020 and 2023.
In the new normal of hybrid work environments, account takeover risk is more serious than ever.