Microsoft and Proofpoint—securing the modern workplace together: business email compromise attacks

In this ongoing blog series, we examine how human-centric threats continue to evolve—and how some may bypass Microsoft’s traditional email defenses. These attacks can result in significant financial and operational impacts for organizations. We’ll do a deep dive into several types of attacks, including: 

Microsoft and ransomware 

• Microsoft and supply chain risk 
• Microsoft and account compromise 
•  Microsoft and weaponized file sharing 

Subscribe to our blog at the bottom of this post to stay updated on these misses that may be impacting your organization and better understand your organization’s risk with a threat assessment.

The dangers of business email compromise attacks  

Business email compromise (BEC), a type of email fraud. It’s one of the most financially damaging threats to businesses of all sizes and across industries, overshadowing most other types of cybercrime in terms of monetary losses. 

In 2020 alone, BEC schemes cost companies and individuals nearly $2 billion and comprised 44% of total monetary losses, according to the FBI and Internet Crime Complaint Center’s (IC3) annual cybercrime report. This represents a $100 million increase from 2019. Other research, like Ponemon's 2021 Cost of Phishing Study, shows an average of almost $6 million in direct and indirect losses annually for a large-sized organization, or 40% of the total cost of phishing. 

Figure 1: Proofpoint blocks more than 15,000 BEC messages every day

Proofpoint detects an average of 450,000 BEC attacks each month. In a recent 30-day period, our targeted threat assessments detected approximately 2,100 BEC threats that bypassed Microsoft’s native email security—within a limited sample set. 

At one large manufacturer with more than 18,000 employees, almost 300 impostor attacks were delivered. A 1,000 seat higher education university, Microsoft missed nearly 150 impostor messages sent to staff. And at a smaller organization with about 600 employees, Microsoft missed more than 80 impostor messages. In each instance, the POCs ran for about one month.

In each case, Proofpoint’s Rapid Risk Assessments identified threats that had slipped through. This reinforces the value of multilayered protection to enhance Microsoft’s native email security. 

Here are some examples of BEC attacks that bypassed Microsoft’s defenses.  

1: Payroll redirect attack

Payroll redirects, also called payroll diversions, are email fraud attacks that typically target finance, tax, payroll and human resources employees. Payroll redirects employ various social engineering tactics that can be hard to detect. Proofpoint detects, on average, about 60,000 payroll redirect attempts every month.

Payroll redirects are considered a medium risk to businesses and organizations. According to the FBI Internet Crime Complaint Center’s report on BEC from 2019, the average loss of payroll fraud is $7,904 per incident.

Here’s one example of an attack missed by Microsoft:

• Environment. Microsoft 365
• Threat Category. BEC
• Attack Type. Payroll redirect
• Target. Benefits administrator

Figure 2. An example of a payroll redirect attack

1: Anatomy of the attack

This payroll redirect attack bypassed native Microsoft email security, enabling a back-and-forth exchange between the impostor and the intended victim. The impostor used a Gmail account and purported to be an employee requesting a direct deposit change to a new bank account.  

Impersonation of employees is problematic, but when high-level executives are impersonated, the financial losses can be more severe. Proofpoint’s advanced detection capabilities are designed to identify these nuanced threats and complement Microsoft’s defenses by stopping socially engineered attacks before they escalate. 

2: Executive impersonation attack

Executive impersonation attacks, also known as CEO fraud, have risen drastically with changing work environments. Since March 2020, Proofpoint has seen email scammers impersonate more than 7,000 CEOs. More than half of Proofpoint customers have had at least one high-level executive impersonated. 

Here’s the example: 

• Environment. Microsoft 365
• Threat category. BEC
• Attack Type. Impersonation
• Target. Directors, strategic and business development

Figure 3. An example of an executive impersonation attack

Anatomy of the attack

This impersonation attack bypassed Microsoft native email security. The impostor used a Gmail account and purported to be the CEO requesting follow-up action by the employees. If employees had engaged with this email, the attacker could have easily continued to manipulate and extract data or financial rewards. 

Why BEC attacks can bypass Microsoft native defenses

Today’s BEC attacks use sophisticated social engineering tactics that can evade traditional detection methods. In recent assessments, Proofpoint identified several reasons why these threats may bypass Microsoft’s native email security: 

• These emails pass simple sender reputation checks. Due to the use of Gmail, they passed both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication checks. The use of legitimate services is a common tactic many reputation-based vendors struggle to detect.
• These messages spoof an employee’s display name. Attackers frequently spoof employee display names, sometimes using nicknames or subtle variations to avoid detection. These tactics can bypass header analysis and are often only flagged after manual review. 
• Additionally, Microsoft’s native security does not currently include metonym detection—an advanced capability that helps identify suspicious tone and intent based on subtle linguistic cues. 
• Because these threats typically appear benign, organizations may spend significant time and resources manually investigating and remediating them. 

By using Proofpoint’s advanced detection capabilities to complement Microsoft’s defenses, in one case study a customer was able to avoid hiring three full-time security analysts, saving approximately $345,000 over three years. 

How Proofpoint stops business email compromise 

Figure 4. A relationship graph illustrating how Proofpoint helps to stop BEC

Supernova uses a combination of ML, stateful analytics, behavioral analytics, rulesets, and the work of our threat researchers who track cybercriminals’ tactics to deliver both high efficacy and the lowest false-positive rate. Supernova is used by most of the Fortune 100, Fortune 1000, and Global 2000. Our ML and AI detection models ingest 2.6 billion emails, 1.9 billion attachments and more than 49 billion URLs every day. 

Recommendations to stop BEC attacks 

Figure 5. An overview of the layered approach Proofpoint applies to help stop BEC attacks

Proofpoint takes a multilayered approach to stopping BEC attacks with our Threat Protection platform. Some of these layers include our leading detection, isolation, authentication, education and automated remediation capabilities. There’s no silver bullet to the ever-increasing phishing threat. That’s why a multilayered, integrated threat protection solution is necessary. Proofpoint also uses ML and advanced sandboxing technology to stop ransomware, phishing and account takeover, in addition to BEC attacks. 

To learn more about how Proofpoint Threat Protection can help you can stop these threats in your environment, take a free Email Rapid Risk Assessment.