Advanced BEC Protection

This article describes how Advanced Business Email Compromise (Advanced BEC) works on Email Security Cloud Integrated, and is intended for Administrators.

Considerations

What is BEC?

Business Email Compromise, referred to as BEC, is a highly targeted form of spear phishing, where attackers aim to deceive employees into taking harmful actions. These actions often involve transferring money to the attacker, and the impact can be severe, costing businesses billions of dollars each year.

BEC attacks thrive on impersonation and social engineering, exploiting trusted relationships and using emotional manipulation to compel victims to act. These attacks can take many forms, from a CEO’s spoofed email requesting a wire transfer to a compromised vendor account requesting sensitive data.

BEC Attack Themes:

Financial Gain:

  • Change of employee payroll.
  • Requesting wire transfers.
  • Obtaining access to cryptocurrency wallets.
  • Sending fake invoices.
  • Requests for gift cards or vouchers.
  • Extortion.

Data Theft:

  • Theft of employee PII - requests for wage statements, tax statements, W-2 forms.
  • Theft of sensitive company data.

General Themes:

  • Request for help with a task.
  • Communication channel switch, e.g. request to reply via phone, WhatsApp, etc.

BEC Attack Techniques:

Psychological Manipulation in BEC:

  • Pressure: Creating urgency (e.g., deadlines), leveraging authority (e.g., VIP impersonation), or using fear (e.g., threats for extortion).
  • Trust: Impersonating trusted figures (internal like executives, finance, HR; external like vendors, suppliers) using spoofed or compromised accounts.
  • Thread Hijacking: Taking over existing conversations through compromised accounts or by fabricating continuity (e.g., adding "RE:" to subject lines).

In all these scenarios, the attackers’ goal is the same: to exploit relationships and manipulate victims into fulfilling harmful requests.

Mimecast's Advanced BEC Protection is designed to detect and prevent Business Email Compromise by identifying and acting against tactics like impersonation, urgency, and trust exploitation, ensuring your organization stays secure from financial loss and data theft.

Administrators can configure Advanced BEC settings within email policies. This can be done using the Phishing & Impersonation section on the Cloud Integrated platform. 


The default configuration is as follows:

  • Advanced BEC: Enabled
  • Monitor Mode: Disabled
  • Sensitivity: Moderate

The Monitor Mode toggle within the Advanced BEC settings allows administrators to trial Advanced BEC without the need to place their entire email policy in Monitor mode.

What to expect when Mimecast flags an email as a BEC attack

BEC emails can be accessed directly from the Mimecast Email Security Cloud Integrated dashboard by selecting the phishing widget as seen below:

Here you’ll see a list of phishing detections, but not all of them activate the specific threat engine used by Advanced BEC and not all of them may be categorized as BEC attacks. This is because phishing attacks vary in nature, and BEC attacks often involve threats aimed at extracting information from individuals.

Below is an example of one of these detections:

In this example, the email is flagged as Phishing, and the Detailed Analysis categorizes it as Business Email Compromise Scan (BEC) with a confidence level of Very High.

This indicates that the detection engine is highly confident that the email contains suspicious characteristics, suggesting a threat actor is attempting to extract information from the individual or manipulate them into taking actions that could compromise their business.

On the right-hand side of the screen, we can now review the extractions.

At the top right corner of this section, there is a toggle labeled Show Extractions. This is where natural language processing (NLP) identifies and extracts sensitive information, highlighting why we believe this email is a BEC attack.

First, we notice that the email is from a Gmail address, which is a personal rather than a business email.

As we scroll down, we can reveal the message body information. This is accessible due to the type of attack being reviewed. Keep in mind that the email body won't display by default; you need to select the Display Content option.

By selecting the Display Content option, additional information related to the extraction is revealed, showcasing the detected threat.

There is also an option to switch between Plain Text and HTML views. This is important because advanced threats can present different language in each view, depending on how the attacker configured these views before sending the email.

In this example, the attacker is asking the recipient to share their personal WhatsApp number. NLP detects this as a suspicious characteristic because the attacker is attempting to switch communication channels, which is highlighted here.

Different types of extractions will appear in the detections area of the platform, all indicating suspicious characteristics identified by Advanced BEC protection.
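The indicators walked through above (personal-mail sender, a fabricated "RE:" subject, a channel-switch request, and Plain Text and HTML views that say different things) can be checked by hand on a raw message when triaging a detection. The following is an added example, not Mimecast's detection engine or code from this article; the function names, the freemail list, the phrase list, the 0.6 similarity threshold and the missing-threading-header heuristic are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed sample list
CHANNEL_SWITCH = re.compile(r"\b(whatsapp|text me|mobile number)\b", re.I)  # assumed phrases

def visible_text(html):
    chunks, parser = [], HTMLParser()
    parser.handle_data = chunks.append  # collect text nodes only, drop markup
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(chunks).split()).lower()

def bec_indicators(raw):
    """Return heuristic indicator names found in one raw RFC 5322 message."""
    msg, found, body = message_from_string(raw), [], {}
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in FREEMAIL:
        found.append("freemail_sender")
    if re.match(r"\s*re:", msg.get("Subject", ""), re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        found.append("fabricated_reply")  # "RE:" but no threading headers
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and ctype not in body:
            data = part.get_payload(decode=True) or b""
            body[ctype] = data.decode(part.get_content_charset() or "utf-8", "replace")
    plain = " ".join(body.get("text/plain", "").split()).lower()
    html = visible_text(body.get("text/html", ""))
    if CHANNEL_SWITCH.search(plain + " " + html):
        found.append("channel_switch")
    if plain and html and SequenceMatcher(None, plain, html).ratio() < 0.6:
        found.append("plain_html_mismatch")  # the two views disagree
    return found

def build_sample(sender, subject, plain, html):  # constructed test data
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "finance@example.com", subject
    m.set_content(plain)
    m.add_alternative(html, subtype="html")
    return m.as_string()

SAMPLE = build_sample('"Jane Doe" <jane.doe.ceo@gmail.com>', "RE: Quick task",
                      "Quarterly newsletter attached for your records.",
                      "<p>I need a favor. Send me your personal WhatsApp number.</p>")
```

Each indicator on its own is weak evidence; a legitimate reply from a personal account will trip the first check, which is why the results are returned as a list to weigh together rather than as a verdict.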
