
Microsoft: Hackers’ use of BEC leads to spike in cyber attacks

The fourth edition of Cyber Signals, Microsoft’s cyberthreat intelligence brief spotlighting security trends, reported a 38% increase in Cybercrime-as-a-Service utilizing business email compromise (BEC) between 2019 and 2022.

Cybercriminals lure workers through BEC, knowing that the deluge of emails can be overwhelming and that recipients can become complacent.

Microsoft Threat Intelligence detected 35 million BEC attempts, an average of 156,000 attempts daily, between April 2022 and April 2023. These data are gathered from Microsoft’s 43 trillion daily security signals and 8,500 security experts.


“BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers alongside business executives and leaders, finance employees, human resource managers, and others with access to employee records,” Vasu Jakkal, corporate vice president, security, compliance, identity, and management at Microsoft, said in a statement. 


The technology company observed that BulletProftLink, a large-scale phishing-as-a-service operation, continues to launch industrial-scale malicious mail campaigns. It sells end-to-end services including templates, hosting, and automated services for BEC.

Microsoft noted that, despite the name BEC, threat actors expand their phishing attempts through phone calls, text messages, e-mails, or social media outreach.

“While threat actors have created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses for targeting C-Suite leaders, accounts payable leads and other specific roles, there are methods that enterprises can employ to pre-empt attacks and mitigate risk,” the company said.

Zero Trust

Microsoft encourages businesses to leverage AI-based cloud apps to boost their cyber defenses. These apps are also equipped with advanced phishing protection and suspicious forwarding detection.

“Crucially, businesses need to secure identities to prohibit lateral movement by controlling access to apps and data with Zero Trust and automated identity governance,” Microsoft said. 

Microsoft said businesses can shift from email invoices to a system specifically designed to authenticate payments, reducing fraudulent activity.

“Continuous employee education plays a vital role in equipping them to spot fraudulent and malicious e-mails, such as a mismatch in domain and email addresses, as well as understanding the potential risks and costs associated with successful BEC attacks,” Microsoft said.