{
	"id": "33ecd999-3f1a-4e1e-ab89-14cb86cdf2d3",
	"created_at": "2026-04-06T00:13:39.784388Z",
	"updated_at": "2026-04-10T13:12:45.216793Z",
	"deleted_at": null,
	"sha1_hash": "0760701a2314dd79f86cea2c6b16bfc06c468ed6",
	"title": "Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 625838,
	"plain_text": "Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-06-14 · Archived: 2026-04-05 18:14:32 UTC\r\nMicrosoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise\r\n(BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to\r\ncompromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails\r\nabout financial transactions.\r\nIn this blog, we’ll share our technical analysis and journey of unraveling this BEC operation, from the phishing\r\ncampaign and compromised mailboxes to the attacker infrastructure. This threat highlights the importance of\r\nbuilding a comprehensive defense strategy, which should include strong pre-breach solutions that can prevent\r\nattackers from gaining access and creating persistence on systems in the first place, as well as advanced post-breach capabilities that detect malicious behavior, deliver rich threat data, and provide sophisticated hunting tools\r\nfor investigating and resolving complex cyberattacks.\r\nThis investigation also demonstrates how cross-domain threat data, enriched with expert insights from analysts,\r\ndrives protection against real-world threats, both in terms of detecting attacks through products like Microsoft\r\nDefender for Office 365, as well as taking down operations and infrastructures.\r\nThe use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily,\r\ncharacteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes,\r\nmaking it harder for researchers to correlate seemingly disparate activities as a single operation. 
However, even\r\nwith the multiple ways that the attackers tried to stay under the radar, Microsoft 365 Defender’s cross-domain\r\nvisibility uncovered the operation.\r\nhttps://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/\r\nPage 1 of 12\n\nFigure 1. Signals from Microsoft 365 Defender services that researchers correlated to expose the BEC attack\r\nThe depth and breadth of this visibility is especially critical in detecting and stopping BEC because these attacks\r\nhave a minimal footprint, create very low signals that don’t rise to the top of a defender’s alert list, and tend to blend\r\nin with the usual noise of corporate network traffic. BEC attacks unfortunately can stay undetected until they\r\ncause real monetary loss because of the limited or partial visibility provided by security solutions that don’t benefit\r\nfrom comprehensive visibility into email traffic, identities, endpoints, and cloud behaviors, and the ability to\r\ncombine isolated events and deliver a more sophisticated cross-domain detection approach. Armed with\r\nintelligence on phishing emails, malicious behavior on endpoints, activities in the cloud, and compromised\r\nidentities, Microsoft researchers connected the dots, gained a view of the end-to-end attack chain, and traced\r\nactivities back to the infrastructure.\r\nDisrupting BEC operations is one of the areas of focus of Microsoft’s Digital Crimes Unit (DCU), which works\r\nwith law enforcement and industry partners to take down operational infrastructure used by cybercriminals. For\r\nthe specific BEC operation discussed in this blog, industry partnership was critical to the disruption. 
As our\r\nresearch uncovered that attackers abused cloud service providers to perpetrate this campaign, we worked with\r\nMicrosoft Threat Intelligence Center (MSTIC) to report our findings to multiple cloud security teams, who\r\nsuspended the offending accounts, resulting in the takedown of the infrastructure.\r\nInitial access via phishing\r\nUsing Microsoft 365 Defender threat data, we correlated the BEC campaign to a prior phishing attack. The\r\ncredentials stolen at this stage were used by the attackers to access target mailboxes. It’s important to note that\r\nmulti-factor authentication (MFA) blocks attackers from signing into mailboxes. Attacks like this can be prevented\r\nby enabling MFA.\r\nOur analysis shows that shortly before the forwarding rules were created, the mailboxes received a phishing email\r\nwith the typical voice message lure and an HTML attachment. The emails originated from an external cloud\r\nprovider’s address space.\r\nFigure 2. Sample phishing email used to steal credentials to be used for the BEC attack\r\nThe HTML attachment contained JavaScript that dynamically decoded an imitation of the Microsoft sign-in page,\r\nwith the username already populated.\r\nFigure 3. 
Phishing page with user name prepopulated\r\nWhen the target user entered their password, they were presented with animations and, eventually, a “File not\r\nfound” message.\r\nFigure 4. Phishing page with animation before eventually serving a fake error\r\nMeanwhile, in the background, the JavaScript transmitted the credentials to the attackers via a redirector also\r\nhosted by an external cloud provider.\r\nFigure 5. JavaScript code used to send stolen credentials to attackers\r\nPersistence and exfiltration\r\nHaving already gained access to mailboxes via the credential phishing attack, attackers gained a persistent data\r\nexfiltration channel via email forwarding rules (MITRE ATT&CK T1114.003). 
During the course of our investigation of this\r\ncampaign, we saw hundreds of compromised mailboxes in multiple organizations with forwarding rules\r\nconsistently fitting one of the patterns below:\r\nMailbox rule name | Condition | Action\r\no365 default | If Body contains invoice, payment, or statement | Forward the email to ex@exdigy[.]net\r\no365 (del) | If Body contains ex@exdigy[.]net | Delete message\r\nMailbox rule name | Condition | Action\r\no365 default | If Body contains invoice, payment, or statement | Forward the email to in@jetclubs[.]biz\r\no365 (del) | If Body contains in@jetclubs[.]biz | Delete message\r\nThese forwarding rules allowed attackers to redirect financial-themed emails to the attacker-controlled email\r\naddresses ex@exdigy.net and in@jetclubs.biz. The attackers also added rules to delete the forwarded emails from\r\nthe mailbox to stay stealthy.\r\nFigure 6. Alert in Microsoft 365 security center showing detection of forwarding rule creation\r\nBEC infrastructure in the cloud\r\nOur analysis revealed that the attack was supported by a robust cloud-based infrastructure. The attackers used this\r\ninfrastructure to automate their operations at scale, including adding the rules, watching and monitoring\r\ncompromised mailboxes, finding the most valuable victims, and dealing with the forwarded emails.\r\nThe attackers took steps to make it harder for analysts to connect their activities to one operation, for example,\r\nrunning distinct activities from different IPs and in different timeframes. The attack, however, was conducted from certain IP\r\naddress ranges. 
We saw these commonalities in the user agents:\r\n- Credential checks with user agent “BAV2ROPC”, which is likely a code base using legacy protocols like\r\nIMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an\r\n“invalid_grant” in case MFA is enabled, so no MFA notification is sent.\r\n- Forwarding rule creations with Chrome 79.\r\n- Email exfiltration with a POP3/IMAP client for selected targets.\r\nWe observed the above activities from IP address ranges belonging to an external cloud provider, and then saw\r\nfraudulent subscriptions that shared common patterns in other cloud providers, giving us a more complete picture\r\nof the attacker infrastructure.\r\nThe attackers used a well-defined worker structure in the VMs, where each VM executed only a specific\r\noperation, which explains why activities originated from different IP sources. The attackers also set up various\r\nDNS records that read very similar to existing company domains. These are likely used to blend into existing\r\nemail conversations or used for more tailored phishing campaigns against specific targets.\r\nThe attackers pulled various tools onto the VMs. One of the tools was called “EmailRuler”, a C# application that\r\nuses ChromeDriver to automatically manipulate the compromised mailboxes. The stolen credentials and the state\r\nof each mailbox compromise are stored in a local MySQL database.\r\nFigure 7. Decompilation of EmailRuler tool\r\nIn addition, we also observed that on selected compromised user accounts, the attackers attempted to pull emails\r\nfrom the mailbox. 
A tool called “Crown EasyEmail” in the attacker’s VMs was likely used for this activity,\r\nconsistent with the observation of using a POP3/IMAP client.\r\nDefending against BEC and cloud-based attacker infrastructure with Office 365\r\nBusiness email compromise is a constant threat to enterprises. As this research shows, BEC attacks are very\r\nstealthy, with attackers hiding in plain sight by blending into legitimate traffic using IP ranges with high reputation\r\nand by conducting discrete activities at specific times and over specific connections.\r\nMicrosoft empowers organizations to comprehensively defend multiplatform and multicloud environments against\r\nthese types of attacks through a wide range of cross-domain solutions that include advanced pre-breach and post-breach protection capabilities. External email forwarding is now disabled by default in Office 365, significantly\r\nreducing the threat of BEC campaigns that use this technique, while giving organizations the flexibility to control\r\nexternal forwarding. Organizations can further reduce their attack surface by reducing or disabling the use of\r\nlegacy protocols like POP3/IMAP and enabling multi-factor authentication for all users.\r\nAs BEC attacks continue to increase in scope and sophistication, organizations need advanced and comprehensive\r\nprotection like that provided by Microsoft Defender for Office 365. Microsoft Defender for Office 365 protects\r\nagainst email threats using its multi-layered email filtering stack, which includes edge protection, sender\r\nintelligence, content filtering, and post-delivery protection. It uses AI and machine learning to detect anomalous\r\naccount behavior, as well as emails that utilize user and domain impersonation. In addition to disabling external\r\nforwarding by default, Microsoft Defender for Office 365 raises alerts for detected suspicious forwarding activity,\r\nenabling security teams to investigate and remediate attacks. 
Features like Attack simulation training further help\r\norganizations improve user awareness on phishing, BEC, and other threats.\r\nFigure 8. Sample suspicious email forwarding activity alert in Microsoft Defender for Office 365\r\nSignals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain\r\nthreat intelligence to deliver coordinated defense. Expert insights from researchers who constantly monitor the\r\nthreat landscape help enrich this intelligence with an understanding of attacker behaviors and motivations. AI and\r\nmachine learning technologies in our security products use this intelligence to protect customers. These signals\r\nand insights also enable us to identify and take action on threats abusing cloud services. The resulting takedown\r\nof this well-organized, cross-cloud BEC operation by multiple cloud security teams stresses the importance of\r\nindustry collaboration in the fight against attacks and improving security for all.\r\nLearn how Microsoft is combating business email compromise, one of the costliest security threats.\r\nStop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.\r\nStefan Sellmer, Microsoft 365 Defender Research Team\r\nNick Carr, Microsoft Threat Intelligence Center (MSTIC)\r\nAdvanced hunting query\r\nRun the following query to locate forwarding rules:\r\nlet startTime = ago(7d);\r\nlet endTime = now();\r\nCloudAppEvents\r\n| where Timestamp between(startTime .. 
endTime)\r\n| where ActionType == \"New-InboxRule\"\r\n| where (RawEventData contains \"ex@exdigy.net\" or RawEventData contains \"in@jetclubs.biz\")\r\nor\r\n(RawEventData has_any(\"invoice\",\"payment\",\"statement\") and RawEventData has \"BodyContainsWords\")\r\n| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress\r\nSource: https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/"
	],
	"report_names": [
		"behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0760701a2314dd79f86cea2c6b16bfc06c468ed6.pdf",
		"text": "https://archive.orkl.eu/0760701a2314dd79f86cea2c6b16bfc06c468ed6.txt",
		"img": "https://archive.orkl.eu/0760701a2314dd79f86cea2c6b16bfc06c468ed6.jpg"
	}
}