A tale of Business Email Compromise

BEC attacks

A little digression for those who have never heard of Business Email Compromise attacks.

Chapter 1, where we are asked to conduct an investigation

We were approached by companies who had lost out on some payments for their goods and services due to invoice fraud. (We will refer to these companies as victims.)

  • How were the attackers able to jump into an email conversation they had not been a part of at an arbitrary point in time?
  • Why were they able to see the whole message history?
  • Was it the work of an insider or was it an external adversary?

Chapter 2, where we test our initial assumptions

We examined several email threads which had been compromised and saw that as soon as payment transfers came up in dialogue, a third party would get involved. No one took notice because the emails were coming from domains which resembled familiar company names, but were in fact phishing. Our team managed to spot this suspicious activity, but that was the whole purpose of us going through the records. However, your average company employee would not raise any suspicion if they see airbuus.com instead of the conventional airbus.com in the middle of a thread, especially if they see the entire message history tailing below.

Chapter 3, where we assess the scale of the campaign

We got curious about the Mailhostbox + MonoVM hosting combination and decided to look for other domains that could be used in the campaign. For this purpose, we used the internal databases, which include all the domains from www.icann.org, and sampled the domains with the necessary MX, NS and TXT records.

  • the-boeings[.]com
  • airbuus[.]com
  • airbuxs[.]com
  • bmw-my[.]com
  • uksamsung[.]com
  • a-adidas[.]com
  • giorgioarmani-hk[.]com

Chapter 4, where we map out what happened

Using the email field from the SOA record as an indicator for a particular campaign, we compiled a list of domains registered by the attackers for each of the victims who reached out to us.

  • Some were already familiar, we had come across them in the victims’ correspondence with their partners.
  • Others were new and seemed to bear no resemblance to the domains of the victims or the partners. In the context of a BEC attack, we assumed that these domains had been used to compromise the emails. This was confirmed when we found that some of these addresses had been used to deliver phishing emails to the victims.

Chapter 5, where we detail the geography of the campaign

We extracted user email addresses from all the links we found and matched them with company names.

Chapter 6, where we answer any remaining questions

When we received the first account spoofing reports, we wondered how the attackers managed to enter the dialogue at exactly the right moment and retain the entire correspondence. Having established the infiltration vector, we successfully solved these mysteries.

  1. The attackers read the victim’s correspondence with their customers and partners.
  2. After noticing that the conversation was slowly getting to payment issues, the cybercriminals forwarded the required message with the entire story to Phishing address 1 (P1), which is similar to the victim’s address.
  3. From P1, the criminals would write to the victim’s partner.
  4. The partner would reply to P1.
  5. The attackers would then set in motion Phishing address 2 (P2), now similar to the partner’s address. An email that the partner sent to P1 was forwarded to the victim using P2.
  6. The victim simply responded to P2.


BEC attacks are insidious. The only way to protect yourself from the attack described in our article is to ensure that the phishing campaign does not succeed. This is where email spam filters and employee trainings come in handy. There are two other practices which could be very effective for large companies: to register domains that look like the official one so that they do not get registered by the criminals sooner; and to monitor the appearance of domains that look like the official one so that illegitimate ones can be blocked via registrars and hosting providers.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age