
Understanding the IOCs, Attack Techniques, Preventative Measures, and Do's and Don'ts of a BEC Attack

Pondurance
May 12, 2026

Business email compromise (BEC) attacks involve unauthorized threat actors gaining access to a legitimate email tenant through social engineering tactics, including emails, texts, phone calls, QR codes, and other communication tools. Last year, organizations experienced a 30% increase in BEC attacks, according to data from SureFire Cyber. The number of BECs is expected to increase as additional tactics continue to evolve.


The financial impact of these scams can be significant, since most successful BEC attacks involve vendor payment redirection, executive impersonation, or payroll diversion. BECs remain one of the top financial cybercrime categories, and financial losses can be even greater for healthcare organizations than for companies in other industries. Threat actors often target healthcare organizations because of the large volume of financial transactions, the reliance on email for billing and procurement, the storage of sensitive protected health information, the operational urgency of a staff that is likely to act quickly, and the prevalence of legacy IT systems and staffing shortages.


Abbey Mirelli, Incident Response Manager, and Brook Weiss, Incident Response Consultant, both on the Pondurance team, recently presented valuable information on BECs for a Health-ISAC Navigator Program. They discussed the indicators of compromise (IOCs), attack techniques, preventative measures, and the do's and don'ts of a compromise. 


Indicators of compromise

IOCs are forensic data or evidence showing that threat actors have already infiltrated an environment; the incident response team uses that evidence in an investigation to figure out what happened. The team explained that threat actors look to compromise administrative accounts with elevated privileges, which they can use to set up mailbox connectors for additional mail flow, assign delegated access and permissions to other mailboxes, or register additional applications. When a threat actor has admin access, it adds to the risk and impact of a BEC attack and, when used to its full advantage, makes the attack more complex.


Once the threat actors have gained admin access, a few actions typically follow. The team explained that threat actors may contact the user with an unexpected IT support call or Teams meeting, instructions to install remote access software, requests to approve multifactor authentication (MFA) prompts or enter credentials, and other social engineering scams. The threat actors may also change an existing contact to a domain they control so they can maintain visibility into the environment and possibly inject themselves back into the conversation. In addition, after compromising an email account, threat actors often use spoofing, that is, pretending to be another user or device, to gain unauthorized access or sensitive data.


The primary IOCs that the incident response team looks for during an investigation include logins from new countries or unusual locations, logins that would require an impossible travel itinerary for one person, logins from virtual private networks or cloud hosting providers, multiple failed logins followed by a successful one, sign-ins at unusual hours, and new user agents or devices.
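As an added example (not code from Pondurance or the webinar), the following Python triages one mailbox's sign-in history for the indicators just listed: new country, new user agent, VPN or hosting-provider networks, a burst of failures before a success, off-hours sign-ins, and impossible travel. The baseline countries and user agents, the business-hours window, the 900 km/h travel threshold, and the sample events are all constructed assumptions.

```python
# Added example (not from Pondurance or the webinar): flag the sign-in indicators
# a BEC investigation looks for in one mailbox's login history. All data is constructed.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

BASELINE = {"countries": {"US"}, "user_agents": {"Outlook/16 Windows"}}  # assumed normal
BUSINESS_HOURS = range(6, 20)  # UTC hours treated as normal working hours (assumption)
MAX_SPEED_KMH = 900            # faster than this between two logins is impossible travel
FAIL_BURST = 3                 # failures right before a success that suggest guessing

def distance_km(a, b):
    """Great-circle distance between two (lat, lon) pairs, haversine formula."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(events, baseline=BASELINE):
    """Return (time, indicator) pairs for a time-ordered list of sign-in events."""
    findings, fails, last_ok = [], 0, None
    for e in events:
        if e["result"] != "success":
            fails += 1          # count failures until the next successful sign-in
            continue
        t = datetime.fromisoformat(e["time"]).astimezone(timezone.utc)
        checks = {
            "multiple failed logins then success": fails >= FAIL_BURST,
            "login from new country": e["country"] not in baseline["countries"],
            "new user agent": e["ua"] not in baseline["user_agents"],
            "login from VPN/cloud hosting": e["net"] in ("vpn", "hosting"),
            "sign-in at unusual hour": t.hour not in BUSINESS_HOURS,
        }
        if last_ok:             # compare with the previous successful sign-in
            hours = (t - last_ok[0]).total_seconds() / 3600
            speed = distance_km(last_ok[1], e["geo"]) / hours if hours > 0 else 0
            checks["impossible travel"] = speed > MAX_SPEED_KMH
        findings += [(e["time"], name) for name, hit in checks.items() if hit]
        fails, last_ok = 0, (t, e["geo"])
    return findings

# Constructed sign-in log: one normal office login, then a burst from a hosting IP abroad.
EVENTS = [
    {"time": "2026-04-01T09:00:00+00:00", "result": "success", "country": "US",
     "geo": (39.77, -86.16), "net": "isp", "ua": "Outlook/16 Windows"},
] + [
    {"time": f"2026-04-01T10:1{i}:00+00:00", "result": r, "country": "NG",
     "geo": (6.52, 3.38), "net": "hosting", "ua": "python-requests/2.31"}
    for i, r in enumerate(["failure", "failure", "failure", "success"])
]
```

Calling `triage(EVENTS)` returns five findings, all on the 10:13 success; the hour check stays quiet because 10:00 UTC falls inside the assumed window.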


Attack techniques 

Threat actors use a number of different techniques to execute a BEC attack, including phishing, document sharing, vishing, and mass spam emails. The team explained that the techniques are continuously evolving as threat actors try to blend in and evade the attention of employees as they make their moves.


Phishing, the primary technique threat actors use to compromise email accounts, uses fraudulent messages to deceive targets into revealing sensitive information such as credentials, passwords, or bank account numbers for malicious use. Typically, the messages encourage targets to click on a malicious link, expose login credentials, or allow other access to the network. As many as 56% of organizations were impacted at least once by phishing-related incidents, according to the 2026 Kaseya Cybersecurity Outlook Report.


In the past, phishing emails were often identifiable as fraudulent due to poor grammar and awkward language. Today, artificial intelligence (AI) allows threat actors to create convincing emails with little effort or expertise. Threat actors now use AI to personalize the content of the emails and write the text.


Threat actors are creative in their phishing exploits, using spear-phishing, pharming, whaling, and more. The team discussed a few specific types of phishing campaigns to look out for. 


  • Zipline phishing. Users reach out by legitimate means, such as a Contact Us online form, and threat actors respond by attaching a zip folder that contains a malicious payload. 

  • Tycoon MFA phishing. Threat actors send malicious emails using a phishing kit, directing users to spoofed organization domains. In October 2025, Microsoft Defender blocked over 13 million such emails from hundreds of threat actor groups. The low price of the phishing kit has dramatically lowered the barrier to entry for threat actors.

  • SharePoint/OneDrive emails. These attacks target industries that rely on document sharing, such as consulting, finance, and construction. A typical email fraudulently alerts the user that a document has been shared and contains a link to view the document.

  • Vishing. These attacks use emails to alert users about a missed call or new voicemail and include a link to play the voicemail message. The link usually leads to a phishing page or login.

  • Mass spam emails. Following a compromise or once they know they will be caught, threat actors often send a fraudulent email, similar to the one used to gain initial access, to a mass group of people. The goal is to find more potential victims.


Preventative measures

While threat actors relentlessly try to obtain user credentials, organizations need to know what they can do to lower the risk of BEC attacks. There are many anti-phishing tools on the market; however, the tools still leave gaps in protection. There are actions organizations can take to fill those gaps and minimize the risks.


  • FIDO2. This phishing-resistant MFA method offers protection against BEC attacks. FIDO2 relies on a key stored in a hardware token that the user must present to log in to the email environment. When threat actors try to intercept the login, they fail because the key cannot be used from their spoofed webpage.

  • Audit logging. Audit log analysis differs depending on the environment in use. The Microsoft 365 Unified Audit Log can be used to analyze data for up to six months for all licenses and up to one year for E5 licenses and above, but it must be turned on. Google Workspace and on-premises environments also have audit logging capabilities, but they are often more limited.

  • Registration of applications. Only administrators should register applications in the environment, keeping threat actors from having access to them.

  • Separation of admin accounts. Admin accounts should be logged in to only when conducting admin activities. For all other activities, the administrator should use a day-to-day account that is not privileged.

  • Session length. The length of an admin account session should be kept to a minimum to prevent an extended stay for a threat actor. For example, if an administrator's session persists for three months, a threat actor who hijacks it can also persist in that session for three months.

  • User training. The team stressed the importance of providing comprehensive user training and allowing employees to readily report suspicious behavior or stolen credentials.


The do's and don'ts of a compromise

As much as 70% of organizations expect a phishing attack in the next year, according to the 2026 Kaseya Cybersecurity Outlook Report. If a phishing or BEC attack does happen, organizations need to know what to do — and what not to do — to stay safe and improve the quality of the incident response investigation.


Do's:

  • Immediately reset the account password and revoke any active sessions. 

  • Review the user's MFA devices. 

  • Revert any modified financial configurations to their original state and notify the internal team.

  • Review and delete any suspicious or unauthorized inbox rules.

  • Confirm that the MFA has been reconfigured and that the new setup uses phishing-resistant methods.

  • Perform a mass password reset, if possible.

  • Make certain that the threat actors are not continuing to use the privileges of the compromised account after they have been removed.
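As an added example (not code from Pondurance or the webinar), this Python ranks a mailbox's inbox rules by the traits that typically mark attacker-created rules during the review step above: external forwarding, deleting mail, hiding mail in rarely viewed folders, marking it read, finance keywords, and near-empty names. The tenant domain, folder list, keyword list, and sample rules are constructed assumptions.

```python
# Added example (not from Pondurance or the webinar): rank a mailbox's inbox rules
# by the traits BEC actors rely on for persistence. Rules and domains are constructed.
ORG_DOMAIN = "example-health.org"   # assumed tenant domain
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
MONEY_WORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}

def is_external(addr):
    """True when a forwarding target is outside the organization's own domain."""
    return not addr.lower().endswith("@" + ORG_DOMAIN)

def score_rule(rule):
    """Return (score, reasons) for one rule dict; higher scores are reviewed first."""
    reasons = []
    fwd = [a for a in rule.get("forward_to", []) if is_external(a)]
    if fwd:
        reasons.append("forwards to external " + ", ".join(fwd))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if rule.get("move_to", "").lower() in HIDE_FOLDERS:
        reasons.append("hides mail in " + rule["move_to"])
    if rule.get("mark_read"):
        reasons.append("marks mail as read")
    terms = MONEY_WORDS & {w.lower() for w in rule.get("keywords", [])}
    if terms:
        reasons.append("keyed on finance terms " + ", ".join(sorted(terms)))
    if len(rule.get("name", "").strip(" ._-")) < 2:
        reasons.append("near-empty rule name")
    return len(reasons) + (2 if fwd else 0), reasons   # external forwarding weighs most

def suspicious_rules(rules, threshold=2):
    """Rules scoring at or above threshold as (score, name, reasons), worst first."""
    ranked = [(*score_rule(r), r["name"]) for r in rules]   # (score, reasons, name)
    return sorted([(s, n, why) for s, why, n in ranked if s >= threshold], reverse=True)

# Constructed rule set: one legitimate rule and two typical post-compromise rules.
RULES = [
    {"name": "Newsletters", "keywords": ["unsubscribe"], "move_to": "Newsletters"},
    {"name": "..", "keywords": ["invoice", "wire"], "forward_to": ["ap-desk@gmail.example"],
     "move_to": "RSS Feeds", "mark_read": True},
    {"name": "Cleanup", "keywords": ["payment"], "delete": True},
]
```

Calling `suspicious_rules(RULES)` returns the ".." rule first and "Cleanup" second while the newsletter rule scores zero; the threshold is a starting point, not a verdict, so the reasons list is what the reviewer reads.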


Don'ts:

  • Don't panic. Contact the bank to freeze accounts or attempt a wire recall.

  • Don't delete the mailbox of the impacted email.

  • Don't assume that only one account is impacted. 

  • Don't ignore financial systems, or other systems that tie back to Microsoft 365, especially ones with MFA set up using the email account.

  • Don't be convinced that MFA can fully stop a BEC attack.


Conclusion

BEC attacks are on the rise and are expected to continue to increase as additional tactics continue to evolve. The financial impact can be significant, particularly in healthcare, but it doesn't have to be when employees know how to recognize BEC attacks and the organization implements preventative measures to minimize the risk of harm. For more detailed information about BEC attacks, watch the webinar.
