Microsoft’s Digital Crimes Unit observed a 38 per cent increase in cybercrime-as-a-service attacks that target business email accounts between 2019 and 2022, according to the fourth edition of the Cyber Signals report.
Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million business email compromise (BEC) attempts with an adjusted average of 156,000 attempts daily.
The report states that the surge in cybercrime activity leading to BEC attacks costs organisations millions of dollars annually.
According to the report, BEC operators often avoid ‘noisy’ ransomware attacks and instead focus on exploiting the daily flow of email traffic and messages to lure victims into providing financial information, often by creating panic with fake urgent deadlines.
Microsoft has also observed a trend in attackers using platforms like BulletProftLink, a service that can create industrial-scale malicious mail campaigns.
“[Cybercriminals] don’t have to use zero-day software exploits or novel offensive techniques to be successful,” said Simeon Kakpovi, senior threat intelligence analyst at Microsoft Threat Intelligence, in the report. “To compromise email, credential phishing, social engineering and sheer grit is all that’s required.”
In the report, Microsoft recommends that businesses can help to combat BEC attacks by using a secure email solution that utilises the cloud and artificial intelligence, securing identities with automated identity governance, adopting a secure payment platform and training employees to spot warning signs.
Read the full issue of Cyber Signals from the Microsoft website.