Deceptive Signatures: Advanced Techniques in BEC Attacks

March 26, 2025

Business Email Compromise (BEC) is one of the most common forms of cyberattack targeting the modern organization. At its most basic level, the technique is simply one of impersonation: the attacker masquerades as a colleague or business partner to extract information or funds from a target. The attack requires little technical proficiency and has a low barrier to entry. However, just because an attack is simple doesn't mean it can't become more complex. New tools are increasingly being brought to bear in BEC attacks, leveraging advanced social engineering, AI-driven personalization, and complex phishing kits in order to overcome MFA protections.

One of the more interesting techniques discovered by investigators in recent months is a form of parasitic BEC phishing that appends the phish to a genuine email by tampering with the email signature block. By default, neither Microsoft 365 nor Google Workspace tracks changes to the email signature, and many users pay no attention to signatures, since they normally never change, which makes them an effective target for the threat actor. If the threat actor gains access to a business email account, they can insert an HTML-formatted phishing message into the victim's email signature block, making it appear as a continuation of the legitimate email. In this way, an inattentive user can unknowingly send phishing emails to everyone they correspond with, spreading the phish without triggering the kind of security detections that a mass phish sent from the account would cause.

Investigators have uncovered multiple examples of this tactic being employed in the wild. One such case used the compromised email account of a college administrator and targeted students. In this campaign, the threat actor modified the administrator's signature to contain a warning that the student's financial details needed to be verified in order to receive financial aid, together with a link to a Google Form. If the understandably scared student accessed the form and verified their information in this way, they would be passing all their financial details directly to the threat actor. Unless the administrator realized their signature had been modified, this threat would be very difficult to detect. To mitigate campaigns of this type in the future, it is strongly recommended that enterprises implement some form of mechanism to notify users when their email signatures have been modified.
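The notification mechanism recommended above can be built as a baseline-and-diff check over each mailbox's signature HTML. The following is an added example, not code from the original post or from Blackwired: it fingerprints a stored baseline signature, compares it with the current one, and flags any newly introduced link whose host was not in the baseline. The function names and the sample signatures are constructed for illustration; in production the current signature would be pulled from the mail platform (for Exchange Online, the SignatureHtml value returned by Get-MailboxMessageConfiguration).

```python
"""Signature-change monitor: diff a mailbox's current signature against a stored baseline."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in a signature's HTML."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def extract_links(sig_html):
    parser = _LinkCollector()
    parser.feed(sig_html)
    return parser.links


def signature_fingerprint(sig_html):
    """SHA-256 over whitespace-collapsed HTML so cosmetic reflow does not raise alerts."""
    canonical = re.sub(r"\s+", " ", sig_html).strip()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_signature(baseline_html, current_html):
    """Report whether the signature changed and which links point at hosts absent from the baseline."""
    changed = signature_fingerprint(baseline_html) != signature_fingerprint(current_html)
    known_hosts = {urlparse(u).hostname for u in extract_links(baseline_html)}
    new_links = [u for u in extract_links(current_html) if urlparse(u).hostname not in known_hosts]
    # A change that also introduces an unknown destination is the pattern described in the post.
    return {"changed": changed, "new_links": new_links, "alert": changed and bool(new_links)}


# Constructed sample data (hypothetical mailbox, not taken from any real incident).
BASELINE = """<div><b>Jane Doe</b><br>Financial Aid Office, Example College<br>
<a href="https://www.example.edu/financial-aid">example.edu/financial-aid</a></div>"""

# The same signature with an appended lure and a placeholder form link, as in the campaign above.
TAMPERED = BASELINE + """
<p>Your financial aid details must be verified:
<a href="https://docs.google.com/forms/d/e/PLACEHOLDER-FORM-ID/viewform">verify here</a></p>"""

if __name__ == "__main__":
    print(check_signature(BASELINE, BASELINE))  # no change, no alert
    print(check_signature(BASELINE, TAMPERED))  # changed, one new link host, alert
```

Running the check on a schedule against each mailbox and notifying the user (and the security team) when `alert` is true gives the modification notice the post recommends, while whitespace-only edits stay quiet.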
