Ramsdata

Business Email Compromise (BEC) is one of the costliest types of cybercrime in the world today. The FBI IC3 estimates that global losses from BEC attacks exceeded $2.9 billion in 2023 – and that’s just the reported incidents. What makes BEC so dangerous? These attacks bypass traditional spam filters because they don’t contain malicious links or attachments – they are precisely constructed emails that look like legitimate correspondence from a trusted person. Barracuda offers specialized BEC detection mechanisms that address this problem where classic defenses fail.

Table of contents

  1. What is a BEC attack and why is it so difficult to detect?
  2. What does a typical BEC attack look like?
  3. Why don’t traditional spam filters detect BECs?
  4. How does Barracuda detect BEC attacks?
  5. Protection against account takeover (Account Takeover)
  6. Artificial intelligence and behavioral analysis of emails
  7. Key findings
  8. FAQ
  9. Summary

What is a BEC attack and why is it so difficult to detect?

Business Email Compromise is a category of attacks in which a cybercriminal impersonates a trusted person – most often a CEO, CFO, company lawyer or trusted vendor – to get an employee to make a wire transfer, disclose confidential information or perform some other financial/informational action.

The difficulty of detecting BEC is due to several factors. First, BEC attacks are highly targeted and personalized: criminals study the organization before attacking, learning its structure, the communication style of its management and its current projects. The message is written to sound like the natural correspondence of a specific person rather than a generic phishing email. Second, BEC messages usually contain no malicious links or attachments; the message is plain text, so malware-signature and URL-scanning filters have nothing to catch. Third, the messages are often sent from slightly modified domains (lookalike domains) or through hijacked employee accounts, which makes them credible to the recipient.

What does a typical BEC attack look like?

A typical BEC attack proceeds in several phases. Reconnaissance phase: the criminal explores LinkedIn, the company website, social media, public documents – gathering information about the organization’s structure, who is the CFO, who is responsible for wire transfers, what are the current projects and orders.

Preparation phase: registering a lookalike domain (e.g., company-invoices.com instead of company.com), or taking over an employee’s e-mail account by phishing, keylogger or brute-force attack on a weak password.

The attack phase: sending a message impersonating the CEO or a supplier with an urgent request for a transfer “outside standard procedure” (because we have an audit, because the transaction is confidential, because we need to act quickly). Time pressure and authority are key elements of BEC social engineering.

Fulfillment phase: the employee makes the transfer, and the fraud is usually discovered only days later, when the real person asks about an order or payment they never requested.

Why don’t traditional spam filters detect BECs?

Classic spam filters operate on signatures: known patterns of malicious URLs, hashes of malicious files, reputation lists of spammers’ IP addresses. BEC uses none of these elements. The message comes from an address or domain that is unknown to the filter but not yet on any blocklist, it contains no links or attachments, and its text is the only indicator that it is malicious.

SPF, DKIM and DMARC, the standard email authentication mechanisms, protect against impersonation of the company’s own domain by external senders, and only when the domain publishes an enforcing DMARC policy and the receiving side actually checks it. They do not help when the attack comes from a lookalike domain (a different domain that merely looks similar; the attacker can publish valid SPF, DKIM and DMARC records for it, so the message authenticates cleanly) or when an employee’s account has been taken over, because the message is then genuinely sent from the company’s own mail system.

How does Barracuda detect BEC attacks?

Barracuda Email Protection offers a multi-layered BEC detection mechanism based on artificial intelligence and behavioral analysis. A key component is Barracuda Sentinel, an AI engine that learns an organization’s normal communication patterns.

Sentinel analyzes hundreds of thousands of emails in an organization, building behavioral models for each employee: who they typically correspond with, at what times, with what style, from what devices. When a message appears that deviates from these patterns – even if it comes from a valid address – the system generates an alert or blocks the message.

Domain lookalike detection is another layer: Barracuda compares the sender’s domain with the domains of trusted partners and of the organization itself, identifying domains that are similar but not identical (e.g. barracuda.com vs. barracuda-support.com). Header inspection detects discrepancies between the From header (the sender the recipient sees) and the Reply-To header (the address that actually receives the reply), a classic BEC trick for steering the conversation to an attacker-controlled mailbox. A related check compares the display name with the address behind it: a message whose display name matches an executive but whose address sits at a free webmail provider or an unrelated domain is a strong impersonation indicator.
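The following script is an added illustration of the header-level checks just described; it is example code written for this article, not Barracuda’s detection logic. It parses constructed sample messages with Python’s standard email library, flags sender domains that imitate an assumed trusted-domain list (homoglyphs such as rn for m, digit substitutions, an added token like -support, or the same name on another TLD), reports a Reply-To that points at a different domain than From, and catches a display name that matches an assumed executive directory while the address does not. The trusted domains, the executive directory and the messages are all assumptions.

```python
"""Added example: header-level BEC checks run over constructed sample messages.
Illustrative code written for this article, not Barracuda's detection logic.
The trusted domains, executive directory and messages are all assumed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organization trusts (its own plus key partners).
TRUSTED_DOMAINS = ["example.com", "barracuda.com"]
# Assumed: executive display names and the only address each legitimately uses.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

_DIGIT_SWAPS = str.maketrans("0135", "olse")  # 0->o, 1->l, 3->e, 5->s


def normalize(label):
    """Fold common homoglyph tricks (rn for m, vv for w, digits for letters)."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_DIGIT_SWAPS)


def edit_distance(a, b):
    """Levenshtein distance: single-character edits separating a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    """'barracuda-support.com' -> 'barracuda-support' (two-label domains assumed)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    if domain in TRUSTED_DOMAINS:
        return None
    candidate = normalize(second_level(domain))
    for trusted in TRUSTED_DOMAINS:
        brand = normalize(second_level(trusted))
        # Brand embedded in the name (barracuda-support, same name on another TLD)
        # or within two character edits of it (examp1e, barracudda).
        if brand in candidate or edit_distance(candidate, brand) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return a list of findings for one RFC 822 message (empty list = no issue)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike: {from_domain} imitates {imitated}")

    if reply_addr:  # replies silently redirected to another domain
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to mismatch: replies go to {reply_domain}, not {from_domain}")

    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoof: '{display_name}' sent from {from_addr}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\n"
             "Subject: Q3 budget\n\nSee the attached draft.\n",
    "homoglyph": "From: Jane Doe <jane.doe@examp1e.com>\nTo: bob@example.com\n"
                 "Subject: Urgent wire\n\nI need a transfer processed today.\n",
    "reply_to": "From: Jane Doe <jane.doe@example.com>\n"
                "Reply-To: <jane.doe.ceo@mail-outbox.net>\nTo: bob@example.com\n"
                "Subject: Confidential\n\nReply to this address only.\n",
    "brand_token": "From: Vendor Support <billing@barracuda-support.com>\n"
                   "To: ap@example.com\nSubject: Updated bank details\n\n"
                   "Please update our account number before the next payment.\n",
}


def scan_all():
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:12s} {findings or 'clean'}")
```

The edit-distance threshold of two and the substring rule are deliberately loose: in production a false positive costs a warning banner, while a miss costs a wire transfer, so the heuristics err toward flagging and let a reputation or allow-list layer suppress known-good partners.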

Integration with web security solutions creates multi-layered protection against social engineering attacks.

Protection against account takeover (Account Takeover)

Many BEC attacks use hijacked employee accounts, which makes them extremely difficult to detect because the message comes from a legitimate company account and passes every authentication check. Barracuda Sentinel detects hijacked accounts through behavioral analysis: sign-ins from new geographic locations, a change in the sending pattern, a sudden large number of messages to external recipients, or the creation or modification of mail-forwarding rules.

When the system detects a potentially hijacked account, it generates an alert to the administrator and can automatically log out the session and require re-authentication with MFA. Retrospective analysis also identifies messages sent from the account during a period when it may have been controlled by an attacker.
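To make the account-takeover signals above concrete, here is an added example that scores a user’s audit events the way such a detector might; it is illustrative code for this article, not Barracuda’s implementation. It assumes a per-user baseline (usual sign-in countries, typical external recipients per hour), a simple event format, and weights chosen for the example; the events are constructed, not real logs. It reports the score, the first anomalous event, and how many messages were sent after it (the retrospective view), and maps the verdict to the containment actions the article lists.

```python
"""Added example: scoring account-takeover signals over constructed audit events.
Illustrative code for this article, not Barracuda's implementation; the
baseline, the event format and the weights are assumptions."""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed organization domain

# Assumed per-user baseline (in a real system learned from weeks of history).
BASELINE = {
    "alice@example.com": {"countries": {"PL", "DE"}, "external_per_hour": 3},
    "carol@example.com": {"countries": {"DE"}, "external_per_hour": 2},
}

# Constructed audit events (sign-ins, mailbox rule changes, sends), not real logs.
EVENTS = [
    {"ts": "2024-05-06T08:02:00", "user": "alice@example.com", "type": "signin", "country": "PL"},
    {"ts": "2024-05-06T09:10:00", "user": "alice@example.com", "type": "send", "to": ["bob@example.com"]},
    {"ts": "2024-05-06T10:00:00", "user": "alice@example.com", "type": "send", "to": ["partner@vendor-acme.com"]},
    {"ts": "2024-05-06T08:30:00", "user": "carol@example.com", "type": "signin", "country": "DE"},
    {"ts": "2024-05-06T09:00:00", "user": "carol@example.com", "type": "send", "to": ["dave@example.com"]},
    {"ts": "2024-05-06T22:41:00", "user": "alice@example.com", "type": "signin", "country": "NG"},
    {"ts": "2024-05-06T22:43:00", "user": "alice@example.com", "type": "rule_created",
     "forward_to": "a.finance@mail-outbox.net", "delete_after": True},
    {"ts": "2024-05-06T22:50:00", "user": "alice@example.com", "type": "send",
     "to": ["ap@client-one.com", "ap@client-two.com", "billing@client-three.com", "cfo@client-four.com"]},
    {"ts": "2024-05-06T22:55:00", "user": "alice@example.com", "type": "send",
     "to": [f"finance{i}@partner{i}.com" for i in range(5)]},
    {"ts": "2024-05-06T23:20:00", "user": "alice@example.com", "type": "send",
     "to": [f"accounts{i}@supplier{i}.com" for i in range(4)]},
]


def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def score_user(user, events):
    """Weigh the takeover signals for one user and return a report dict."""
    base = BASELINE[user]
    own = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    signals, sends = [], []  # signals: (time, weight, description)

    for ev in own:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "signin" and ev["country"] not in base["countries"]:
            signals.append((ts, 40, f"sign-in from new country {ev['country']}"))
        elif ev["type"] == "rule_created":
            fwd = ev.get("forward_to", "")
            if fwd and not is_internal(fwd):
                signals.append((ts, 40, f"new inbox rule forwards mail to external {fwd}"))
            if ev.get("delete_after"):
                signals.append((ts, 20, "inbox rule deletes messages after forwarding"))
        elif ev["type"] == "send":
            sends.append((ts, ev["to"]))

    # Burst of external recipients: peak count in any sliding one-hour window.
    window = timedelta(hours=1)
    ext = [(ts, sum(1 for r in to if not is_internal(r))) for ts, to in sends]
    peak, peak_start = 0, None
    for start, _ in ext:
        n = sum(c for t, c in ext if start <= t < start + window)
        if n > peak:
            peak, peak_start = n, start
    if peak > 3 * base["external_per_hour"]:
        signals.append((peak_start, 30,
                        f"{peak} external recipients in one hour (baseline {base['external_per_hour']}/h)"))

    score = sum(w for _, w, _ in signals)
    verdict = "compromised" if score >= 60 else "suspicious" if score >= 30 else "normal"
    first = min((t for t, _, _ in signals), default=None)
    # Retrospective view: messages sent after the first anomaly need review or recall.
    since = [to for t, to in sends if first is not None and t >= first]
    return {"user": user, "score": score, "verdict": verdict,
            "signals": [d for _, _, d in signals],
            "first_anomaly": first.isoformat() if first else None,
            "messages_since_first_anomaly": len(since)}


def respond(report):
    """Containment the article describes: alert, end the session, re-authenticate with MFA."""
    if report["verdict"] == "compromised":
        return ["alert_admin", "revoke_sessions", "require_mfa_reauth"]
    if report["verdict"] == "suspicious":
        return ["alert_admin"]
    return []


if __name__ == "__main__":
    for user in BASELINE:
        report = score_user(user, EVENTS)
        print(report["user"], report["verdict"], report["score"], report["signals"], respond(report))
```

An external-forwarding rule on its own is weighted as heavily as a sign-in from a new country because it is the attacker’s persistence mechanism: it keeps a copy of the conversation flowing to them even after the password is reset, which is why revoking sessions and re-authenticating is not sufficient without also reviewing the mailbox rules.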

Artificial intelligence and behavioral analysis of emails

Barracuda Sentinel trains AI models on an organization’s actual communications data, not on generic phishing patterns. That difference matters: the CEO of one company writes differently from the CEO of another, corresponds with different people and at different times. A model tailored to a specific organization is much more effective than general rules.

The engine analyzes: the content of the message (style, vocabulary, sentence length), the subject of the message, the relationship between the sender and recipient, the time of sending, the pattern of headers, the history of correspondence between specific people. The result of the analysis is a risk assessment, based on which the system makes a decision: deliver, quarantine, block or add a warning banner for the recipient.
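As an added illustration of that pipeline (example code for this article, not Barracuda Sentinel’s model), the script below learns one sender’s baseline from constructed past messages, scores a new message on the signals the paragraph lists (relationship to the recipient, time of sending, sentence-length style, payment-pressure vocabulary), and maps the score to deliver, warning banner, quarantine or block. The features, weights, thresholds and every message are assumptions.

```python
"""Added example: a per-sender behavioral baseline and risk-based delivery decision.
Illustrative code for this article, not Barracuda Sentinel's model; the features,
weights, thresholds and all messages are assumptions."""
import re
from statistics import mean, pstdev

# Assumed vocabulary typical of payment-pressure BEC lures.
URGENCY = {"urgent", "immediately", "confidential", "wire", "transfer",
           "gift", "cards", "today", "asap"}


def features(msg):
    """Extract the per-message signals compared against the sender's baseline."""
    body = msg["body"]
    sentences = [s for s in re.split(r"[.!?]+", body) if s.strip()]
    words = re.findall(r"[a-z']+", body.lower())
    return {
        "hour": int(msg["sent"][11:13]),
        "avg_sentence_len": len(words) / max(len(sentences), 1),
        "urgency_rate": sum(w in URGENCY for w in words) / max(len(words), 1),
        "recipients": set(msg["to"]),
    }


def build_baseline(history):
    """Learn one sender's habits from their own past mail."""
    feats = [features(m) for m in history]
    lens = [f["avg_sentence_len"] for f in feats]
    return {
        "hours": {f["hour"] for f in feats},
        "contacts": set().union(*(f["recipients"] for f in feats)),
        "len_mean": mean(lens),
        "len_sd": max(pstdev(lens), 2.0),  # floor so a tiny history does not overfit
        "urgency_mean": mean([f["urgency_rate"] for f in feats]),
    }


def risk_score(msg, baseline):
    """Add a weight for each deviation from the baseline; return (score, reasons)."""
    f = features(msg)
    score, reasons = 0, []
    new = f["recipients"] - baseline["contacts"]
    if new:
        score += 25
        reasons.append(f"never wrote to {sorted(new)} before")
    if f["hour"] not in baseline["hours"]:
        score += 15
        reasons.append(f"sent at {f['hour']:02d}:00, outside usual hours")
    z = abs(f["avg_sentence_len"] - baseline["len_mean"]) / baseline["len_sd"]
    if z > 2:
        score += 20
        reasons.append(f"sentence length deviates from the sender's style (z={z:.1f})")
    if f["urgency_rate"] > baseline["urgency_mean"] + 0.1:
        score += 30
        reasons.append("unusual urgency/payment vocabulary")
    return score, reasons


def decide(score):
    """Map the risk score to the actions the article lists."""
    if score >= 70:
        return "block"
    if score >= 45:
        return "quarantine"
    if score >= 20:
        return "warning banner"
    return "deliver"


def triage(msg, baseline):
    score, reasons = risk_score(msg, baseline)
    return score, decide(score), reasons


# Constructed past messages from the CEO (the sender's own history).
HISTORY = [
    {"sent": "2024-04-02T09:15:00", "to": ["cfo@example.com"], "body": "Thanks for the quarterly summary you sent over this morning, it looks solid. Let's review the remaining open items together during our Thursday meeting."},
    {"sent": "2024-04-03T10:30:00", "to": ["assistant@example.com"], "body": "Could you move my afternoon call with the auditors to the same slot on Wednesday? I would like to have the draft report in front of me by then."},
    {"sent": "2024-04-09T14:05:00", "to": ["cfo@example.com"], "body": "The board asked for a short note on the hiring plan for the next two quarters. Can you put together a first version with the headcount numbers we discussed?"},
    {"sent": "2024-04-16T16:40:00", "to": ["assistant@example.com"], "body": "Please book the usual room for the leadership offsite in the second week of June. Send the agenda around once the venue has confirmed the dates."},
    {"sent": "2024-04-22T11:20:00", "to": ["cfo@example.com"], "body": "I read through the revised forecast and the margin assumptions look reasonable to me. Let's walk the finance team through it before we share it more widely."},
]
# Constructed new messages claiming to come from the same sender.
SUSPICIOUS = {"sent": "2024-05-06T23:12:00", "to": ["ap.clerk@example.com"], "body": "Are you at your desk? I need a wire transfer processed today. Keep this confidential. Send me the confirmation asap."}
LEGIT = {"sent": "2024-05-06T10:05:00", "to": ["cfo@example.com"], "body": "Please send me the updated vendor list before our call on Monday. I want to check the payment terms against the contract."}
MID = {"sent": "2024-05-06T10:40:00", "to": ["cfo@example.com"], "body": "Can you process the wire transfer for the new supplier today? The details are in the purchase order we approved last week."}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, msg in (("suspicious", SUSPICIOUS), ("legit", LEGIT), ("mid", MID)):
        print(label, *triage(msg, baseline))
```

The middle case shows why the graded response matters: a genuine CEO asking the CFO to pay a supplier trips only the vocabulary signal and receives a banner rather than being blocked, while the late-night request to an accounts-payable clerk the CEO has never written to, in a style unlike their own, accumulates enough deviations to be blocked outright.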

Key findings

  • BEC is one of the costliest types of cybercrime; it bypasses traditional filters because the messages carry no links or attachments.
  • Barracuda Sentinel detects BECs through AI and behavioral analysis specific to the organization, not generic signatures.
  • Domain lookalike detection and header inspection address the most common BEC spoofing techniques.
  • Account Takeover protection detects behavioral anomalies that indicate account compromise.
  • AI models trained on an organization’s actual communications are more effective than generic rules.

FAQ

Does Barracuda Email Protection work with Microsoft 365 and Google Workspace? Yes – Barracuda integrates natively with Microsoft 365 and Google Workspace via API, complementing the native email protection of these platforms with BEC detection and advanced behavioral analysis.

How long does it take to “teach” the Sentinel behavioral model? Sentinel usually needs 2-4 weeks of communication history to build a reliable behavioral model. During this time, it operates in non-blocking monitoring mode.

Can Barracuda automatically notify users of suspicious messages? Yes – Barracuda can automatically insert warning banners in suspicious messages, informing the recipient that the message is coming from an external address or that anomalies have been detected.

How does Barracuda report BEC incidents to the security team? Barracuda offers an incident dashboard with threat categorization, incident history and export to SIEM. Alerts can be sent via email or webhook to ticketing systems.

Summary

BEC attacks are precise, personalized and increasingly expensive for victims. Traditional email protection simply doesn’t detect them because it operates on signatures that BEC doesn’t have. Barracuda Sentinel and Barracuda’s multi-layered email protection address this problem through AI and behavioral analysis tailored to the specifics of an organization. Contact Ramsdata to learn how Barracuda can protect your organization from BEC attacks and other email threats.
