---
title: "Business Email Compromise (BEC) Scams Take New Dimension With Multi-Stage Attacks | DMARC Report"
description: "Microsoft's Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and BEC campaign, tracked as Storm-1167, against banking and financial services organizations."
image: "https://dmarcreport.com/og/blog/business-email-compromise-bec-scams-take-new-dimension-with-multi-stage-attacks.png"
canonical: "https://dmarcreport.com/blog/business-email-compromise-bec-scams-take-new-dimension-with-multi-stage-attacks/"
---

Quick Answer

Adversary-in-the-middle is an attack type where malicious actors intercept authentication between victims and a genuine authentication service to compromise identities or perform other malicious activities.


![Business Email Compromise (BEC) Scams Take New Dimension With Multi-Stage Attacks](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

Microsoft’s Defender Experts recently discovered a sophisticated multi-stage AiTM (adversary-in-the-middle) phishing and BEC (business email compromise) attack targeting numerous banking and financial services organizations. Read on to learn more about the latest [email security](https://dmarcreport.com/) threat.

> Domain spoofing is trivially easy without DMARC enforcement, says Brad Slavin, General Manager of DuoCircle. Anyone can send email that looks like it comes from your domain. DMARC with p=reject is the only way to tell receiving servers to block unauthorized senders completely.

According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), the IC3 received 300,497 phishing complaints in a single year, and Business Email Compromise (BEC) accounted for more than $2.7 billion in reported losses. Adversary-in-the-middle is an attack type where malicious actors intercept authentication between victims and a genuine authentication service to compromise identities or perform other malicious activities.

The adversaries position themselves between the service and the user to intercept the MFA (multi-factor authentication) exchange and capture the [session cookie](https://www.techopedia.com/definition/4910/session-cookie) that the service issues once the login succeeds. Afterward, they replay that stolen cookie to impersonate the user; because the cookie represents a completed authentication, neither the password nor a second factor is needed again. Thus, they can access the impacted user’s applications and resources to launch business email attacks and perform other nefarious activities.

The recent campaign, which Microsoft tracks as **Storm-1167**, achieved initial access by targeting a trusted vendor. The threat actors then used an indirect proxy to serve the phishing pages to their targets, according to Microsoft’s report (summarized [here](https://latesthackingnews.com/2023/06/11/unmasking-the-multi-stage-aitm-phishing-and-bec-attack-on-financial-institutions/)).

The phishing emails that the perpetrators sent contained a link that redirected victims to a fake Microsoft sign-in page. When users entered their credentials there, the attackers used them, together with the intercepted MFA response, to obtain a valid session cookie that they then replayed against the real service.

## How Microsoft’s Experts Detected and Contained the Attack

Because Microsoft’s experts actively research the latest BEC and AiTM techniques, they designed advanced hunting detections for the Microsoft Defender Experts service. Combining those detections with analysis of anomalous user behavior and email patterns, they detected the attack in its early stages.

As of 2025, DMARC is required under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal civilian executive-branch domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) requirement 5.4.1, mandatory since March 31, 2025, requires anti-phishing controls for organizations handling payment card data, and DMARC is the usual way to satisfy it. Google and Yahoo have required DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began enforcing](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) the same requirements for high-volume senders to Outlook.com in May 2025. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all require DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
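Whether a domain is actually "at enforcement" depends on more than the p= tag. The following added example, which is not code from this article or from DMARC Report, parses the tag=value syntax of RFC 7489 and lists the gaps (a non-reject subdomain policy, a pct= below 100, no reporting address) that leave a domain short of blocking all unauthorized mail. The records it checks are constructed; in practice you would feed it the TXT record retrieved from `_dmarc.<domain>`.

```python
"""Evaluate how far a DMARC record is from full enforcement.

Added example; it is not code from this article or from DMARC Report. It
parses the tag=value syntax of RFC 7489 and lists the gaps that leave a
domain short of "reject all unauthorized mail". The records below are
constructed for illustration; swap in the TXT record from _dmarc.<domain>.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag; a record that
    violates either rule is ignored by receivers, so it is rejected outright.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def assess_dmarc(record: str) -> dict:
    """Report the policy actually applied and why it falls short of reject."""
    tags = parse_dmarc(record)
    # Policy values are compared case-insensitively here (a design choice).
    policy = tags["p"].lower()
    # sp= defaults to the organizational policy; pct= defaults to 100.
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct must be 0-100, got {pct}")
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: receivers are not told to block spoofed mail")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse goes unseen")
    enforced = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "enforced": enforced, "findings": findings}


# Constructed sample records, from weakest to strongest.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(label, "enforced" if result["enforced"] else "NOT enforced")
        for finding in result["findings"]:
            print("   -", finding)
```

The `partial` record is the common trap: p=reject looks compliant, but sp=none leaves every subdomain spoofable and pct=50 lets half of the failing mail through.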

They not only detected but also analyzed the complete attack chain, identified the impacted customers, and quickly reached out to them. They then continued to monitor the campaign for additional [compromised accounts](https://www.securityweek.com/microsoft-okta-confirm-data-breaches-involving-compromised-accounts/) or changes in the phishing pattern, because the attack later unfolded into a massive campaign.

## How the Email Attack Started

The malicious actors planned a sophisticated phishing campaign against an employee of an organization that is a trusted vendor for many businesses. They used a URL that led the victims to Canva, an online graphic design platform for creating posters, presentations, and other graphics. The [adversaries](https://www.securityweek.com/33-new-adversaries-identified-by-crowdstrike-in-2022/) had designed the Canva page to look like a OneDrive document preview. Clicking the image took victims to a spoofed Microsoft sign-in page that asked them to authenticate.

After compromising the vendor’s email account, the threat actors extracted email addresses from its email threads and sent over 16,000 similar Canva emails. The Microsoft researchers note in the report that the adversaries read and responded to replies from recipients who doubted the [phishing](https://dmarcreport.com/blog/phishing-smishing-vishing-everything-you-need-to-know/) email, to convince them it was genuine. They then deleted those emails and responses from the mailbox to hide the activity from the account owner.


## What Can Be The Consequences Of Such Attacks?

Multi-stage attacks that combine AiTM phishing with BEC are growing rapidly, much as software supply chain attacks have, since both exploit a trusted relationship to reach the real target. According to the latest public service announcement by the FBI’s [Internet Crime Complaint Center (IC3)](https://www.ic3.gov/Media/Y2023/PSA230609), identified global exposed losses from BEC rose by **17%** between December 2021 and December 2022. Such BEC attacks aim to trick recipients into initiating wire transfers, transferring cryptocurrency, or sharing private personal and financial information. The IC3 recorded 277,918 BEC incidents internationally over the past decade, with over $50 billion in exposed losses. As Microsoft notes, this campaign shows how complex BEC and AiTM threats have become, targeting genuine relationships between vendors, partner businesses, and suppliers with financial fraud in mind.

## Ways To Protect Against Such Multi-Stage Attacks

Experts point out that while such AiTM phishing attempts are built to **target MFA**, MFA remains essential in stopping a wide variety of threats. Following are some ways you can protect your organization against such email [security threats](https://www.analyticsinsight.net/top-10-saas-cybersecurity-threats-you-must-know-in-2023/):

- _Phishing-resistant authentication:_ The usual response to an identity compromise is resetting the compromised user’s password. However, because the attackers in this campaign held a valid signed-in session, a password reset alone would not have ended their access; the active sessions and tokens had to be revoked as well. Even after a reset, the attackers could have kept persistence by registering their own MFA method on the account. Organizations must therefore work with their identity provider to enforce MFA, preferring methods that resist phishing. Microsoft customers can use **Microsoft Authenticator**, certificate-based authentication, and [FIDO2](https://hideez.com/en-int/blogs/news/fido2-explained) security keys; FIDO2 keys in particular bind the credential to the genuine site’s origin, so a look-alike sign-in page cannot complete the login.
- _Advanced anti-phishing solutions:_ Businesses should invest in anti-phishing solutions that scan and monitor visited websites and incoming email: browsers that automatically identify and block malicious websites, including those the threat actors used in this campaign, and solutions that detect and block malicious links, emails, and files.
- _Conditional access policies:_ Organizations can implement [conditional access](https://oxfordcomputertraining.com/glossary/conditional-access/) policies that evaluate sign-in requests against additional user and device signals, such as IP location or device compliance status, so that a stolen session is harder to reuse from an unmanaged device or an unexpected network.
- _Continuous monitoring:_ Businesses must continuously monitor for anomalous or **suspicious activity**. Security teams can look for suspicious sign-ins by watching user location, ISP, use of anonymizer services, and the same session being reused from a different network or browser than the one that established it.
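The monitoring signals listed above (location, ISP, anonymizer use) can be turned into a concrete check for the replayed-cookie pattern this campaign relied on. The following added example, which is not code from the Microsoft report or from this article, walks sign-in records in time order, remembers the network and client that first established each session id, and raises an alert when a later cookie-authenticated request on the same session arrives from an anonymizer ASN, another country, a different ASN within a short window, or a different user agent. The record fields, the ASN list and the log lines are all constructed for this example; in practice they would map to the equivalent fields in your identity provider’s sign-in logs.

```python
"""Flag sign-in sessions that look replayed from a stolen cookie.

Added example, not code from the Microsoft report or this article. It walks
sign-in records ordered by time, remembers the network and client that first
established each session id, and raises an alert when a later request on the
same session arrives from an anonymizer ASN, another country, a different ASN
within a short window, or a different user agent. The record fields, the
ASN list and the log lines themselves are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a curated list of VPN/proxy/hosting ASNs (constructed values).
ANONYMIZER_ASNS = {"AS64666"}
# A legitimate user rarely changes network provider mid-session this fast.
ASN_CHANGE_WINDOW = timedelta(hours=1)

# Constructed sign-in log. Alice's session S-1 is later reused from a
# hosting network in another country with a different browser: the shape a
# replayed AiTM cookie has. Bob's session S-2 moves to a new IP on the same
# ISP hours later, which is normal roaming and must not alert.
SAMPLE_LOG = [
    {"ts": "2023-06-01T09:00:00Z", "user": "alice@vendor.example", "session": "S-1",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "US", "ua": "Edge/114", "auth": "mfa"},
    {"ts": "2023-06-01T09:05:00Z", "user": "alice@vendor.example", "session": "S-1",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "US", "ua": "Edge/114", "auth": "cookie"},
    {"ts": "2023-06-01T09:11:00Z", "user": "alice@vendor.example", "session": "S-1",
     "ip": "198.51.100.7", "asn": "AS64666", "country": "NL", "ua": "Chrome/113", "auth": "cookie"},
    {"ts": "2023-06-01T10:00:00Z", "user": "bob@vendor.example", "session": "S-2",
     "ip": "192.0.2.5", "asn": "AS64501", "country": "US", "ua": "Edge/114", "auth": "mfa"},
    {"ts": "2023-06-01T16:00:00Z", "user": "bob@vendor.example", "session": "S-2",
     "ip": "192.0.2.99", "asn": "AS64501", "country": "US", "ua": "Edge/114", "auth": "cookie"},
]


@dataclass
class Alert:
    user: str
    session: str
    ip: str
    reasons: list


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(records):
    """Return one Alert per suspicious cookie-authenticated request."""
    alerts = []
    origin = {}  # session id -> record that established the session
    for rec in sorted(records, key=_ts):
        first = origin.setdefault(rec["session"], rec)
        # The establishing request, or one that re-passed MFA interactively,
        # is not a replay candidate.
        if first is rec or rec["auth"] != "cookie":
            continue
        reasons = []
        if rec["asn"] in ANONYMIZER_ASNS:
            reasons.append("request from anonymizer/hosting ASN")
        if rec["country"] != first["country"]:
            reasons.append(f"country changed {first['country']} -> {rec['country']}")
        if rec["asn"] != first["asn"] and _ts(rec) - _ts(first) < ASN_CHANGE_WINDOW:
            reasons.append("ASN changed within an hour of session start")
        if rec["ua"] != first["ua"]:
            reasons.append("user agent differs from the device that signed in")
        if reasons:
            alerts.append(Alert(rec["user"], rec["session"], rec["ip"], reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_LOG):
        print(f"{a.user} session {a.session} from {a.ip}: " + "; ".join(a.reasons))
```

Only Alice’s third request trips the check, with all four reasons; Bob’s later request changes IP but stays on the same ASN, country and browser, so it stays quiet. The response to an alert is the one the first bullet describes: revoke the session rather than only reset the password.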

## Final Words

This Storm-1167 BEC incident highlights the growing complexity of email attacks on businesses and the layered defenses they require. It also underscores why [organizations](https://dmarcreport.com/blog/what-is-dmarc-compliance-and-how-can-you-achieve-it/) need proactive threat hunting to discover new tactics, techniques, and procedures (TTPs) and remediate them before they spread.

The continuous evolution of these threats, such as the indirect proxy used in this campaign, shows that organizations must remain as vigilant and proactive about their security measures as Microsoft’s experts were here.

## Sources

- [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)
- [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025)
- [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025)


Vasile Diaconu, Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report.


Published June 12, 2023; last updated April 16, 2026.
