Armorblox on Thursday reported that language-based attacks have become the new normal for business email compromises (BECs), with some 74% of attacks using language as the main attack vector.
Not all BEC threats rely solely on language-based payloads, said Sakthi Chandra, vice president of marketing at Armorblox. Chandra said BEC attacks target organizations across sectors and use language, malicious links, weaponized payloads and common business workflows as the proxy to compromise employees and steal money, credentials, or sensitive data.
“When language is the primary payload that’s used, BEC threats become notoriously difficult to prevent,” Chandra said. “Attackers rely on social engineering techniques to persuade people into acting on the attacker’s behalf. That's why traditional measures like headers, links, and metadata are unreliable for defense and user identity, behavior analytics, content and context must be factored into protective mechanisms.”
Some of the other findings in the Armorblox report include:
- The threat actors prey on emails. Attackers have realized that many critical business workflows happen over email. As a result, this has become the primary attack mechanism for credential phishing. Some 87% of credential phishing attacks looked like legitimate common business workflows to trick end users into engaging with the email.
- Impersonation emails are tough to stop. Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block brand impersonation emails — both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.
- SaaS apps are targets for brand impersonation. The rise of SaaS apps driving business workflows has also created a huge surge in brand impersonation of SaaS companies. Dropbox, Microsoft, and DocuSign were among the most impersonated brands in 2021.
Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, said language-based phishing attacks rely on the choice of words used in the email to socially engineer or trick the recipient into performing an action. Hoffman said this action might be making a wire transfer, requesting payroll direct deposit changes, or processing a password reset. Within these attacks, Hoffman said, the threat actors do not use malicious attachments or links, so these types of attacks are harder to detect without proper employee training.
“To combat this threat, organizations can create policies that require additional authentication and fraud checks before any changes or wire transfers are sent out,” said Hoffman. “In addition, having external banners on emails lets employees know when an email originated from outside of the organization. BEC attacks are very common and can lead to substantial financial losses.”
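As an added illustration of the defensive checks Hoffman describes (an external-origin banner, and holding language-only requests for extra verification), here is a small Python triage routine; it is not Armorblox's or Digital Shadows' code, and the internal domain, protected names, cue list and sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # assumed: the protected organization's domain
PROTECTED_NAMES = {"jane doe"}       # assumed: executives attackers like to impersonate
BANNER = "[EXTERNAL] This message originated outside the organization.\n\n"
# Language cues drawn from the requests the article describes (wire transfers,
# payroll direct-deposit changes, password resets, gift cards) plus urgency/secrecy.
CUES = [r"\bwire transfer\b", r"\bdirect deposit\b", r"\bpassword reset\b",
        r"\bgift cards?\b", r"\burgent(ly)?\b", r"\bclose of business\b", r"\bquietly\b"]

# Constructed sample: a language-only lure from an external domain, no link or attachment.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@ceo-personal.test>
To: accounts@corp.example
Subject: Urgent wire transfer needed today
Content-Type: text/plain

I need you to process a wire transfer of $48,200 to a new vendor before
close of business. I'm in meetings all day, so handle this quietly and
confirm once done.
"""

def _parse(raw: str):
    """Parse the raw message and return (message, display name, sender domain, plain body)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return msg, display, domain, body

def analyze(raw: str) -> dict:
    """Flag external origin, display-name impersonation and BEC language cues; return a verdict."""
    msg, display, domain, body = _parse(raw)
    external = domain not in INTERNAL_DOMAINS
    text = f"{msg['Subject']}\n{body}".lower()
    cues = [c for c in CUES if re.search(c, text)]
    # A protected person's display name arriving from an external domain is the impersonation pattern.
    impersonation = external and display.strip().lower() in PROTECTED_NAMES
    has_link = bool(re.search(r"https?://", body))
    has_attachment = any(True for _ in msg.iter_attachments())
    score = len(cues) + (3 if impersonation else 0)  # no link/attachment needed to reach "hold"
    return {"external": external, "impersonation": impersonation, "cues": cues,
            "has_link": has_link, "has_attachment": has_attachment,
            "verdict": "hold_for_verification" if score >= 3 else "deliver"}

def banner_body(raw: str) -> str:
    """Plain-text body with the external-origin banner prepended for mail from outside the org."""
    _, _, domain, body = _parse(raw)
    return (BANNER + body) if domain not in INTERNAL_DOMAINS else body
```

The verdict "hold_for_verification" is the hook for the out-of-band authentication and fraud checks Hoffman recommends before money or account changes go through.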
Patrick Harr, CEO at SlashNext, said the Armorblox study supports what his team has been seeing at the present time. Harr said we are witnessing threats in collaboration tools, such as SharePoint, Box, Teams, and Zoom, and natural language-based attacks in email as well as via SMS.
“Security leaders are telling us that natural language-based threats are an especially increasing concern in SMS,” Harr said. “Natural language is a threat that doesn’t rely on a malicious URL or file. It relies on social engineering or trusted relationships to get a user to complete a task, such as money transfers or gift cards.”