Microsoft Reveals BEC Scope, Scale, Variety

5–22–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, May 22nd, and I hope that everyone has a good week heading into the long Memorial Day weekend (it's already Victoria Day for my Canadian friends). The unofficial start of summer is just around the corner.

Microsoft Reveals BEC Scope, Scale, Variety

This week's One Big Thing is a new report from Microsoft's Digital Crimes Unit that lays out the scope and scale of the Business Email Compromise activity they are seeing, and defending against, inside their M365 / Outlook Online environments.

As a reminder, Business Email Compromise is a form of social engineering in which the attacker uses spoofed or compromised email accounts to impersonate a trusted party (an executive, a vendor, a colleague) and trick the target into handing over money, data, or access.

Let’s run down the numbers, briefly:

  • 35M BEC attempts annually (in Microsoft's environments alone; there are no doubt more once you count Google Workspace and other email providers)

  • 156K attempts per day, on average

  • 417,678 phishing URL takedowns, i.e. domains that were being used to stage these attacks

  • $2.7B in losses last year (which only counts reported attacks; there were certainly more that went unreported)

What really stands out here is the sheer volume. These attacks range from fully automated to highly targeted, but the attacker only has to be right once, so it pays them to drive volume and to automate.

Toolkits and "-as-a-Service" offerings are helping them scale their reach, and their delivery methods help them stay under defenders' radar and succeed more often. One example is sourcing residential IP addresses physically near the target to defeat "impossible travel" detection: the check that fires when a user signs in from one location and then, a short time later, a sign-in for the same account arrives from somewhere too far away to have reached in that window (the user's own city, then Russia an hour later). A login from a home broadband address a few miles from the victim looks like ordinary movement and passes that check.
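To make the detection concrete, here is an impossible-travel check in Python run over a handful of constructed sign-in records. This is an added illustration written for this post, not code from Microsoft's report or any product; the record format, the coordinates and IP addresses (RFC 5737 documentation ranges), the 900 km/h threshold, and the secondary "new IP for this user" check are all assumptions. The second user in the sample shows the evasion described above: the attacker's sign-in comes from a residential address about 40 km away, so the speed rule stays silent and only the per-user IP baseline notices it.

```python
"""Impossible-travel check over constructed sign-in records (added example).

Flags a user whose consecutive sign-ins imply a travel speed no traveller
could reach, and shows why a sign-in proxied through a residential IP near
the victim is not caught by that rule alone.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 25.0      # ignore geolocation jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str


# Constructed sample log, format: user,iso_timestamp,lat,lon,source_ip
# alice: Seattle, then Moscow 40 minutes later (classic impossible travel).
# bob:   Seattle, then a residential IP in Tacoma 20 minutes later (evasion).
SAMPLE_LOG = """\
alice,2023-05-22T09:00:00+00:00,47.6062,-122.3321,203.0.113.10
alice,2023-05-22T09:40:00+00:00,55.7558,37.6173,198.51.100.7
bob,2023-05-22T09:10:00+00:00,47.6062,-122.3321,203.0.113.20
bob,2023-05-22T09:30:00+00:00,47.2529,-122.4443,192.0.2.55
"""

# Assumed per-user baseline of IPs seen before today.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}


def parse_sign_in(line: str) -> SignIn:
    """Parse one line of the constructed CSV format above."""
    user, ts, lat, lon, ip = (f.strip() for f in line.split(","))
    return SignIn(user, datetime.fromisoformat(ts), float(lat), float(lon), ip)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (previous, current, implied_kmh) for every consecutive pair of
    sign-ins by the same user whose implied speed exceeds max_kmh."""
    flagged = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last_by_user.get(ev.user)
        last_by_user[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < MIN_DISTANCE_KM:
            continue
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        # Same timestamp but a real distance apart: treat as infinite speed.
        kmh = float("inf") if hours <= 0 else km / hours
        if kmh > max_kmh:
            flagged.append((prev, ev, kmh))
    return flagged


def first_seen_ips(events, known_ips):
    """Complementary signal (assumed, not from the report): sign-ins from an
    IP this user has never used before, regardless of where it geolocates."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    new = []
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        user_ips = seen.setdefault(ev.user, set())
        if ev.ip not in user_ips:
            new.append(ev)
            user_ips.add(ev.ip)
    return new


if __name__ == "__main__":
    events = [parse_sign_in(line) for line in SAMPLE_LOG.splitlines()]
    for prev, cur, kmh in impossible_travel(events):
        print(f"IMPOSSIBLE TRAVEL {cur.user}: {prev.ip} -> {cur.ip} "
              f"implies {kmh:,.0f} km/h")
    for ev in first_seen_ips(events, KNOWN_IPS):
        print(f"NEW IP FOR USER {ev.user}: {ev.ip} at {ev.ts.isoformat()}")
```

Run stand-alone it reports alice's Moscow sign-in as impossible travel, while bob's Tacoma sign-in only surfaces through the new-IP baseline. The takeaway for defenders is that the speed rule is one signal among several, and that a sign-in which passes it should still be weighed against device, IP and behavioural history.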

The variety of phishing lures used in BEC is also growing, and now includes not just credential harvesting but payroll diversion, fake invoices, gift card requests, and requests for targeted business information.

Companies of all sizes are targeted and impacted by these attacks. Industrial control system cybersecurity specialist Dragos detailed its own incident this past week: attackers compromised a new employee's email during the onboarding flow and used that access to reach company-confidential information. The attackers then attempted to extort Dragos, and failed.

So how should we defend against this? There are technical controls you should employ within your mail and network environments (and Microsoft obviously offers many of these in its M365 service, which is part of the reason it is publishing this report), but there are also non-technical controls that I think are worth talking about.

Two in particular:

  1. Company-Wide Security Culture. At the end of the day, BEC is a social engineering attack, meaning it exploits the human in the loop more than the technology itself. By building a company-wide security culture that focuses on awareness of these issues, supports employees who raise questions or concerns (even through the inevitable false positives), and demonstrates that everyone at the firm, from the bottom to the top, has a role to play, you put yourself in the best possible position to identify these issues early, before it's too late.

  2. Processes (And The Willingness To Enforce Them). Building on item 1, processes that require additional validation before a wire transfer is sent or a payment account / routing number is changed (for example, a callback to a phone number already on file, never one supplied in the email, and a second approver for any change to bank details) should be well defined and in place for everyone with that capability. Just as importantly, these folks need to know that they will not be reprimanded for slowing things down when they follow the process. Threat actors routinely apply high-pressure tactics, impersonating the CEO and telling the target that nobody else can know about the transfer. By demonstrating consistently, and over time, that these processes are in place for a reason, and that you not only expect employees to follow them but will always back them when they do, you can prevent a significant number of these attacks at exactly the moment employees feel pressured to act.

This is a threat that you can largely defend against at little to no hard-dollar cost, and something we should all be mindful of as we continue to grow our businesses.

Fundraising

Relatively light week of fundraising, with just over $5B in newly committed capital. I will note that there was good variety among the funds announced this week, in size, focus, and geography. More funds were announced this week than in the last three weeks, which gives us an uptick in cadence, even if it's not an uptick in overall commitments.

What does this mean for the market at large? I suspect it's mostly a play to nail the niche, whether that's a particular industry or vertical, a stage of company, or even a type of founder, including SoftBank's Opportunity Growth Fund, which announced $150M to invest in Black- and Latino-led startups.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW14o4H

https://www.securityweek.com/dragos-says-ransomware-hackers-failed-at-elaborate-extortion-scheme/
