Expel Report Surfaces High Percentage of BEC Attacks

A report from managed security operations center (SOC) provider Expel found a spike in business email compromise (BEC) attacks involving Microsoft Office 365 (O365) in the first quarter of 2022.

Well over half of the security incidents Expel tracked were BEC attempts against O365, and just under a quarter (24%) of Expel's customers experienced at least one such attempt; 8% were targeted more than three times. Only 2% of the BEC attempts bypassed multifactor authentication (MFA), and they did so by abusing OAuth applications. The report noted that in that case an IT team must remove the malicious OAuth application and its permission grants outright, because the access granted to the application is independent of the victim's credentials and survives a password reset.
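The remediation step the report describes, hunting for and revoking a consent grant, looks roughly like the following when done against Entra ID / Microsoft 365 with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Expel report or from the article; the victim account, the list of risky scopes, and the "unverified publisher from a foreign tenant" criterion used to decide what to remove are this example's assumptions and should be adapted to the tenant being investigated.

```powershell
# Added example, not from the Expel report or the article. Assumes the
# Microsoft.Graph PowerShell module is installed and the operator can consent to
# the scopes below. The victim UPN and the risky-scope list are hypothetical.
Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'User.ReadWrite.All'

# Delegated scopes that let an app read or send mail, or keep a refresh token
# alive once the phished interactive session is over. Tune to your baseline.
$RiskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
               'MailboxSettings.ReadWrite', 'EWS.AccessAsUser.All', 'offline_access'

# Hypothetical victim of a consent-phishing BEC attempt.
$Victim   = Get-MgUser -UserId 'finance.user@contoso.example'
$TenantId = (Get-MgContext).TenantId

# oauth2PermissionGrants with consentType 'Principal' are per-user consents;
# PrincipalId is the user, ClientId is the object id of the app's service principal.
$Grants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $Victim.Id }

foreach ($Grant in $Grants) {
    # Scope is a single space-separated string of delegated permissions.
    $Granted = $Grant.Scope -split ' ' | Where-Object { $_ }
    $Hits    = $Granted | Where-Object { $RiskyScopes -contains $_ }
    if (-not $Hits) { continue }

    $Sp = Get-MgServicePrincipal -ServicePrincipalId $Grant.ClientId
    [pscustomobject]@{
        App         = $Sp.DisplayName
        AppId       = $Sp.AppId
        Publisher   = $Sp.VerifiedPublisher.DisplayName
        OwnerTenant = $Sp.AppOwnerOrganizationId
        RiskyScopes = ($Hits -join ' ')
        GrantId     = $Grant.Id
    } | Format-List

    # Example heuristic for the classic consent-phishing shape: an app with no
    # verified publisher that is homed in another tenant. Remove the grant and the
    # service principal; deleting the service principal drops every grant to the
    # app across the tenant. A password reset alone would leave both in place.
    $Foreign = $Sp.AppOwnerOrganizationId -and ($Sp.AppOwnerOrganizationId -ne $TenantId)
    if (-not $Sp.VerifiedPublisher.DisplayName -and $Foreign) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Grant.Id
        Remove-MgServicePrincipal -ServicePrincipalId $Sp.Id
    }
}

# Invalidate refresh tokens already issued for the victim so any token the app
# (or the attacker's session) still holds cannot be redeemed.
Revoke-MgUserSignInSession -UserId $Victim.Id
```

Run the enumeration part first and review what it prints before letting the removal branch fire; a legitimate line-of-business app that simply lacks a verified publisher would match the same heuristic, so the criterion should be narrowed to the specific app identified in the incident rather than applied blindly.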

The report also found that the second most frequent category was opportunistic attempts to deploy pre-ransomware or commodity malware (22%). All of these incidents relied on a self-installation technique, meaning the victim launched the payload themselves, for example zipped JavaScript files, zipped executables and malicious macros in Microsoft Word documents and Excel spreadsheets.

Business application compromise (BAC) via Okta accounted for 6% of incidents. A total of 7% of those BAC attempts in Okta satisfied the MFA requirement by repeatedly sending Duo push notifications to the victim until they accepted, a technique commonly called MFA fatigue or push bombing.

Common misconfigurations and exposed long-term credentials accounted for 3% of cloud security incidents.

Finally, none of the incidents identified involved malware deployed to Chrome OS, and none of the BEC incidents identified involved accounts protected with Fast IDentity Online (FIDO) security keys.

Greg Notch, CISO for Expel, said that, in general, cybersecurity is evolving into an automation arms race that most organizations can’t keep pace with on their own. Cybercriminals are now operating as organized businesses that continually invest in adding capabilities, he added. As such, more organizations are relying on managed security services providers (MSSPs) to level the playing field, noted Notch.

In addition, many organizations also now recognize they need to embrace zero-trust approaches to IT that are easier to implement with the aid of an MSSP, said Notch.

It’s not clear how many more organizations are relying on MSSPs, but as the total cost of cybersecurity continues to rise, many organizations are clearly evaluating their options. There simply isn’t enough cybersecurity expertise available for every organization to hire its own staff. Many organizations today are relying on a range of managed security services to augment their internal IT staff.

In the meantime, organizations should expect both the volume and sophistication of attacks to increase. BEC attacks especially are becoming more difficult to detect because cybercriminals are now monitoring communication flow within organizations before launching an attack that closely mimics other official corporate emails. It’s become much more difficult for the average employee to detect these types of attacks, no matter how much training they may have been given. The best defense, as a result, is to reduce the volume of BEC attacks that land in an email inbox in the first place.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.