
MSSPs Critical to Curbing the Expanding BEC Threat


The sharp rise in business email compromise (BEC) and similar cyberattacks has many organizations scrambling to protect themselves. MSSPs are key to tracking and slowing down these persistent cyberattackers.

Todyl researchers have documented a sharp rise in BEC and similar cyberattacks and detailed a sprawling infrastructure of thousands of hosts in the United States and other countries operated by a threat group dubbed the Söze Syndicate.

The growing BEC numbers and Söze Syndicate case are reflections of the changes in the IT environment and among the bad actors that are fueling the expanding threat, according to David Langlands, chief security officer at Todyl, whose security platform is used by businesses and MSSPs.

He also explained the steps organizations must take to better protect themselves and the reasons MSSPs are key to tracking and slowing down the hackers.

“This year, we've seen a shift away from ransomware and targeting endpoints to targeting cloud environments, specifically email,” Langlands told MSSP Alert. “That's why we've noted there's been almost a 558% increase in account takeover attempts and business email compromise attacks that we see.”

Visibility is Key

Todyl caught onto the Söze Syndicate after seeing the surge in AiTM, account takeover, and BEC attacks and detecting a pattern of access attempts coming from a small hosting provider and targeting Microsoft 365 services. They kicked off a red team hunt that involved analyzing Microsoft 365 and Azure logs, correlating Microsoft 365 and Azure logs with their own behavioral analytics, and merging data from the hunt with previous findings.

The ability to collect and analyze such vast amounts of data is critical for uncovering and analyzing modern security threats, something companies like Todyl and larger MSSPs can do, Langlands said.

"It's really more about having that visibility,” he said. “Even at some of the larger organizations I've worked for, they might have had 10,000 or 100,000 endpoints they were protecting, but all part of one organization. It's better to have more organizations, more domains, more endpoints, and more discrete customers that you're protecting than it is necessarily more endpoints because that's where you start to see these patterns of email-based attacks.”

Todyl, with thousands of MSSP partners each serving up to hundreds or thousands of businesses, can draw on a vast amount of data to detect cyberthreat activities like those of the Söze Syndicate. However, even smaller MSSPs that don’t have hundreds of customers can partner with others to get that broader coverage, which is important because “you really do need a broad lens to pick up on these email threats and cloud-based threats,” he said.
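As an added illustration of the visibility point above (not Todyl's code or data), the script below runs a constructed set of Microsoft 365-style sign-in records through a single-tenant check and an MSSP-wide check; the tenant, user and network names are assumed, and the point is that the same source network looks like noise to each customer but stands out once records from many customers are pooled.

```python
# Added example (not Todyl's code): why cross-tenant visibility exposes
# hosting-provider-based account-takeover campaigns that single-tenant
# data hides. Log records and provider names below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    tenant: str   # customer organization (MSSP tenant), hypothetical
    user: str     # target account, hypothetical
    src_asn: str  # source network / hosting provider, hypothetical
    result: str   # "success" or "failure"


# Constructed sign-in attempts: each tenant sees only one or two failures
# from the hypothetical "SmallHost-VPS" network, which looks like noise.
SIGNINS = [
    SignIn("acme", "alice@acme.example", "SmallHost-VPS", "failure"),
    SignIn("acme", "bob@acme.example", "SmallHost-VPS", "failure"),
    SignIn("acme", "alice@acme.example", "CorpISP", "success"),
    SignIn("globex", "carol@globex.example", "SmallHost-VPS", "failure"),
    SignIn("globex", "carol@globex.example", "SmallHost-VPS", "success"),
    SignIn("initech", "dave@initech.example", "SmallHost-VPS", "failure"),
    SignIn("initech", "erin@initech.example", "HomeISP", "success"),
    SignIn("umbrella", "frank@umbrella.example", "SmallHost-VPS", "failure"),
]


def per_tenant_view(events, tenant, threshold=3):
    """What one organization alone would flag: sources with >= threshold attempts."""
    counts = defaultdict(int)
    for e in events:
        if e.tenant == tenant:
            counts[e.src_asn] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)


def cross_tenant_view(events, min_tenants=3):
    """What an MSSP sees: sources reaching accounts in many distinct customers."""
    tenants = defaultdict(set)
    users = defaultdict(set)
    for e in events:
        tenants[e.src_asn].add(e.tenant)
        users[e.src_asn].add(e.user)
    return {a: {"tenants": len(t), "users": len(users[a])}
            for a, t in tenants.items() if len(t) >= min_tenants}


if __name__ == "__main__":
    print("acme alone flags:", per_tenant_view(SIGNINS, "acme"))
    print("MSSP-wide flags:", cross_tenant_view(SIGNINS))
```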

A Growing Threat

Organizations shouldn’t expect a slowdown any time soon. As with any other cybercrime, the bottom line with BEC is that it’s lucrative, which bad actors won’t walk away from. “It's clearly paying off for them,” he said.

Other cybersecurity firms also see a growing BEC wave. Abnormal Security noted that the frequency of BEC attacks in 2023 doubled year-over-year, with monthly attacks per 1,000 mailboxes reaching 10.77. Barracuda Networks found that BEC attacks accounted for more than one in 10 social engineering attacks. In its 2023 Internet Crime Report, the FBI noted that BEC was the second costliest cybercrime, resulting in $2.9 billion in reported losses.

BEC is aimed at enticing victims to send money or share sensitive information. Bad actors use phishing or other means to gain initial access and then account takeover techniques to get control over a victim’s online account.

“Business email compromise ... gets into the social engineering aspect of it, where you're trying to trick the user or some other contact of the user into making a financial payment or taking some sort of action,” Langlands said. “Once you have access to somebody's email account, and you have all the other accounts in that particular company, you now have potentially all of their contacts, and you can just jump from company to company.”

A More Sophisticated Enemy

Threat groups running BEC campaigns have become more sophisticated. They’ve found ways around multifactor authentication (MFA) and other protections and are using AI-based tools that make crafting emails, texts, and other content faster, easier, and harder to detect. AI also makes it easier to sift through all of the data they’re looking at.

“You don't have to have a human, for example, read through all the emails,” Langlands said. “You can write a tool that looks through a massive amount of data and says, ‘Where should I look for payment information? Where should I look for anything? Who in this organization is responsible for accounting?’ … You can ask those types of questions in natural language, whereas before, they would have to write some code to actually put that all together.”

Attackers also have become less “noisy.” Where once it was easy to detect their presence because of the techniques they used, now they will hide in email accounts for months, biding their time before jumping into conversations and changing payment details on an invoice, lines in a spreadsheet, or an account number, he said.

In addition, bad actors have been helped by the enterprise shift away from on-premises email servers to cloud-based email platforms like Microsoft 365 or Google Workspace, which makes administration easier but puts everything in one place.

“If I have your Microsoft identity, if I can log in as you, I can pretty much do anything, not only on your email platforms but also on potentially a great deal of your SaaS platforms [and] your customer relationship management [systems],” he said.

A Look Behind the Curtain

Todyl researchers’ investigation into the Söze Syndicate, documented in a report released in September, gave them greater insight into how these gangs operate and how much money is involved. They uncovered massive infrastructure operating from thousands of hosts across myriad regional and local internet service providers (ISPs) in the United States and other countries. The Söze Syndicate had accelerated its efforts throughout the summer, at one point accounting for 65% of all the attempted BEC attacks Todyl saw.

It targeted small businesses and midmarket companies, using tactics to avoid detection and bypass MFA, along with advanced impersonation techniques, to compromise accounts. Its strategies ranged from AiTM to SharePoint phishing to installing rogue applications.

“It's paying off ... [if] they're willing to keep up an infrastructure and maintain an infrastructure of over 5,000 virtual systems here in the United States,” Langlands said. “That's not a trivial amount of money to keep that type of a platform up and running.”

Todyl researchers tracked down other similar operations, though they didn’t have the scale of the Söze Syndicate, he said.
