Managed Security Services, MSP

Business Email Compromise Attacks Spike in Q3

Business email compromise (BEC) attacks spiked in the third quarter of 2023, according to Huntress' inaugural threat report. Huntress provides a cyber security platform designed for managed service providers to protect their small- and mid-sized business (SMB) clients.

The Ellicott City, Maryland-based company said that more than half of all attacks during Q3 were malware-free, meaning hackers exploited legitimate tools instead of malicious software.

The Huntress report revealed 64% of identity-focused incidents in Q3 2023 involved malicious forwarding or other malicious inbox rules, a key indicator of BEC. Another 24% of identity-focused incidents involved logons from unusual or suspicious locations.

Huntress recently added managed detection and response (MDR) for Microsoft 365 capabilities to its SMB platform to enhance protection against BEC and account takeover attacks. SMBs can use MDR for Microsoft 365 to respond to suspicious logins, permission changes and privilege escalations.

“The threat landscape is not slowing down. Threat actors are evolving their tradecraft to significantly impact SMBs, and our goal is to educate them and give them a fighting chance against the ever-evolving adversarial landscape,” said Joe Slowik, Huntress threat intelligence manager.

A Closer Look at Q3 Cyber Attacks: RMM Exploited

Other key takeaways from the research:

  • 56% of incidents in Q3 2023 were “malware-free,” as adversaries use the tactic of exploiting scripting frameworks or legitimate tools, in place of malicious software.
  • 65% of incidents in Q3 2023 involved threat actors using credential harvesting to gain access to victim environments through remote monitoring and management (RMM) software, a lifeline for IT administrators, or using rogue deployment to install RMM tools for access.
  • 25% of incidents saw attackers abusing built-in tools like PowerShell and WMI as an intrusion tactic. Attackers have refined the art of deception; in order to evade detection, they are attempting to hide within the noise of legitimate network operations or use living-off-the-land tactics.
  • 60% of ransomware incidents were from uncategorized, unknown, or “defunct” ransomware strains. While we often hear about headline-grabbing ransomware entities, many lesser-known ransomware strains are prevalent in the SMB space.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.