Small and medium-sized businesses are highly vulnerable to Business Email Compromise (BEC) attacks. Threat actors are evolving, exploiting human error and trust while leveraging automation tools and AI. To shed light on this evolving threat, Information Security Buzz spoke with David Langlands, Todyl’s Chief Security Officer, to discuss the notorious Söze Syndicate, its global impact, and what steps businesses can take to protect themselves.
1. How significant is the threat foreign actors pose using U.S.-based ISPs to facilitate Business Email Compromise (BEC) scams?
It’s a significant threat, and we’ve seen threat actors shift in this direction. Our observations over the past 12 to 24 months showed nearly a 600% increase in account takeover Business Email Compromise (BEC) activity. There are many reasons behind it. One is mainly for the markets we serve, which tend to be the managed service providers offering IT services. They make a tempting target for threat actors because they control the IT operations and sometimes the security for hundreds, if not thousands, of organizations. We’re seeing a significant shift from noisy techniques, such as ransomware, toward stealthy and long-term attacks in BEC.
2. What were your initial findings of the investigation of the Söze Syndicate?
During our first research, we thought they had compromised infrastructure within the US and were using that as a launchpad for additional attacks within the country. Given the security policies of many organizations, whether based in the US or abroad, they typically monitor employee travel and expected access locations. So they often scrutinize traffic more carefully if it comes from a region they don’t expect. For example, Eastern Europe may not frequently access a local manufacturer in the United States. Our initial assumption was that they may have taken over some infrastructure here. But, as our research team dug deeper, we found that they had not only entirely owned this infrastructure but were also using it for a large-scale campaign. In some cases, that infrastructure had existed for about 24 months.
Commonly, what we see within the US is that if a threat actor sets up infrastructure or takes over a system, they may only be on that system for 30 days maximum. Referring back to history, to see something that had 12 or 24 months’ worth of dwell time on an infrastructure indicated that we were dealing with a different type of threat actor. This was somebody with significant resources who had either set up an internet service provider inside the US or bought infrastructure from an internet service provider and had their dedicated environment. But when we saw the scale was close to 5,000 hosts within the US, it was eye-opening. And the volume of traffic we could trace back to it was nearly 60% of the account takeover attempts we saw within our customer base.
With that type of volume, we were curious why some of our competitors and some of the larger organizations hadn’t already recognised this and perhaps banded together to shut this down. We’re still working with law enforcement, but this group remains active. When we first started the research in June last year, there were about 6,000 to 6,200 hosts globally. Today, it’s just over 8,500. They continue to deploy new infrastructure in the US, mainly focused on Western Europe, Eastern Europe, and some infrastructure in the Asia Pacific and South Asia, Canada, and North America.
3. The report mentions that attackers bypass multi-factor authentication (MFA) by stealing session tokens. How does this method work, and what does it mean for organizations relying on MFA?
The tactics, techniques, and procedures (TTPs) these threat actors use begin with sending a phishing lure or a phishing email to an unsuspecting victim. Often these victims are opening them on their personal mobile phones or personal devices at home. When they click the email, it sometimes contains a document with links to a fake login page, prompting users to enter their Microsoft or Google Workspace credentials. It then captures the username, password, and multifactor authentication token.
I think most organizations assume multifactor authentication is bulletproof and that no one could bypass that without access to your device. Many multifactor authentication systems allow threat actors to generate multiple session tokens from a single MFA input. For example, after entering an MFA token once, they can create 10-20 session tokens, which may remain valid for up to 30 days.
The initial TTP we saw that led to the unraveling of the Söze Syndicate was an unusual pattern: someone logging in but never accessing email. We thought that was unusual. When creating multiple sessions, they generate these session tokens, and they suddenly disappear. During inspection, we asked whether these session tokens had ever been presented again to the Microsoft systems. We saw that they capture these session tokens and pass them to a completely separate infrastructure.
They usually log in from the United States, often very close to where the victim is. If they’re located in Texas or California, you’d see the login from California that wouldn’t trip any immediate alarms. Then, they clone the entire inbox or trick the user into installing specific software. In our report, we mentioned several of the different TTPs they use. There’s a piece of software called Perfect Data. It’s a legitimate application, but if it’s installed and enabled, these threat actors essentially create a perfect copy of their inbox indefinitely with no login activity. A lot of the logging is unavailable to folks like us, the MSPs trying to protect them.
They’re using sophisticated, stealthy techniques and are willing to wait weeks and sometimes up to six months. We’ve seen that they’ve read somebody’s email and continually monitored things before taking action, which is very different from what we see in ransomware. And the payoff is often as low as $75. They take an invoice and manipulate where the payment should be sent. They’re very persistent and willing to play the long game, using AI and other technologies to automate much of their work.
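To make the two signals described in this answer concrete (a session token presented again from a second host with no fresh MFA challenge, and an account that authenticates but never touches the mailbox), here is an added example that is not part of the interview and is not Todyl’s or any vendor’s tooling. It runs over constructed sign-in and mailbox-audit records embedded inline; the record layout, the `session_id` join key and the 24-hour window are assumptions chosen for illustration, and a real deployment would map them onto the cloud provider’s own sign-in and mailbox audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each sign-in is
# (timestamp, user, session_id, source_ip, mfa_satisfied). A replayed
# session token shows up as the same session_id from a new source with
# no new MFA challenge, because the token already carries the MFA claim.
SIGN_INS = [
    ("2024-06-03T09:00:00", "alice@example.com", "sess-1", "203.0.113.10", True),   # legitimate login
    ("2024-06-03T09:05:00", "alice@example.com", "sess-1", "203.0.113.10", False),  # same token, same host
    ("2024-06-03T11:30:00", "alice@example.com", "sess-1", "198.51.100.7", False),  # token replayed elsewhere
    ("2024-06-04T02:15:00", "bob@example.com",   "sess-2", "192.0.2.44",   True),   # login, then silence
]

# Constructed mailbox audit events: (timestamp, user, operation, session_id).
MAILBOX_EVENTS = [
    ("2024-06-03T09:02:00", "alice@example.com", "MailItemsAccessed", "sess-1"),
]


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_token_replay(sign_ins):
    """Return (user, session_id, sorted_ips) for every session whose token
    was presented from more than one source IP.  In production you would
    enrich the IPs with ASN/ISP data before alerting, since mobile users
    change addresses; here the raw IP is enough to show the pattern."""
    ips_by_session = defaultdict(set)
    owner = {}
    for _ts, user, sess, ip, _mfa in sign_ins:
        ips_by_session[sess].add(ip)
        owner[sess] = user
    return [
        (owner[sess], sess, sorted(ips))
        for sess, ips in sorted(ips_by_session.items())
        if len(ips) > 1
    ]


def find_silent_logins(sign_ins, mailbox_events, window_hours=24):
    """Return (user, session_id) for MFA-satisfied sign-ins that are not
    followed by any mailbox activity within window_hours.  A login that
    never reads mail is the odd pattern the interview says first exposed
    the campaign: the token is minted here and used somewhere else."""
    mail_by_session = defaultdict(list)
    for ts, _user, _op, sess in mailbox_events:
        mail_by_session[sess].append(parse_ts(ts))

    flagged = []
    for ts, user, sess, _ip, mfa in sign_ins:
        if not mfa:
            continue  # only judge the session from the point MFA was satisfied
        start = parse_ts(ts)
        end = start + timedelta(hours=window_hours)
        if not any(start <= t <= end for t in mail_by_session.get(sess, [])):
            flagged.append((user, sess))
    return flagged


if __name__ == "__main__":
    for user, sess, ips in find_token_replay(SIGN_INS):
        print(f"token replay: {user} session {sess} presented from {ips}")
    for user, sess in find_silent_logins(SIGN_INS, MAILBOX_EVENTS):
        print(f"silent login: {user} session {sess} authenticated but never read mail")
```

Both checks are deliberately cheap so they can run over a full day of sign-in and audit records from every tenant an MSP manages; the replay check catches the token being handed off to separate infrastructure, and the silent-login check catches the same thing from the other side when the second host never appears in the sign-in log at all.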
4. Why are SMBs particularly vulnerable to these evolving BEC attacks, and what gaps in their security posture are being exploited?
SMBs are particularly vulnerable to evolving BEC attacks due to several factors. While a small number of organizations don’t use multifactor authentication, more advanced cybersecurity measures tend to be adopted first by enterprises and gradually reach SMBs. Additionally, many SMBs lack dedicated cybersecurity staff and may even outsource their IT functions. This creates a situation where malicious activity, like stealthy email interactions, can go unnoticed for months or even years without advanced defense systems or visibility. Unlike ransomware, which is often immediately noticeable after detonation, account takeover and BEC can take much longer to detect. Moreover, SMBs may be targeted for their valuable contacts. For example, if an SMB works with a Fortune 500 company, attackers may focus on a few key inboxes to access the larger target. This method isn’t new. It was also used in the Target breach, where an HVAC vendor was exploited to gain access.
5. What practical steps can SMBs take to protect themselves against these advanced BEC attacks?
We discussed how MFA can be bypassed, but it’s still an essential control to have in place. It’s one additional step. In many cases, multifactor authentication can be set up to facilitate two-way communication. You should provide your token, and the server will send you a challenge. You should type a two-digit or three-digit number to confirm what was returned. Some types of multifactor authentication are better for preventing these attacks, but monitoring these systems is also critical. Many organizations have moved from an on-premises Exchange server to Microsoft 365, including SharePoint, which has their Word documents and all their business data on the cloud. It’s essential to have a managed security service provider looking at the telemetry of Microsoft, Azure, and Google environments to identify threats.
6. What trends do you foresee in the evolution of BEC attacks over the next few years?
The first trend I have noticed affecting cybersecurity and across the board is AI. Large Language Models (LLMs) are used by both defenders and threat actors, with threat actors getting a higher advantage. In the past, BEC involved manually reading your email or manually searching for keywords like “transfer,” “tax,” or “invoice.” Today, threat actors can download vast amounts of data and use an LLM to analyze it, even if you aren’t an extremely skilled programmer. Looking ahead, we can expect more sophisticated attacks using AI and automated tools.
On a positive note, law enforcement will partner with organizations like ours to tackle large-scale attacks before they cause huge damage. The irony is that when we effectively defend our customers from these malicious platforms, technically, no crime has taken place. There needs to be a new shift in the strategies industries and law enforcement use to tackle these issues.
I would encourage organizations to reach out to their managed security service providers based on their ability to understand where the threat landscape is truly shifting. I think it’s crucial to have your finger on the pulse of where these threat actors are gaining their biggest benefit and shifting their efforts so we can stay one step ahead of them.
Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.