A recent Business Email Compromise (BEC) investigation has uncovered a highly sophisticated attack that went beyond traditional email fraud. Instead of simply sending fraudulent emails in hopes of deceiving victims, cybercriminals strategically exploited the implicit trust between three business partners—Partner A, Partner B, and Partner C.
By infiltrating an email server, they gained full visibility into ongoing transactions and used this access to manipulate communications and divert funds into their own accounts.
The attack unfolded in two distinct phases. Initially, the threat actors gained control of a compromised third-party email server, which they used to send fraudulent messages.
Unlike typical phishing scams, this attack was highly calculated. The attackers carefully studied the writing styles of their targets, replicating common phrases, salutations, and email footers to make their messages appear authentic.
A key tactic in this attack was the gradual replacement of legitimate email recipients with addresses controlled by the attackers.
Over time, they subtly altered the email chain by replacing the intended recipients with fake accounts while keeping email headers intact. This tricked both Partner A and Partner B into believing they were corresponding with the right individuals when, in reality, their messages were being intercepted and manipulated.
The attackers also manipulated email authentication protocols to evade detection.
By misconfiguring the third-party email server, they ensured that fraudulent emails passed Sender Policy Framework (SPF) checks, making them appear legitimate. Additionally, they altered the “Reply-To” field while maintaining the sender’s name in the “From” field, making it difficult for recipients to detect the fraud.
A significant aspect of the attack was the patience and planning involved.
When the initial fraudulent email was rejected by Partner B’s system, the attackers waited 4.5 hours before resending it, ensuring that it blended seamlessly into the conversation. As a result, when Partner B received updated wiring instructions, they assumed it was a genuine request from Partner A and proceeded with the transfer.
The scam was only discovered when Partner A followed up for payment confirmation—12 days after the initial invoice reminder. By then, the funds had already been moved, making recovery nearly impossible. This case underscores the evolving complexity of BEC scams, highlighting the urgent need for stronger cybersecurity measures and awareness training to prevent such costly attacks.
