The Business Email Compromise (BEC) M365 Exchange Online Reality Check
Business email compromise (BEC), defined as the form of using fraudulent email to attack a specific organization, is more prevalent than ever. It happens when an external threat is emailed to business users on the chance that it won’t be blocked and the user will act upon the malicious intent inadvertently. According to the FBI, since 2016 BEC has been a $26 billion dollar scam. While the data is still being collected; since the COVID-19 pandemic began, it’s believed that the incidents are more numerous than ever — making BEC prevention more complex than ever.
I recently had the opportunity to discuss this topic at the virtual Modern Workspace Conference — and more specifically — around how organizations that use M365 Exchange Online can ensure the correct settings are in place to protect their enterprise. Let’s uncover some of the ways that you can protect your enterprise from BEC, discover what you should be thinking about as it relates to implementing advanced detection options, and close things out with mailbox data protection.
Defining What This Can Look Like
The unfortunate reality is that email creates a huge opportunity for BEC attacks platform. We all receive business and personal emails day in and day out. Not only does this create an opportunity for attack on our business users, there are many different forms of attack to look out for as the landscape has changed. Attacks that were once single-stage phishing for email information that could lead to financial gain for the scammer now have become more sophisticated by combining existing techniques with credential phishing, external forwarding rules, and account compromise for example.
What are some attack examples? One attack form is spoofing attacks. In this case an attacker — by way of email message — may create an exact spoof of a user known to the email recipient. The email may look like it came from your co-worker Sally, but it really came from a cybercriminal.
Another form of attack to defend yourself against is impersonation; where the attacker sends an email from an account mimicking a known sender. These attacks can also include infected attachments or malware-infested web URLs.
Next, let’s talk about the many important features of M365 that should be reviewed and implemented to ensure that you are staying ahead of the constantly evolving business email risk.
Foundational Protection for Business Email Compromise
Protection from within M365 is important to review from both a foundation perspective and as a protective strategy. To ensure that you are taking advantage of the protection offered within the security center and within Exchange Online be sure to have the following enabled and configured to align with your business email needs:
Mail Flow rule(s) for SCL spam detection
These foundations are required to make sure your basic protection layer is intact.
Implementing Advanced Detection Options
Oftentimes implementing the foundational features is not enough — emails with bad intent still make it to our enterprise users. So I would also encourage you to take a look at some of the Defender for M365 options. For example, if you do not want to guess which foundational settings to implement for the best outcomes there are standard and strict pre-set security policies that can be enabled. Alternatively, if you manually set up what your enterprise needs to prevent BEC, the configuration analyzer will call out certain settings that you should review and adjust. The options you choose here really depend on how much control you want over your settings, and the level of attack prevention your enterprise needs.
Mailbox Data Protection
Exchange Online doesn’t come with a true backup and recovery option. You are likely familiar with the many policies and settings that you use to retain email in Exchange Online, but recovery of that information doesn’t maintain any level of recovery SLA. Also many of these policies better align with compliance and e-discovery than the ability to recover from the unexpected. If your enterprise has expectations of a recovery SLA for your email, and a preferred format of recovery from the unexpected, then to align with business needs you will need a data protection solution to ensure recoverability.
Business email compromise is a real risk, and must be taken seriously. Not only do you need the settings mentioned above, but you will need to revisit your settings often to stay ahead of the attacks coming in routinely to your enterprise users. As for backups and recovery, be prepared for the unexpected to meet your business SLAs for recovery in any situation.