Analyzing message metadata to protect against BEC attacks

Can analyzing message metadata help to protect organizations from becoming the victim of a successful BEC attack?

Business Email Compromise (BEC) is an umbrella term spanning many forms of social engineering email attack that typically share one characteristic: there is no obvious “payload”, i.e., no suspicious URL and no malware-laden attachment. Instead, they rely on trickery and impersonation to succeed.

BEC attacks can be carefully crafted to evade traditional security defenses, including Secure Email Gateways (SEGs) and Microsoft Office 365’s native security controls. While they represent a small share of the phishing problem by volume, they account for a disproportionately large share of the damage by cost. This year the Federal Bureau of Investigation (FBI) put the global cost of BEC attacks to business over the preceding five years or so at an eye-watering 43 billion dollars.

Stop BEC attacks in the inbox

In our last blog, we looked at how a modern email security solution can help to combat BEC attacks by working in the inbox and using a combination of advanced analytics, Artificial Intelligence (AI)/Machine Learning (ML), and Natural Language Processing (NLP) techniques. Why in the inbox? Because vigilance in the inbox is the most effective way to combat evasive threats like BEC attacks that have already evaded detection at the boundary and/or by Microsoft security controls.
In this post, we will zoom in on one of those techniques and look at some of the quickest and simplest mechanisms for identifying a possible BEC attack: indicators and anomalies in message metadata.

Check metadata for indicators of a BEC attack 

Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps to protect email senders and recipients from spam, spoofing, and phishing. Working in the inbox, an effective email security solution will use the results of the DMARC policy checks that Microsoft Office 365 performs on arrival and records in the message header (the Authentication-Results header). A DMARC failure on a message whose FROM domain is the organization’s own is a strong indicator that the sender was spoofed. Bear in mind, though, that a clean DMARC pass does not clear a message: an attacker who sends from a look-alike or free-mail domain they control will pass DMARC for that domain, which is why the checks below matter just as much.
Another important check is for mismatches in the message metadata. Messages where the display name looks like an internal user but the FROM address is external, or where the FROM address is internal but the REPLY-TO address is external, are good indicators that all is not well.
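The following is an added example, not Cyren’s code, showing how the header checks described above can be expressed over a raw message: it reads the DMARC verdict out of the Authentication-Results header, compares the display name against a small directory of internal users, and compares the FROM and REPLY-TO domains against the tenant’s own domains. The tenant domains, the directory and the three sample messages are all constructed for the example; it uses only the Python standard library.

```python
"""Added example: header-level BEC indicators (DMARC verdict, display name
vs From, From vs Reply-To). Standard library only; runs offline on the
constructed samples embedded below."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant data: the organisation's own domains and a small directory
# of employees whose names an impersonator is likely to borrow.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_PEOPLE = {"jane doe": "jane.doe@example.com",
                   "bob smith": "bob.smith@example.com"}


def domain_of(address):
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def dmarc_verdict(auth_results):
    """Pull the dmarc= result out of an Authentication-Results header."""
    m = re.search(r"\bdmarc=(\w+)", auth_results or "", re.IGNORECASE)
    return m.group(1).lower() if m else "missing"


def normalize_name(display_name):
    """'Jane Doe (CEO)' -> 'doe jane': drop parentheticals and punctuation,
    lower-case, and sort tokens so 'Doe, Jane' matches 'Jane Doe'."""
    name = re.sub(r"\(.*?\)", " ", display_name)
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(sorted(tokens))


def analyze(raw_message):
    """Return the extracted identities plus a list of indicator tags."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_to)
    verdict = dmarc_verdict(msg.get("Authentication-Results", ""))
    indicators = []

    # 1. DMARC failed for one of our own From domains: a classic spoof.
    if verdict == "fail" and from_domain in INTERNAL_DOMAINS:
        indicators.append("dmarc_fail_on_internal_from")

    # 2. Display name is one of our people but the address is external.
    #    DMARC is usually 'pass' here because the attacker owns that domain.
    known = {normalize_name(n) for n in INTERNAL_PEOPLE}
    if from_domain not in INTERNAL_DOMAINS and normalize_name(display_name) in known:
        indicators.append("display_name_internal_from_external")

    # 3. Display name smuggles an internal-looking address in front of the
    #    real one, e.g. "jane.doe@example.com" <someone@evil-mail.test>.
    if domain_of(display_name) in INTERNAL_DOMAINS and from_domain not in INTERNAL_DOMAINS:
        indicators.append("address_in_display_name")

    # 4. From is internal but any reply would go to an external mailbox.
    if from_domain in INTERNAL_DOMAINS and reply_domain and reply_domain not in INTERNAL_DOMAINS:
        indicators.append("reply_to_external")

    return {"display_name": display_name, "from": from_addr, "reply_to": reply_to,
            "dmarc": verdict, "indicators": indicators}


# Constructed sample 1: display-name impersonation from an attacker-owned
# domain. Note the clean DMARC pass: the attacker controls evil-mail.test.
SAMPLE_IMPERSONATION = """\
Authentication-Results: spf=pass smtp.mailfrom=evil-mail.test; dkim=pass header.d=evil-mail.test; dmarc=pass action=none header.from=evil-mail.test
From: "Jane Doe (CEO)" <jane.doe.ceo@evil-mail.test>
To: bob.smith@example.com
Subject: Quick favour - are you at your desk?
Message-ID: <1@evil-mail.test>

Bob, I need a wire sent today. Reply here and I will send the details.
"""

# Constructed sample 2: the From domain is spoofed as ours, DMARC failed,
# and Reply-To redirects the conversation to an external mailbox.
SAMPLE_SPOOF = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.private@webmail.test
To: bob.smith@example.com
Subject: Urgent payment
Message-ID: <2@webmail.test>

Please process the attached invoice before 3pm. Reply here to confirm.
"""

# Constructed sample 3: ordinary internal mail, nothing to flag.
SAMPLE_BENIGN = """\
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com
From: "Bob Smith" <bob.smith@example.com>
To: jane.doe@example.com
Subject: Board pack for Thursday
Message-ID: <3@example.com>

Draft attached for review.
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", SAMPLE_IMPERSONATION),
                       ("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)]:
        print(label, analyze(raw)["indicators"])
```

One caveat when doing this for real: only trust an Authentication-Results header that your own mail system stamped (RFC 8601 identifies the stamping system by its authserv-id), because an attacker can inject a header of that name into the message before it arrives. The sample headers above are constructed, not captured from Office 365.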

Crowd-sourced threat intelligence

The solution should also take advantage of crowd-sourced threat intelligence feeds to identify IP addresses and/or hostnames in message headers that might indicate a BEC attack. For example, Cyren’s GlobalView™ is a world-leading threat intelligence service protecting 1 billion users across 195 countries with 575,000+ collection points around the globe. Leveraging up-to-the-minute intelligence from feeds such as GlobalView and other threat intelligence sources is essential to the process of identifying indicators of an attack.

Stop BEC attacks

Good detection techniques are the backbone of an effective defense against BEC attacks, but on their own they’re not enough. Usually, an attack involves several key people in the organization receiving identical or similar messages over a short period of time. An effective modern email security solution, working in the inbox, needs to be able to identify all the malicious messages that share this “DNA” and remediate them all automatically, in a single action, so that good inbox hygiene is maintained.
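As an added example (not Cyren’s code) of the “shared DNA” idea, the block below takes one confirmed BEC message and sweeps a set of mailboxes for its siblings: messages with the same effective reply address (REPLY-TO if present, otherwise FROM) and the same subject stem, sent within a configurable window of the seed. The mailbox contents, addresses and dates are constructed for the example; it uses only the Python standard library.

```python
"""Added example: find every copy of a confirmed BEC message across
mailboxes so they can be remediated in one action."""
import re
from dataclasses import dataclass
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


@dataclass
class Hit:
    mailbox: str
    message_id: str
    subject: str


def normalize_subject(subject):
    """Strip reply/forward prefixes, digits and punctuation so small
    per-recipient variations ('Invoice 4412' vs 'Invoice 4418') collapse."""
    s = re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    s = re.sub(r"[^a-z ]", " ", s.lower())
    return " ".join(s.split())


def fingerprint(raw):
    """(effective reply address, subject stem, sent time) for one message.
    A Date header is required, as it is on any delivered message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    return ((reply_to or from_addr).lower(),
            normalize_subject(msg.get("Subject", "")),
            parsedate_to_datetime(msg["Date"]))


def find_campaign(seed_raw, mailboxes, window=timedelta(hours=6)):
    """Given one confirmed malicious message, return every message in
    `mailboxes` ({owner: [raw, ...]}) that shares its reply address and
    subject stem and was sent within `window` of it. The seed is included."""
    seed_addr, seed_subj, seed_time = fingerprint(seed_raw)
    hits = []
    for owner, messages in mailboxes.items():
        for raw in messages:
            addr, subj, sent = fingerprint(raw)
            if addr == seed_addr and subj == seed_subj and abs(sent - seed_time) <= window:
                msg = message_from_string(raw)
                hits.append(Hit(owner, msg.get("Message-ID", ""), msg.get("Subject", "")))
    return hits


def _constructed(owner, sender, subject, date, reply_to="", msg_id=""):
    """Build a minimal RFC 5322 message for the constructed mailbox dump."""
    headers = [f"From: {sender}", f"To: {owner}", f"Subject: {subject}", f"Date: {date}"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    headers.append(f"Message-ID: <{msg_id}>")
    return "\n".join(headers) + "\n\nPlease handle this today.\n"


# Constructed data: a spoofed-CEO campaign hitting finance over five minutes,
# one benign message with a similar subject, and one older message from the
# same actor that falls outside the default window.
CEO = '"Jane Doe" <jane.doe@example.com>'
DROP = "jane.doe.private@webmail.test"
MAILBOXES = {
    "cfo@example.com": [
        _constructed("cfo@example.com", CEO, "Urgent payment 4412",
                     "Tue, 10 May 2022 09:15:00 +0000", DROP, "c1@webmail.test"),
        _constructed("cfo@example.com", '"Bob Smith" <bob.smith@example.com>',
                     "Urgent payment 9001", "Tue, 10 May 2022 10:00:00 +0000", "", "b1@example.com"),
    ],
    "controller@example.com": [
        _constructed("controller@example.com", CEO, "RE: Urgent payment 4418",
                     "Tue, 10 May 2022 09:17:00 +0000", DROP, "c2@webmail.test"),
    ],
    "ap@example.com": [
        _constructed("ap@example.com", CEO, "Urgent payment 4420",
                     "Tue, 10 May 2022 09:20:00 +0000", DROP, "c3@webmail.test"),
        _constructed("ap@example.com", CEO, "Urgent payment 1",
                     "Sat, 7 May 2022 09:20:00 +0000", DROP, "old@webmail.test"),
    ],
}
SEED = MAILBOXES["cfo@example.com"][0]

if __name__ == "__main__":
    for hit in find_campaign(SEED, MAILBOXES):
        print(f"remove {hit.message_id} from {hit.mailbox}: {hit.subject}")
```

The window and the fingerprint fields are the tuning knobs: widening the window to a week pulls in the older message from the same actor, while adding the sending IP or a body hash to the fingerprint makes the match stricter.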

Detection nevertheless lies at the heart of combating BEC attacks, and while the mechanisms employed by defenses are normally hidden “under the hood”, understanding the processes at work gives an insight into how an effective email security technology helps protect customers. In the next blog in this series, we’ll look at another aspect of effective BEC detection: using Natural Language Processing (NLP) techniques to parse message content for key indicators.

About Cyren Inbox Security

Cyren Inbox Security (CIS) is a modern Integrated Cloud Email Security SaaS solution that augments native Microsoft and traditional secure email gateway defenses. CIS utilizes AI/ML/NLP capabilities with behavioral analytics, and up-to-the-minute cyber threat intelligence, to automatically protect against, and manage the remediation of email threats that have successfully evaded all other defenses to reach the user’s M365 inbox.