When Email Attacks

Why MFA Isn’t Enough to Stop Business Email Compromise Anymore. A plain-English guide to BEC, how it’s evolved, and what your organization can do about it.
What if I told you that your Microsoft 365 login—complete with strong passwords and MFA—could still let an attacker stroll right in?
Business Email Compromise (BEC) isn’t just rising. It’s exploding. From fake invoices to executive impersonations, attackers are becoming frighteningly good at blending in, slipping past security defenses, and making off with wire transfers, payroll deposits, and vendor payments. And unfortunately, well-trained employees and MFA on their own aren’t enough to stop them anymore.
So, what changed?
First, let’s talk about the scale of the threat:
- 💸 $2.7 billion in BEC-related losses were reported to the FBI’s Internet Crime Complaint Center (IC3) in 2022 alone.
- 🎯 90% of cyberattacks start with a phishing email.
- 📉 BEC represented over 50% of all social engineering incidents in 2022, nearly double the previous year (Verizon 2023 Data Breach Investigations Report).
- 📊 Companies with fewer than 500 employees saw their average breach cost jump from $2.92M in 2022 to $3.31M in 2023 (IBM Cost of a Data Breach Report 2023).
- 👩 Employee training was associated with an average breach-cost reduction of $232,867 in the same IBM report.
These aren’t numbers you can ignore. And they aren’t hypothetical anymore.
Why MFA Doesn’t Stop Today’s Email Attacks
Let’s bust the myth: MFA is good, but not foolproof. The problem? Attackers don’t always try to “break in.” Sometimes, they just walk in with your keys.
Tools like Evilginx (yes, that’s really its name) sit between the user and the real Microsoft login page as a reverse proxy. The victim types their password and approves the MFA prompt exactly as usual, and the request really does go to Microsoft; the proxy simply records the session cookie Microsoft hands back once MFA succeeds. With that cookie, the attacker is signed in as the user, no password or second factor required, and stays signed in until the session is revoked or expires. It’s called Adversary-in-the-Middle (AiTM), and it’s a fast-growing technique among professional cybercriminals.
Once inside, attackers read mail, create inbox rules that hide or forward messages, impersonate executives, intercept invoices, and redirect payments without raising red flags. Because technically, it looks like your own people are logged in.
Examples That Should Give You Pause
These are real-world BEC tactics from the field:
- Payroll Diversion: An attacker, posing as an employee (or using that employee’s hijacked mailbox), asks HR to change a direct deposit account, rerouting the paycheck.
- Vendor Impersonation: An invoice that looks like it came from a trusted supplier, often sent from the supplier’s own compromised mailbox in the middle of a real thread, with one small change: the bank account.
- Executive Spoofing: “Can you buy some gift cards? I need them for a last-minute event.”
- Legal Threat Scams: A compromised attorney email demanding payment—or else.
- Admin Account Takeover: Control of your Microsoft 365 environment. Yes, everything.
Sound like phishing? It is. But it’s phishing with a Harvard degree and a much bigger budget.
So, What Can Be Done? (Besides panic.)
The good news: this is manageable. It just requires a smarter strategy—especially for small and mid-sized businesses without giant security teams. Here’s what leading IT providers like The Electronic Office are starting to recommend:
🛡 Step 1: Identity Threat Detection & Response (ITDR)
This is the modern answer to modern threats. Instead of focusing just on login protection, use ITDR tools like Huntress Managed ITDR:
- Monitor activity after a login (because that’s where attackers hide)
- Detect odd behavior: logins from unexpected locations, unusual mailbox rules, rogue apps
- Respond automatically: locking accounts or guiding remediation
- Filter noise: Only real, human-validated threats are escalated
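The AiTM session hijack described earlier and the post-login signals listed above (unexpected locations, unusual mailbox rules, rogue apps) are easier to reason about with the detection logic in front of you. The example below is added for this article and is not Huntress code or Microsoft code; the sign-in and audit events are constructed for the example, with field names only loosely modelled on Entra ID sign-in logs and the Unified Audit Log, and the tenant domain, baseline countries, and one-hour replay window are assumptions you would tune to your own environment.

```python
"""Post-login BEC / AiTM indicators over constructed Microsoft 365 style events.
Record shapes are simplified and all data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"            # assumed tenant domain
REPLAY_WINDOW = timedelta(hours=1)    # assumed: replayed cookie within an hour of login
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "ach", "password", "hacked"}

# Constructed baseline of each user's usual sign-in countries (not real data).
BASELINE_COUNTRIES = {"cfo@example.com": {"US"}, "ap@example.com": {"US"}}

SIGNINS = [  # constructed sign-in events
    # Interactive login that passed MFA from the user's usual country.
    {"ts": "2024-03-04T13:02:11", "user": "cfo@example.com", "ip": "203.0.113.10",
     "country": "US", "session_id": "S1", "mfa": True},
    # Same session id minutes later from another country with no new MFA prompt:
    # the cookie captured by an AiTM proxy is being replayed.
    {"ts": "2024-03-04T13:09:40", "user": "cfo@example.com", "ip": "198.51.100.77",
     "country": "NG", "session_id": "S1", "mfa": False},
    {"ts": "2024-03-04T13:15:00", "user": "ap@example.com", "ip": "203.0.113.22",
     "country": "US", "session_id": "S2", "mfa": True},
]

AUDIT = [  # constructed audit-log events
    # Rule that forwards invoice mail outside the tenant and deletes the original.
    {"ts": "2024-03-04T13:12:05", "user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
                "ForwardTo": ["acct@attacker.example"], "DeleteMessage": True}},
    # Consent to a third-party app that can read and send the user's mail.
    {"ts": "2024-03-04T13:14:30", "user": "cfo@example.com", "op": "Consent to application.",
     "params": {"AppDisplayName": "PDF Viewer Pro",
                "Scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"]}},
    # Benign housekeeping rule from another user.
    {"ts": "2024-03-04T13:20:00", "user": "ap@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news"],
                "MoveToFolder": "Newsletters"}},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_signin_anomalies(signins, baseline=BASELINE_COUNTRIES):
    """Flag logins outside a user's baseline countries, and a session id that
    reappears from a new IP without MFA soon after the first login (token replay)."""
    alerts, by_session = [], defaultdict(list)
    for e in sorted(signins, key=lambda e: e["ts"]):
        if e["country"] not in baseline.get(e["user"], set()):
            alerts.append(("unexpected_location", e["user"], e["ts"], e["country"]))
        by_session[e["session_id"]].append(e)
    for sid, events in by_session.items():
        first = events[0]
        for later in events[1:]:
            if (later["ip"] != first["ip"] and not later["mfa"]
                    and _t(later["ts"]) - _t(first["ts"]) <= REPLAY_WINDOW):
                alerts.append(("session_replay", later["user"], later["ts"], sid))
                break
    return alerts


def inbox_rule_reasons(params, org_domain=ORG_DOMAIN):
    """Why a New-/Set-InboxRule parameter set looks like BEC tradecraft. Only rules
    that exfiltrate or hide mail are flagged; keywords and odd names are context."""
    actions, context = [], []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in params.get(key, []):
            if not addr.lower().endswith("@" + org_domain):
                actions.append(f"{key} external {addr}")
    if params.get("DeleteMessage"):
        actions.append("deletes matching mail")
    if len(params.get("Name", "").strip()) <= 2:
        context.append(f"near-empty rule name {params.get('Name')!r}")
    words = {w.lower() for k in ("SubjectContainsWords", "BodyContainsWords")
             for w in params.get(k, [])}
    if words & FINANCE_WORDS:
        context.append("keys on " + ",".join(sorted(words & FINANCE_WORDS)))
    return actions + context if actions else []


def risky_mail_scopes(params):
    """Mailbox-wide delegated scopes granted to an app; offline_access makes them persistent."""
    scopes = set(params.get("Scopes", []))
    risky = sorted(scopes & MAIL_SCOPES)
    if risky and "offline_access" in scopes:
        risky.append("offline_access")
    return risky


def find_audit_anomalies(audit):
    alerts = []
    for e in audit:
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = inbox_rule_reasons(e["params"])
            if reasons:
                alerts.append(("suspicious_inbox_rule", e["user"], e["ts"], "; ".join(reasons)))
        elif e["op"] == "Consent to application.":
            risky = risky_mail_scopes(e["params"])
            if risky:
                alerts.append(("risky_app_consent", e["user"], e["ts"],
                               f"{e['params']['AppDisplayName']}: {','.join(risky)}"))
    return alerts


def escalate(signins=SIGNINS, audit=AUDIT, baseline=BASELINE_COUNTRIES, min_kinds=2):
    """Users with at least `min_kinds` independent indicator types. One odd login is
    noise; a replayed session plus a forwarding rule is a takeover worth acting on."""
    kinds = defaultdict(set)
    for kind, user, *_ in find_signin_anomalies(signins, baseline) + find_audit_anomalies(audit):
        kinds[user].add(kind)
    return sorted(u for u, k in kinds.items() if len(k) >= min_kinds)


if __name__ == "__main__":
    for alert in find_signin_anomalies(SIGNINS) + find_audit_anomalies(AUDIT):
        print(alert)
    print("escalate:", escalate())
```

Run as-is, the script prints four alerts for the CFO (an unexpected-country login, a replayed session, a forwarding-and-delete inbox rule, and a mail-scoped app consent) and nothing for the AP user, then escalates only the CFO. The design choice worth copying is the last function: single indicators are noisy, so escalation waits for two independent kinds, which is the same “filter noise, then act” idea behind the managed ITDR list above. The response side is not shown; in a real tenant that means revoking the user’s sessions, disabling the rule, and removing the app grant before a password reset, since a reset alone does not invalidate a stolen session cookie.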
It’s like hiring a 24/7 security team that knows the difference between a mistake and a real threat.
👩🏫 Step 2: Train and Test Your Team
Even the best tech won’t catch everything. Run simulated phishing campaigns. Teach staff what to look for: urgent language, unexpected links, weird sender names.
⚙️ Step 3: Layer in Smart Access Policies
Microsoft’s Conditional Access policies can limit logins by region, device, or risk score. Combine this with MFA for extra friction in all the right places, and be picky about which MFA: push notifications and one-time codes can be relayed through an AiTM proxy, but phishing-resistant methods (FIDO2 security keys and passkeys, Windows Hello for Business, certificate-based authentication) are bound to the real login domain, so a look-alike proxy site cannot complete them. Conditional Access can require that “phishing-resistant MFA” authentication strength, and requiring a compliant or managed device adds a second check that a replayed session cookie from an attacker’s machine will fail.
📞 Step 4: Create Verification Rules
Make phone verification mandatory for any finance or vendor changes, and call back on a number you already have on file, never one supplied in the email requesting the change. It’s old-school, but it works.
The Bottom Line
If you’re using Microsoft 365, email is your organization’s front door—and BEC attackers have learned how to pick the lock. The threats are real, evolving, and no longer just the domain of large enterprises. But with layered defenses, smarter tools, and strong partners, you can keep your data (and your dollars) safe.
Want to know how well your current defenses hold up? A conversation with your MSP might be the best place to start. Don’t have one? We’re here 24/7/365, even if you aren’t one of our clients.