Brand protection and BEC attacks of 2021

The year started like 2020 did not end. Living in lockdown has proven to be fairly difficult for all of us and the cybercriminals are out there making it even worse. They are busy taking advantage of organizations trying to configure their journey to digital transformation, cloud adoption and remote working.

By combining the fast adoption of SaaS applications and the potential misconfiguration errors that inevitably arise, together with unknown vulnerabilities from third-party suppliers, we have a recipe for disaster for the good guys.

Recent cyberattacks

Let’s start by taking a look at the recently reported spoof attack against that reached over 200 million users. The Business Email Compromise (BEC) phish lured users to check for quarantined emails from a link within the email. Since the email came from a legitimate Microsoft domain, users assumed it was a legitimate message. The cybercriminals were then able to steal their O365 credentials when they accessed and inserted their credentials in a mirror page of the application. 

Attacks like this are not unique. If we look back 12 months earlier, Check Point Software reported that the Florentine Banker Attack started from an impersonation, this time from a look-alike domain to Microsoft. The adversaries were able to compromise O365 credentials and launch a man in the middle attack against two Financial Services organizations in the United Kingdom, eventually financially defrauding them of £1 million. 

Those attacks are becoming more prevalent, and I believe we will be seeing a lot more coming along. Verizon disclosed in its 2020 Data Breach Investigations Report that the top 3 sources of breaches were Phishing, Use of Stolen Credentials, and Misconfiguration. This is showing us a pattern of leveraging social engineering through advanced Business Email Compromise to steal credentials to cloud applications where businesses store or exchange sensitive information and data. 

In 2021, organizations must prioritize the protection of their domains against direct impersonation attacks and identifying then removing look-alike domains.

DMARC can combat spoofing

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses two previously defined protocols, SPF and DKIM, to allow domain owners to explicitly tell the receiving email server what to do with an email that fails authentication. The enforcement of DMARC should be done both in the DNS and email gateway. When configuring a gateway with DMARC, you will be instructing your gateway to honour the policy of the sender’s domain, meaning it will ensure you are protecting your users against inbound impersonations of other domains. However, by enforcing DMARC on your DNS you will also be protecting your domains against direct spoofing attacks, thereby protecting your clients, business partners, internal users and wider supply chain. 

Check email DMARC setup

Gartner recently identified DMARC as a “Top 10 Security Projects for 2020-2021”. They determined that “organizations use email as the single source of verification, and users struggle to determine real messages from fakes.” The advice on the report is that organizations should look to implement and enforce use of the DMARC protocol to add an additional layer of trust and verification with the sender’s domain.

The implementation and enforcement of the protocol are crucial to closing the gap currently exploited by cybercriminals, however, it is only as part of a layered solution. With better targeted, well planned attacks and emails looking more similar to legitimate ones than ever before, it is highly important to empower internal users to identify malicious emails. Leveraging machine learning and behavioural analytics to highlight the potential threats within an user’s inbox is clearly the direction the industry is heading in to offer better protection against these types of threats.

It is also important to ensure that organizations use tools that complement one another and allow for a holistic view of its email attack surface. By gaining 360° visibility, the security operations team can have a more dynamic operating model that allows for faster detection and response, and ultimately, faster recovery from security incidents.

Attacks through supply chains, like SolarWinds are not far from what can happen through the impersonation of legitimate domains, and advanced Business Email Compromise. If you wish to discuss how Red Sift can help your organization protect its brand and domains against impersonation as well as its internal users against advanced Business Email Compromise, get in touch below.


Leo Do Carmo

16 Feb. 2021




Recent Posts


Red Sift Recognized on Deloitte’s EMEA Fast 500™ List

Francesca Rünger-Field

We’re thrilled to share that Red Sift has been included in Deloitte’s 2023 EMEA Fast 500 list. This recognition stems from 389% revenue growth over three years, $54 million in Series B funding, acquiring ASM innovator Hardenize, and introducing the Red Sift Pulse Platform. Read the press release here. About the award The Deloitte Technology Fast…

Read more
Brand Protection

The vital role of cybersecurity for Nonprofits: A deep dive 

Sean Costigan

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the…

Read more

Red Sift brings DMARC data to the SOC with new Cisco XDR…

Rebecca Warren

Today, we’re thrilled to announce that we’re extending our partnership by joining the Cisco Security Technical Alliance and integrating Red Sift OnDMARC with Cisco XDR. This integration builds on the Domain Protection partnership we announced in November 2023 to bring visibility of business email compromise into the SOC (security operations center). At release, Red…

Read more

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more