Business Email Compromise – Update

Business Email Compromise – Advisory

Business Email Compromise (BEC) attacks are increasingly prevalent. While there are several varieties of BEC attacks, the majority manifest themselves as follows:

A phishing email is sent to an intended target. The target is prompted to enter their credentials on a website, after which the attacker gains access to their mailbox. 

Typically, a forwarding rule is created to send emails to an external mailbox, RSS feed, or a different subfolder.

This flow of emails is monitored. When an invoice email is seen, the attacker may attempt to hijack the conversation. Precisely how this is done depends on the account they have compromised and whether the organisation is receiving a payment or needs to make a payment.  Often there will be a request to change payment details, resulting in money being paid into the attacker’s account. 


What can your organisation do to prevent a BEC attack?

  1. Have a good process for changing any payment details that does not involve emails, or information contained in an email.
  2. Enable Multi Factor Authentication (MFA) when using o365. Should credentials be compromised, the user will be prompted to supply their MFA at a time when they are not expecting this. The attacker will be denied access to the account unless permission is provided.

Recently, it was discovered that accessing a mailbox was possible in some instances, despite MFA being enabled. Following an investigation and subsequent testing, it was found that o365 mailboxes could be accessed using protocols other than the standard protocol used by your Outlook client.

This was the case when IMAP and POP3 protocols were being used to access o365 mailboxes.

When either of these protocols is used, only the standard UserID and password are required to access the mailbox. There is no prompting for MFA.

Whilst a UserID and password help limit attackers, accessing email through IMAP and POP3 circumvents the MFA that’s enabled on o365 accounts.

Whilst Microsoft does encourage tenants to disable legacy authentication methods and protocols when enabling MFA, it’s currently not the default. Many organisations still have these protocols available for use on all mailboxes.

So, in addition to switching on logging, enabling MFA and having good processes when dealing with payment changes, it is also preferable to switch off IMAP and POP3 on all user accounts in o365.(1)

However, before doing so, there are a few things you need to keep in mind:

  • You may have service accounts that access particular mailboxes using IMAP or POP3 as part of a business process. You may need to make an exception for these mailboxes.
  • Older Android phones may access o365 using IMAP or POP3.
  • Mail applications on iOS (excluding Apple Mail and Outlook) may use IMAP or POP3.
  • Integrations between different cloud services that use email may use one of these two protocols to access the mailbox.

In other words, take care when disabling IMAP or POP3. However, doing so will help protect your organisation from a BEC attack that uses this particular approach. 
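One way to carry this out with Exchange Online PowerShell, shown as an added example that is not part of the original advisory: it lists the mailboxes that still allow IMAP or POP3, sets aside an exception list for the service accounts described above, and previews the change before applying it. The exception addresses and the report file name are hypothetical placeholders.

```powershell
# Added example: audit, then disable IMAP/POP3 on Exchange Online mailboxes,
# skipping an explicit exception list.
# Requires the ExchangeOnlineManagement module and an active session
# (Connect-ExchangeOnline) with rights to run Get-/Set-CASMailbox.

# Assumption: hypothetical service mailboxes that still need IMAP or POP3.
$Exceptions = @(
    'svc-invoices@example.com',
    'svc-scanner@example.com'
)

# Keep this $true until the report has been reviewed; -WhatIf only previews.
$DryRun = $true

# 1. Find every mailbox where either protocol is still enabled.
$Exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }

# 2. Separate the documented exceptions from the mailboxes to change.
$Kept      = $Exposed | Where-Object { $Exceptions -contains    [string]$_.PrimarySmtpAddress }
$ToDisable = $Exposed | Where-Object { $Exceptions -notcontains [string]$_.PrimarySmtpAddress }

# 3. Write a report so mailbox owners can be contacted before the change.
$ToDisable |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled |
    Export-Csv -Path .\imap-pop-to-disable.csv -NoTypeInformation

Write-Host ("Exposed: {0}  To disable: {1}  Exceptions kept: {2}" -f `
    @($Exposed).Count, @($ToDisable).Count, @($Kept).Count)

# 4. Disable both protocols on every non-exception mailbox.
foreach ($mbx in $ToDisable) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress `
        -ImapEnabled $false -PopEnabled $false -WhatIf:$DryRun
}

# 5. New mailboxes inherit protocol settings from the CAS mailbox plans,
#    so switch the protocols off there too or the exposure returns.
Get-CASMailboxPlan |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false -WhatIf:$DryRun
```

Exception mailboxes remain reachable with only a UserID and password, so keep that list short and give those accounts long, unique passwords.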


(1) You can do this using the exchange portal under


Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.