How They Get In: A Look Under the Hood of a BEC Attack

Forget what you see in the movies. The most devastating hacks aren’t zero-day exploits that shut down the power grid. They’re far simpler. They’re a guy in a cubicle named Dave who clicks on a link and hands over the keys to the kingdom without even knowing it. This is Business Email Compromise (BEC), and it’s less about elegant code and more about weaponized psychology with a technical edge.

Let’s break down how the sausage really gets made.

Phase 1: The Breach - Finding an Open Window

The goal isn’t to smash down the front door; it’s to find a key someone left under the mat. This is all about gaining that initial foothold into a legitimate email account.

  • Credential Stuffing: This is the low-hanging fruit. We take massive dumps of previously breached usernames and passwords (think LinkedIn, Adobe, etc.) and automate login attempts against the target’s Microsoft 365 or Google Workspace portal. Its cousin, password spraying, tries one or two common passwords against every account in the company instead of replaying known pairs. Both are noisy (one source IP failing against a long list of different users stands out in the sign-in logs if anyone reads them), but you’d be shocked how often P@ssword123! works on a corporate account because an employee reuses passwords everywhere.

  • Phishing: The classic for a reason. But we’re not talking about a generic “Nigerian Prince” email. We’re talking about a targeted spearphishing campaign. We scrape LinkedIn for the names of the target’s IT and finance staff, then craft an email in the helpdesk’s name that looks exactly like a legitimate password reset notification or a “shared file” link. The landing page is a pixel-perfect clone of the Microsoft or Google login portal. The target enters their credentials, gets an “error,” and moves on. Game over. We’re in. (The newer kits don’t even bother with a static clone: they proxy the real login page, so the one-time MFA code and the resulting session cookie are captured along with the password.)

  • MFA Fatigue: If they have Multi-Factor Authentication built on push notifications, we just annoy them into submission. With a phished or stuffed password in hand, we trigger login attempts over and over, spamming the user’s authenticator app with approval prompts until they get frustrated and hit “Approve” just to make it stop. It works more often than it should. It stops working only when the prompt makes the user type a number shown on the login screen, or when the second factor is phishing-resistant (a FIDO2 key or a passkey), because then there is nothing to blindly approve.
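Both of the noisy Phase 1 techniques leave a shape in the sign-in log that is easy to pick out once you know what to look for: one source IP failing against many different accounts (stuffing or spraying), and one account rejecting or ignoring a burst of push prompts and then approving one. The script below is an added example, not code from the original post; the log records are constructed, their tuple layout and result labels (`failed_password`, `mfa_push_denied`, and so on) are assumed stand-ins for whatever your identity provider actually exports, and the thresholds are starting points, not tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (illustration only, not data from any real
# tenant). Each tuple is (timestamp, user, source IP, result), a simplified
# stand-in for the fields Microsoft 365 / Google Workspace sign-in logs carry.
# The result strings are assumed labels, not either product's real values.
SIGN_IN_LOG = [
    # One IP walks through five different accounts in ten seconds: stuffing.
    ("2024-03-04T02:00:01Z", "alice@abccorp.com", "203.0.113.7",   "failed_password"),
    ("2024-03-04T02:00:03Z", "bob@abccorp.com",   "203.0.113.7",   "failed_password"),
    ("2024-03-04T02:00:05Z", "carol@abccorp.com", "203.0.113.7",   "failed_password"),
    ("2024-03-04T02:00:07Z", "dave@abccorp.com",  "203.0.113.7",   "failed_password"),
    ("2024-03-04T02:00:09Z", "erin@abccorp.com",  "203.0.113.7",   "failed_password"),
    ("2024-03-04T02:00:11Z", "frank@abccorp.com", "203.0.113.7",   "success"),
    # Dave's phished password is replayed until he approves the sixth push.
    ("2024-03-04T02:30:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_denied"),
    ("2024-03-04T02:31:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_timeout"),
    ("2024-03-04T02:32:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_denied"),
    ("2024-03-04T02:33:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_denied"),
    ("2024-03-04T02:34:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_timeout"),
    ("2024-03-04T02:35:00Z", "dave@abccorp.com",  "198.51.100.23", "mfa_push_approved"),
    # A user mistyping her own password once is noise, not an attack.
    ("2024-03-04T09:15:00Z", "alice@abccorp.com", "192.0.2.10",    "failed_password"),
    ("2024-03-04T09:15:20Z", "alice@abccorp.com", "192.0.2.10",    "success"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_credential_stuffing(log, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted users} for IPs that failed password auth for at
    least `min_users` distinct accounts inside one `window`. Many usernames from
    one IP is the stuffing/spraying signature; one user failing twice is a typo."""
    failures = defaultdict(list)
    for ts, user, ip, result in log:
        if result == "failed_password":
            failures[ip].append((_ts(ts), user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def find_mfa_fatigue(log, min_prompts=4, window=timedelta(minutes=15)):
    """Return {user: {"prompts": n, "approved_after": bool}} for accounts that
    denied or let time out at least `min_prompts` push prompts inside one
    `window`. An approval right after such a burst is the fatigue "success"."""
    rejected = defaultdict(list)
    approvals = defaultdict(list)
    for ts, user, ip, result in log:
        if result in ("mfa_push_denied", "mfa_push_timeout"):
            rejected[user].append(_ts(ts))
        elif result == "mfa_push_approved":
            approvals[user].append(_ts(ts))
    flagged = {}
    for user, times in rejected.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= min_prompts:
                end = burst[-1]
                approved = any(start <= a <= end + window for a in approvals[user])
                flagged[user] = {"prompts": len(burst), "approved_after": approved}
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_credential_stuffing(SIGN_IN_LOG).items():
        print(f"stuffing/spray from {ip}: {len(users)} accounts {users}")
    for user, info in find_mfa_fatigue(SIGN_IN_LOG).items():
        print(f"MFA fatigue on {user}: {info['prompts']} rejected prompts, "
              f"approved afterwards: {info['approved_after']}")
```

The point of the windowing is that both attacks are bursts: a stuffing run that spreads five accounts over a week looks like five unrelated typos, and the thresholds should be set from your own baseline of how many failures a source IP and a user normally produce.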

Phase 2: The Recon - Sitting, Watching, Learning

Once we’re in a mailbox, we go silent. This is the most critical phase. We are not there to send spam; we are a ghost in their machine, learning the business from the inside.

  • Inbox Rule Creation: The first thing we do is create an inbox rule. Something like: “If subject contains ‘invoice,’ ‘payment,’ or ‘overdue,’ mark as read and move to the Archive folder.” Variants forward matching mail to an outside address or delete it outright, and the rule is often named a single dot so it vanishes in the rules list. This lets us intercept critical financial conversations without the legitimate user ever seeing them. They’re flying blind. The one trace it leaves is the rule-creation event in the tenant’s audit log, which is exactly where nobody is looking.

  • Pattern of Life Analysis: We read everything. We learn who talks to whom. Who approves payments? Who is the CFO? Who is the accounts payable clerk? We study the tone, the sign-offs, the typical invoice amounts. We learn the email signatures. We’re looking for the perfect opportunity to strike, and we will wait weeks if we have to.
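The inbox rule is the most reliable artifact this phase produces, because creating or editing a rule through Outlook or OWA is logged as an audit event with the rule's parameters attached. The script below is an added example, not code from the original post: it triages such events and flags the combination the post describes (financial keywords plus an action that hides or exfiltrates the mail, or a throwaway rule name). The records are constructed and only loosely modelled on the Microsoft 365 unified audit log's `New-InboxRule` entries; the field and parameter names (`UserId`, `ClientIP`, `SubjectContainsWords`, `MoveToFolder`, `ForwardTo`, and so on) are taken from the Exchange inbox-rule cmdlets, but the exact JSON shape your export produces is an assumption you should check against a real record.

```python
import json

ORG_DOMAIN = "abccorp.com"  # assumed organisation domain for the example
FINANCE_TERMS = {"invoice", "payment", "overdue", "wire", "remit", "bank", "ach", "iban", "swift"}
# Folders a user rarely opens, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed audit records, one JSON object per line, loosely modelled on the
# unified audit log's inbox-rule events. Not real tenant data.
AUDIT_LINES = [json.dumps(r) for r in [
    {"CreationTime": "2024-03-05T03:12:44", "UserId": "dave@abccorp.com",
     "ClientIP": "198.51.100.23", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;overdue"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "\\Archive"}]},
    {"CreationTime": "2024-03-05T08:40:10", "UserId": "alice@abccorp.com",
     "ClientIP": "192.0.2.10", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
    {"CreationTime": "2024-03-05T11:02:31", "UserId": "frank@abccorp.com",
     "ClientIP": "203.0.113.7", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "backup copy"},
                    {"Name": "ForwardTo", "Value": "frank.backup@gmail.com"}]},
    {"CreationTime": "2024-03-05T11:05:00", "UserId": "frank@abccorp.com",
     "ClientIP": "203.0.113.7", "Operation": "MailItemsAccessed", "Parameters": []},
]]


def _params(record):
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _words(value):
    """Split a ';'-separated parameter value into lower-cased terms."""
    return {w.strip().lower() for w in str(value).split(";") if w.strip()}


def score_inbox_rule(record):
    """Return the list of suspicious traits of one inbox-rule event (empty = benign)."""
    reasons = []
    p = _params(record)
    terms = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        terms |= _words(p.get(key, ""))
    hits = terms & FINANCE_TERMS
    if hits:
        reasons.append(f"matches financial keywords {sorted(hits)}")
    folder = str(p.get("MoveToFolder", "")).split("\\")[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder '{folder}'")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes matching mail")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks matching mail as read")
    for key in FORWARD_PARAMS:
        for addr in _words(p.get(key, "")):
            if "@" in addr and not addr.endswith("@" + ORG_DOMAIN):
                reasons.append(f"{key} sends mail outside the org to {addr}")
    name = str(p.get("Name", "")).strip()
    if len(name.strip(". ")) == 0 or len(name) <= 2:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def triage_inbox_rules(lines, min_reasons=2):
    """Parse audit lines, keep rule creations/edits, and return those with at least
    `min_reasons` suspicious traits or any forwarding outside the organisation."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = score_inbox_rule(rec)
        if any("outside the org" in r for r in reasons) or len(reasons) >= min_reasons:
            findings.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                             "when": rec.get("CreationTime"), "operation": rec["Operation"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(AUDIT_LINES):
        print(f"{f['when']} {f['user']} from {f['ip']} ({f['operation']}):")
        for r in f["reasons"]:
            print("   -", r)
```

External forwarding is treated as a finding on its own because a single rule that copies every message out of the tenant needs no keyword to be dangerous; the keyword-plus-hide combination needs two traits so that an ordinary newsletter rule does not page anyone. Whatever the source, correlate the `ClientIP` of the rule event with the sign-in that created the session; in the constructed data above, Dave's rule comes from the same address that ran the MFA fatigue against him.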

Phase 3: The Strike - Weaponizing Trust

This is where it all comes together. We’ve identified a transaction in progress—maybe a vendor is waiting on a $50,000 payment. We have two main ways to play this:

  • Direct Reply Hijack: Using the compromised account, we simply reply to an existing email thread about the payment. “Hi Jane, please note we have updated our banking information for this invoice. Please remit payment to the new account details attached. Thanks, Dave.” It comes from Dave’s real email. It’s in the middle of a real conversation. It looks completely legitimate.

  • Look-alike Domain: If we lose access to the mailbox, we pivot. We register a domain that’s one character off from the target’s (abccorp.com vs abcc0rp.com). No spoofing is needed: the mail is sent legitimately from a domain we own, and it passes SPF and DKIM for that domain. We set the display name to the employee’s real name so the address underneath is easy to miss, and email the client directly, impersonating the employee. Thanks to our recon, we know exactly who to email and what to say.
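The look-alike variant is the one a mail gateway can catch before a human ever reads the message, because the sender domain is close to, but not equal to, a domain the recipient trusts. The script below is an added example, not code from the original post: it classifies `From:` headers against a trusted-domain list using a small confusable-character table (0 for o, rn for m, and so on) plus edit distance, and separately catches the display-name trick where the visible name is itself a trusted address. The sample headers and the `abccorp.com` trusted domain are constructed; the confusable table is deliberately short and is an assumption you would extend for your own domains.

```python
import re

# Visually confusable substitutions an attacker uses to register a domain that
# reads like the target's. Short on purpose; extend for your own domain names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Constructed sample From: headers and trusted domains (illustration only).
TRUSTED_DOMAINS = {"abccorp.com"}
SAMPLE_FROM_HEADERS = [
    "Dave Smith <dave@abccorp.com>",                    # genuine
    "Dave Smith <dave@abcc0rp.com>",                    # zero for o
    "Dave Smith <dave@abcorp.com>",                     # one letter dropped
    "dave@abccorp.com <dave.smith.acct@gmail.com>",     # real address hidden in the name
    "Vendor Billing <billing@acme-supplies.com>",       # unrelated third party
]


def parse_from(header):
    """Split a From: header into (display name, address). Hand-rolled so a deceptive
    display name such as 'dave@abccorp.com' stays a name instead of being taken
    for the address."""
    m = re.match(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$', header)
    if m:
        return m.group("name").strip('" '), m.group("addr").lower()
    return "", header.strip().lower()


def skeleton(domain):
    """Collapse confusable characters so abcc0rp.com and abccorp.com compare equal."""
    s = domain.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a, b):
    """Classic edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header, trusted_domains, max_distance=1):
    """Return a dict with verdict trusted / display-name-spoof / lookalike / external."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[-1]
    result = {"from": header, "address": addr, "domain": domain,
              "verdict": "external", "reason": ""}
    if domain in trusted_domains:
        result["verdict"] = "trusted"
        return result
    # Many clients show only the display name, so a trusted address placed there in
    # front of an unrelated mailbox is the cheapest impersonation of all.
    if "@" in name and name.rsplit("@", 1)[-1].lower() in trusted_domains:
        result.update(verdict="display-name-spoof",
                      reason=f"display name {name!r} is a trusted address but mail comes from {domain}")
        return result
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            result.update(verdict="lookalike", reason=f"{domain} is a confusable spelling of {trusted}")
            return result
        if levenshtein(domain, trusted) <= max_distance:
            result.update(verdict="lookalike",
                          reason=f"{domain} is within edit distance {max_distance} of {trusted}")
            return result
    return result


def triage_senders(headers, trusted_domains):
    return [classify_sender(h, trusted_domains) for h in headers]


if __name__ == "__main__":
    for r in triage_senders(SAMPLE_FROM_HEADERS, TRUSTED_DOMAINS):
        print(f"{r['verdict']:<20} {r['address']:<32} {r['reason']}")
```

Edit distance 1 is a tight bound on purpose: at distance 2 most short domains start colliding with legitimate third parties, so widen it only for your own and your key vendors' domains. Note also what this check cannot do: the direct reply hijack from the compromised mailbox comes from the real domain and passes every sender check, which is why the banking-change request itself, not the sender, has to be verified out of band.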

This isn’t magic. It’s a methodical process of exploiting human trust, powered by basic technical intrusions. The entire attack hinges on the fact that once we’re inside the perimeter, nobody is looking for us. They’re too busy worrying about the firewall.