Combatting BEC and EAC: Leveraging Orchestration and Automation to Remediate Email Fraud Attacks

Share with your network!

Business email compromise (BEC) and email account compromise (EAC)—a collective $26B problem—are issues that organizations of all sizes, in all industries, must address.

Our "Combatting BEC and EAC" blog series dives into how you can stop these threats at your organization. Each post focuses on one of seven key steps. We tackle the sixth step in this blog post: leveraging orchestration and automation to remediate email fraud attacks.

Post Delivery Detection and Response is Critical

Defending against BEC and EAC attacks requires a multi-tiered approach. While preventing phishing and impostor threats before they get to the inbox is a critical layer of defense, post-delivery detection and response are equally important. After all, email threats continue to become more sophisticated to evade detection.

BEC/EAC attacks leverage multiple vectors and tactics, including email, cloud accounts, impersonation and compromised accounts. Because of this variety, investigation and remediation must go beyond email and include cloud accounts.

Orchestration and Automation Speed Incident Response

With staffing shortages and an overwhelming number of alerts, automating workflows and response actions can save valuable time and enable faster incident response. Quickly finding, investigating and cleaning up BEC and EAC threats across the organization are often highly manual and time-consuming tasks. The longer it takes to remediate, the longer the organization is exposed. Proofpoint automates incident response to save time and better protect against BEC and EAC attacks.

Streamline Remediation of Employee Reported Emails

Because BEC/EAC attacks are people-centric threats, employees are a critical part of your defense. Many organizations train their employees to report suspicious messages to an abuse mailbox. Proofpoint’s PhishAlarm button and email warning tag provide easy, accessible ways for end-users to report suspicious messages.


Figure 1: Users can report suspicious messages with a single click

Investigating user-reported messages is a tedious and time-consuming task that often falls to the bottom of the priority list. Our Threat Response Auto-Pull (TRAP) monitors the abuse mailbox and automatically analyzes new messages from users. Misreported email (clean email) is automatically resolved. If the message is found to be malicious, the reported message and any other copies (including those forwarded to other users or distribution lists) can be automatically quarantined. To close the remediation loop, users receive a customized email letting them know the message was malicious. This reinforces the behavior and encourages employees to report similar messages in the future. Automating these functions helps you quickly contain the spread of BEC and EAC threats. You get accelerated threat response while doing less manual work.

Triage Compromised Accounts

Compromised accounts are incredibly valuable to attackers because they can use these accounts to conduct reconnaissance. When they’ve identified a good opportunity (e.g. when a payment is due), emails sent from a compromised account will evade detection as these are fraudulent messages sent from a legitimate account (vs. Spoofed display or domain names).

When a compromised account is detected, security teams need to take action before damage is done. Proofpoint enables security teams to set policies for fast response. Organizations can automatically force password resets, suspend compromised accounts, revoke a user’s session, or enforce risk-based authentication.

To address the variety of tactics and vectors criminals employ in BEC/EAC attacks, organizations need a multilayered solution. At Proofpoint, we’ve got what you need to respond and protect quickly and automatically to BEC and EAC threats. To find out if your organization is protected against BEC and EAC attacks, take our assessment here.