
Phase 2 of the attack – the threat actor has taken over the conversation | Image: Trend Micro
A recent investigation by Trend Micro has uncovered a highly sophisticated Business Email Compromise (BEC) attack targeting business-to-business (B2B) transactions. Unlike traditional BEC scams that rely on simple phishing emails, this intricate fraud scheme involved multiple business partners, a compromised email server, and the exploitation of trusted relationships between organizations.
BEC scams have evolved beyond sending fraudulent invoices. According to Trend Micro: “A recent investigation examined not a typical BEC scenario where a threat actor simply sends a fraudulent email in the hopes of tricking a victim. Instead, this B2B BEC scheme involved abusing the implicit trust between relationships amongst business partners, patiently weaved by the threat actor within days.”
The attack involved three business partners (Partner A, Partner B, and Partner C) exchanging invoices via email. The threat actor gained access to a third-party email server, giving them complete visibility into ongoing transactions. They manipulated email conversations over multiple days, subtly replacing recipients with attacker-controlled email accounts while keeping the conversation flow intact.
How the Attack Unfolded
Phase 1: Infiltrating the Conversation
- The attacker compromised an email server and monitored business email exchanges.
- A legitimate invoice reminder was sent by Partner A to Partner B, copying Partner C.
- The threat actor replied about 4.5 hours later, inserting fraudulent banking details while appearing as Partner A.
- The fraudulent email bypassed security checks because it was sent via a legitimate (but compromised) server.
Phase 2: Full Control Over the Transaction
- Over the next five days, the attacker gradually swapped email recipients with their own controlled accounts.
- By the time Partner B processed the invoice, 5 out of 6 original recipients had been replaced.
- Partner B unknowingly transferred the funds into the attacker’s fraudulent account, believing they were following Partner A’s instructions.
According to Trend Micro: “The threat actor waited around 4.5 hours later to start positioning themselves into the email conversation… The recipient in Partner B, receiving the email later in the day, assumed that Partner A discovered a problem with their initial bank.”
This multi-layered attack exploited the trust between business partners. The attacker used email manipulation techniques, including:
- Changing Reply-To addresses to redirect communications.
- Mimicking writing styles, including signatures and greetings.
- Compromising a third-party email server with weak security settings.
- Passing Sender Policy Framework (SPF) checks, since the messages left a legitimate (but compromised) server, so they appeared authenticated to the receiving mail system.
“The threat actor utilizes the Trusted Relationship between all parties (T1199) and is heavily reliant on this to be pre-existing throughout the entire B2B BEC incident.”
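The recipient swapping and Reply-To manipulation described in the two phases and the technique list above can be checked mechanically at the receiving mail gateway, by comparing a later reply against the first message of the same thread rather than judging each message on its own. The following Python is an added example, not Trend Micro's code or anything from the investigation. The two messages, the partner domains, the attacker's lookalike domains and the relay hostname are constructed for illustration, as is the assumption that the compromised relay is an authorised sender in Partner A's SPF record, so SPF and DMARC both pass on the fraudulent reply.

```python
"""Thread-aware checks for the BEC recipient-swap pattern described above.

Added example, not Trend Micro's tooling. Both messages are constructed:
Partner A's legitimate reminder, then the attacker's reply in the same thread.
Assumption (invented for the example): the compromised third-party relay is an
authorised sender for partner-a.example, so SPF and DMARC pass on the fraud.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed: Partner A's original invoice reminder to Partner B, copying Partner C.
ORIGINAL = """\
From: Partner A Accounts <accounts@partner-a.example>
To: ap@partner-b.example, finance@partner-b.example
Cc: billing@partner-c.example, cfo@partner-c.example, pm@partner-a.example, legal@partner-a.example
Message-ID: <inv-1001@mail.partner-a.example>
Authentication-Results: mx.partner-b.example; spf=pass smtp.mailfrom=partner-a.example; dkim=pass header.d=partner-a.example; dmarc=pass header.from=partner-a.example
Subject: Invoice 1001 - payment reminder

Please settle invoice 1001 to the account shown on the invoice.
"""

# Constructed: the attacker's reply via the compromised relay. From still shows
# Partner A, but Reply-To and five of the six original recipients now sit on
# attacker-controlled lookalike domains; only the paying clerk is kept.
ATTACKER_REPLY = """\
From: Partner A Accounts <accounts@partner-a.example>
Reply-To: Partner A Accounts <accounts@partner-a-invoices.example>
To: ap@partner-b.example, finance@partner-b-accounts.example
Cc: billing@partner-c-billing.example, cfo@partner-c-billing.example, pm@partner-a-invoices.example, legal@partner-a-invoices.example
In-Reply-To: <inv-1001@mail.partner-a.example>
Message-ID: <4f2a@relay.thirdparty-hosting.example>
Authentication-Results: mx.partner-b.example; spf=pass smtp.mailfrom=partner-a.example; dkim=none; dmarc=pass header.from=partner-a.example
Subject: RE: Invoice 1001 - payment reminder

We had a problem with our previous bank. Please use the new account details below.
"""


def _addrs(msg, *headers):
    """Lower-cased addresses from the named headers, display names dropped."""
    raw = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if "@" in addr]


def _domain(addr):
    return addr.rsplit("@", 1)[1]


def auth_results(msg):
    """Method -> result from the receiving MX's Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr))


def analyse_reply(original_raw, reply_raw, displacement_threshold=0.5):
    """Compare a reply with the first message of its thread.

    Reports how many original recipients were silently replaced, which new
    addresses sit on domains never seen in the thread, whether Reply-To
    diverges from From, and what SPF/DKIM/DMARC said (to show that a pass
    alone proves nothing when the sending server itself is compromised).
    """
    original = message_from_string(original_raw)
    reply = message_from_string(reply_raw)

    trusted_domains = {_domain(a) for a in _addrs(original, "From", "To", "Cc")}
    original_rcpts = set(_addrs(original, "To", "Cc"))
    reply_rcpts = set(_addrs(reply, "To", "Cc"))

    displaced = original_rcpts - reply_rcpts                      # dropped from the thread
    newcomers = sorted(a for a in reply_rcpts if _domain(a) not in trusted_domains)

    from_addr = _addrs(reply, "From")[0]
    reply_to = _addrs(reply, "Reply-To")
    reply_to_mismatch = bool(reply_to) and _domain(reply_to[0]) != _domain(from_addr)

    flags = []
    if reply_to_mismatch:
        flags.append("reply-to-domain-differs-from-from")
    if _domain(from_addr) not in trusted_domains:
        flags.append("from-domain-new-to-thread")
    if original_rcpts and len(displaced) / len(original_rcpts) >= displacement_threshold:
        flags.append("majority-of-recipients-replaced")
    if newcomers:
        flags.append("recipients-on-unseen-domains")

    auth = auth_results(reply)
    return {
        "auth": auth,
        "dmarc_pass": auth.get("dmarc") == "pass",
        "original_recipient_count": len(original_rcpts),
        "displaced_recipient_count": len(displaced),
        "newcomers": newcomers,
        "reply_to": reply_to[0] if reply_to else None,
        "flags": flags,
        "verdict": "hold-payment-and-verify-out-of-band" if flags else "no-thread-anomaly",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_reply(ORIGINAL, ATTACKER_REPLY), indent=2))
```

On the constructed reply the authentication results all pass or are neutral, exactly the situation the article describes, while the thread comparison still surfaces the 5-of-6 recipient swap and the diverging Reply-To. The thread baseline is the first message only; in a real deployment the trusted participant set would be accumulated from every message the gateway has already delivered in that thread, and a reply from a compromised Partner A mailbox with unchanged recipients would still need the out-of-band payment verification discussed below.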
While BEC attacks cannot be entirely eliminated, companies can take steps to reduce their risk:
- Implement DMARC, SPF, and DKIM email security protocols – These measures help detect and block emails that spoof your own domains. They do not catch mail sent from a legitimate server the attacker has compromised, or from a lookalike domain the attacker owns and has configured correctly, which is why the fraudulent emails in this case passed.
- Digitally sign emails – Ensures that senders and recipients can verify the authenticity of emails.
- Enable Multi-Factor Authentication (MFA) – Reduces the risk of account takeovers (ATO).
- Monitor for unusual email activity – Look for unprompted forwarding rules, suspicious logins, and unauthorized email address changes.
- Establish validation protocols for financial transactions – Require secondary verification of any new or changed payment details through an out-of-band channel, such as a phone call to a number already on file (never one taken from the email itself) or a previously established secure messaging channel.
Organizations must go beyond basic phishing awareness and implement stronger email security measures, transaction validation protocols, and continuous monitoring to detect these threats before financial damage occurs.