Using NLP techniques to protect against BEC attacks

How Natural Language Processing helps combat phishing and BEC attacks

by John Stevenson

Business Email Compromise (BEC) 

Business Email Compromise (BEC) covers a range of email attacks that typically share one core attribute: there is no obvious malicious payload in the message, such as a URL or file attachment that would initiate the attack when opened. In place of a payload, these attacks rely on social engineering to trick the recipient into acting on the attacker's behalf.

As a rough rule of thumb, the 80:20 rule applies to the relative proportions of what we might term conventional phishing (80%) and BEC emails (20%). The problem is that the 20% that is BEC is often the most damaging in terms of financial impact on the organization.

Smart techniques for stopping BEC

BEC attacks are designed to evade traditional security defenses including Secure Email Gateways (SEGs) and Microsoft Office 365’s native security controls, so additional “smart” techniques are needed to detect and remediate the attacks before they do any damage.

In our last blog, we looked at how a modern email security solution can help to combat BEC attacks by analyzing indicators and anomalies in message metadata. In this post, we'll go a step further and look at how Machine Learning (ML) and Natural Language Processing (NLP) are essential to an effective BEC defense.

Learning from the data lake

Natural language processing (NLP) is a subfield of linguistics, computer science, and artificial intelligence concerned with the interactions between computers and human language. Using NLP to process and analyze large amounts of natural language data enables defenders to spot many of the tell-tale indicators of a BEC attack. But first, you need large amounts of natural language data.

Cyren provides threat intelligence to some of the biggest technology platform providers in existence, helping to protect over 2 billion users, secure 25 billion transactions, and block 300 million threats per day. An important by-product of this threat intelligence is a colossal data lake of insights and information on the vocabulary and phraseology employed in malicious emails.

The language of compromise

Cyren’s NLP algorithms use this data lake to learn the indicators of a potential threat, parsing three areas of every message: the sender, the subject, and the message body itself. Here’s a quick guide to some of the tell-tale indicators in each area.

Some common “tells” in the way the sender is represented include the display name being rendered entirely in capital letters, and “CEO” or “Chief Executive Officer” appearing in the sender’s display name or address.

Subject lines that call for urgent action, include the victim’s name, or contain stray punctuation, unrelated characters, or strange capitalization are also good indicators that all is not well.

Email bodies that include discreet or secretive requests are a classic indicator of a BEC message, as are justifications for the request based on the sender being in a conference or a closed meeting and therefore in need of assistance. Other indicators include overly polite or synthetic text that does not read as though it was written by a native speaker, poor grammar, and erratic formatting. Signing off with a request to respond only via email is also a giveaway, since it steers the victim away from verifying the request by phone.
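To make the sender, subject and body “tells” above concrete, here is an added example (not Cyren’s code: Cyren’s models learn these indicators from the data lake, whereas this is a hand-written rule set) that parses a raw message, extracts one boolean feature per indicator, and sums weighted hits into a score. The regex vocabularies, weights, threshold and both sample messages are constructed for illustration.

```python
"""Rule-based approximation of the BEC "tells" (sender, subject, body).

Added illustration, not Cyren's code. Vocabularies, weights and the two
sample messages below are constructed so the example runs offline.
"""
import email
import email.utils
import re
from email import policy

# Illustrative vocabularies for each tell; a real system learns these.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|as soon as possible)\b", re.I)
EXEC_TITLE = re.compile(r"\b(ceo|chief executive officer|cfo|managing director)\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|discreet|keep this between us|do not (discuss|tell|share)|private matter)\b", re.I)
UNAVAILABLE = re.compile(
    r"\b(in a (conference|closed meeting|meeting)|tied up|cannot take calls|can'?t talk)\b", re.I)
EMAIL_ONLY = re.compile(r"\b(only (via|by|through|over) (this )?e-?mail|e-?mail only)\b", re.I)
POLITE_FORMULA = re.compile(r"\b(kindly|do the needful|revert back)\b", re.I)  # crude non-native proxy
ODD_CHARS = re.compile(r"[!?]{2,}|[#*~^|]|\s{3,}")  # repeated or unrelated characters

# Assumed weights: body-level social-engineering cues count more than cosmetics.
WEIGHTS = {
    "sender_name_all_caps": 1, "sender_exec_title": 2,
    "subject_urgency": 1, "subject_victim_name": 1,
    "subject_odd_chars": 1, "subject_shouting": 1,
    "body_secrecy": 2, "body_unavailable": 2,
    "body_email_only": 2, "body_polite_formula": 1,
}
THRESHOLD = 5  # assumed cut-off for "flag this message"


def _victim_first_name(msg):
    """First name from the To: display name, falling back to the local part."""
    name, addr = email.utils.parseaddr(str(msg.get("To", "")))
    return (name.split() or addr.split("@"))[0].lower()


def extract_features(raw):
    """Parse an RFC 822 message and evaluate every tell as a boolean."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    victim = _victim_first_name(msg)
    words = re.findall(r"[A-Za-z]+", subject)
    return {
        "sender_name_all_caps": name.isupper(),
        "sender_exec_title": bool(EXEC_TITLE.search(name) or EXEC_TITLE.search(addr)),
        "subject_urgency": bool(URGENCY.search(subject)),
        "subject_victim_name": bool(victim) and victim in subject.lower(),
        "subject_odd_chars": bool(ODD_CHARS.search(subject)),
        "subject_shouting": any(w.isupper() and len(w) >= 4 for w in words),
        "body_secrecy": bool(SECRECY.search(body)),
        "body_unavailable": bool(UNAVAILABLE.search(body)),
        "body_email_only": bool(EMAIL_ONLY.search(body)),
        "body_polite_formula": bool(POLITE_FORMULA.search(body)),
    }


def score(features):
    """Weighted sum of the tells that fired."""
    return sum(WEIGHTS[k] for k, hit in features.items() if hit)


def classify(raw):
    """Return (score, suspicious?, list of tells that fired) for a raw message."""
    feats = extract_features(raw)
    s = score(feats)
    return s, s >= THRESHOLD, [k for k, v in feats.items() if v]


# Constructed sample: a textbook CEO-impersonation request.
BEC_SAMPLE = """\
From: JOHN SMITH CEO <john.smith.ceo@gmail.com>
To: Alice Jones <alice.jones@example.com>
Subject: Alice - URGENT request!!!
Date: Mon, 01 Feb 2021 09:12:00 +0000

Hi Alice,

Are you at your desk? I am in a closed meeting and cannot take calls,
kindly handle a confidential matter for me. Keep this between us for now.
I need you to process a wire payment today. Reply only via email.

Regards,
John
"""

# Constructed sample: ordinary internal mail, no tells should fire.
BENIGN_SAMPLE = """\
From: Alice Jones <alice.jones@example.com>
To: Bob Lee <bob.lee@example.com>
Subject: Notes from Tuesday's planning meeting
Date: Tue, 02 Feb 2021 14:03:00 +0000

Hi Bob,

Attached are the notes from Tuesday. Let me know if I missed anything
and we can finalize the plan on Thursday.

Thanks,
Alice
"""

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(raw))
```

Every tell in the sample BEC message fires (score 14, above the assumed threshold of 5) while the benign message scores 0. The caveat a practitioner should keep in mind is that any one of these rules alone is noisy: a real executive can write “URGENT” in a subject line, which is why the text combines language features with the metadata indicators from the previous post and the behavioral analytics promised for the next one, rather than acting on a single tell.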

Stopping BEC attacks in the inbox

Smart technologies like NLP are essential to a robust defense against BEC attacks and they need to be deployed where it counts, in the inbox. Vigilance in the inbox is the most effective way to combat evasive threats like BEC attacks that have evaded detection at the boundary or by Microsoft security controls.

Next time, in the final blog in this series, we’ll look at another crucial aspect of effective BEC detection: using behavioral analytics to identify patterns of behavior and, crucially, any anomalies that would indicate an attempted attack.

About Cyren Inbox Security

Cyren Inbox Security (CIS) is a modern Integrated Cloud Email Security SaaS solution that augments native Microsoft and traditional secure email gateway defenses. CIS utilizes AI/ML/NLP capabilities with behavioral analytics, and up-to-the-minute cyber threat intelligence, to automatically protect against, and manage the remediation of email threats that have successfully evaded all other defenses to reach the user’s Microsoft Office 365 inbox.