

BEC scammers bypass Microsoft 365 multi-factor authentication


Email scams have been going on since email addresses were created. To stop these scammers, security vendors and enterprises have created different security measures; however, attackers keep finding new ways to bypass those measures.

For instance, the Business Email Compromise (BEC) campaign combines sophisticated spear-phishing with an Adversary-in-the-Middle (AiTM) tactic to circumvent corporate executives' Microsoft 365 multi-factor authentication.

This article explains how BEC attacks work, highlights standard techniques and offers security tips against phishers.

How did the BEC campaign target Microsoft 365 multi-factor authentication? 

A corporate user received a well-crafted email from a seemingly legitimate source. On clicking the appended link, the user was taken to a website controlled by the attacker. From there, the user was directed to the SSO page of Microsoft 365. Using AiTM, the attacker ran a reverse proxy that relayed the authentication request between the victim and the Microsoft 365 website.

When the victim fulfilled the MFA, the attacker gained access to the session token by virtue of being the proxy. This way, the attacker could log in using the session token, bypassing the Microsoft 365 multi-factor authentication. 
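A defender can look for this token reuse in sign-in logs. The added example below, which is not part of the original article, flags a session that is reused from an IP address and user agent other than the one that completed MFA. The log records are constructed, and their field names are assumptions rather than a real Microsoft 365 log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records. Field names are assumptions for this example,
# not the schema of any real Microsoft 365 log export.
SIGNINS = [
    {"time": "2024-05-06T09:01:12", "user": "cfo@example.com", "session": "s-1001",
     "ip": "198.51.100.24", "country": "US", "agent": "Edge/124", "mfa": True},
    {"time": "2024-05-06T09:03:40", "user": "cfo@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "country": "NL", "agent": "python-requests", "mfa": False},
    {"time": "2024-05-06T09:10:05", "user": "ap@example.com", "session": "s-2002",
     "ip": "192.0.2.15", "country": "US", "agent": "Chrome/124", "mfa": True},
    {"time": "2024-05-06T11:45:00", "user": "ap@example.com", "session": "s-2002",
     "ip": "192.0.2.15", "country": "US", "agent": "Chrome/124", "mfa": False},
]


def find_replayed_sessions(records):
    """Return one finding per session reused from a client that never did MFA."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[(rec["user"], rec["session"])].append(rec)

    findings = []
    for (user, session), events in sessions.items():
        events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        # Clients (IP + user agent) that completed MFA in this session.
        trusted = {(e["ip"], e["agent"]) for e in events if e["mfa"]}
        if not trusted:
            continue  # no MFA event recorded, nothing to compare against
        mfa_time = datetime.fromisoformat(next(e["time"] for e in events if e["mfa"]))
        for e in events:
            if e["mfa"] or (e["ip"], e["agent"]) in trusted:
                continue
            delay = datetime.fromisoformat(e["time"]) - mfa_time
            findings.append({
                "user": user, "session": session, "ip": e["ip"],
                "country": e["country"], "agent": e["agent"],
                "seconds_after_mfa": int(delay.total_seconds()),
            })
            break  # one finding per session is enough to open an investigation
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SIGNINS):
        print("possible token replay:", f)
```

The check only catches replay from a client that differs from the one that satisfied MFA, so it is best paired with a comparison of the MFA client against the user's usual locations.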

Here are a few examples of how the scam works:

  • Your company's regular vendor sends an invoice with an updated postal address.

  • A CEO instructs their secretary to purchase dozens of gift cards as employee incentives. Later, the CEO requests the serial numbers of the gift cards to purportedly send them via email immediately.

  • The title firm sends a message to a homebuyer with information on how to wire the down payment.

Stages of BEC attack

BEC attacks do not require advanced tools. They exist in various forms, with the amount of sophistication determined by the attacker's ability. Here's how a typical BEC attack plays out:

Phase 1: Conduct research and identify potential targets

BEC attacks are typically directed at executives or workers authorized to make payments on behalf of their companies. Attackers research their targets over days or weeks, mining contact information from websites, social media, and the dark web. They create a profile of their target organization before focusing on their victims. CEOs, lawyers, and accounts payable professionals are common BEC targets.

Phase 2: Plan the Attack

BEC attacks appear authentic and credible, unlike the "spray and pray" strategy of mass phishing emails. During the attack, scammers spoof email addresses, create look-alike domains, or pretend to be trusted vendors or colleagues.

Phase 3: Carry out the Attack

An actual BEC attack can consist of a single email or an entire thread, depending on how thorough the adversary is. Attackers use persuasion, urgency, and authority to gain the victim's attention. To facilitate payments to the phony account, the attacker instructs the victim to follow the wiring instructions.

Phase 4: Payment Distribution

Once the money gets transferred, the attacker distributes it among many accounts, making it impossible to trace the money trail. Even if organizations discover the BEC attack, money is unlikely to be recovered.

5 Ways to prevent a BEC attack

1. Be attentive: Exercise caution when sharing information online. When you openly share pet names, schools, family links, and birthdates, fraudsters can guess your password or answer your security questions.

2. Verify twice: If you receive an email or text message requesting you to update or verify your account information, do not click on any links within the message. Make sure the company is legitimate by contacting them, and do not use the number the scammer provides.

3. Check the email: Check the spelling and email address in correspondence. To dupe victims, scammers use subtle distinctions.

4. Take care of what you download: Never open an email attachment from an unknown sender. Also, two-factor authentication (or multi-factor authentication) should never be disabled.

5. Verify payment and purchase requests: Confirm any changes to an account number or payment procedure with the person making the request. 


Most BEC attacks are supported by cloud-based infrastructure, allowing the phishers to scale their operations. They run activities from different IP addresses, locations, and timeframes, making it difficult for law enforcement agencies to trace them. Excellent cyber hygiene and alertness are a must to keep attackers at bay. Corporate users must ensure that they do not share their 2FA details with anyone to protect the sanctity of their accounts.
