89,000 Users Targeted in 2 Hours: Inside the BEC Campaign Rewriting the Phishing Playbook


Business Email Compromise just got an upgrade, and it’s not good news for defenders.

On February 23, Microsoft Threat Intelligence published details on a BEC campaign that hit more than 89,000 users across 74,000 organizations in a roughly two-hour window. Nearly all targets were in the United States, spanning retail, financial services, technology, and beyond.

This wasn’t your typical BEC attack. It was faster, wider, and designed to bypass the human bottleneck that has traditionally limited these schemes.

What Made This Campaign Different

Most BEC operations work like a con artist working a room one person at a time. An attacker impersonates an executive, waits for the target to respond, builds trust, and then drops payment instructions. It’s effective, but slow. A single operator might reach hundreds or a few thousand targets per campaign.

This campaign threw that model out the window.

The attackers routed their messages through Mandrill, a legitimate transactional email service, using a likely-compromised Brazilian domain. That gave them the infrastructure to blast personalized CEO-impersonation emails to tens of thousands of mailboxes in minutes rather than days.

Here’s the kicker: the payment instructions were embedded in the very first email. No back-and-forth. No rapport-building. Each message included a fabricated email thread with a fake vendor invoice for $95,000, complete with the target company’s name, CEO name, and domain, all generated at scale. Ten rotating subject lines helped the messages dodge basic signature-based detection.

The attackers didn’t need to be convincing in conversation. They just needed a small percentage of recipients to act without thinking.

Why This Should Concern Every Organization

This campaign represents an inflection point. BEC is evolving from a craft into an industrial operation:

Volume over precision. By embedding payment details upfront and removing the need for follow-up, attackers can target orders of magnitude more organizations per campaign. Even a tiny success rate across 89,000 targets represents a significant financial windfall for the threat actors.

Legitimate infrastructure abuse. Sending through a recognized email service means better deliverability and a harder time for security tools that rely on sender reputation alone.

Personalization at scale. The emails weren’t generic. CEO names, company domains, and branded invoice templates were dynamically inserted, making each message look like it originated from inside the organization.

Speed that outpaces manual response. The entire campaign ran in roughly 120 minutes. By the time most security teams would notice the pattern, the emails had already landed.

How CyberMSI’s MDR Services Help Stop BEC Before It Causes Damage

At CyberMSI, we built our Managed Extended Detection and Response (MXDR) service specifically for the kinds of threats that outrun traditional defenses. Here’s how our approach directly addresses the tactics used in this campaign:

24×7 SOC With a 21-Minute Mean Time to Respond

Speed is the critical variable. When 89,000 emails land in a two-hour window, organizations need detection and response that operates in minutes, not business hours. Our SOC team monitors your environment around the clock using Microsoft Defender XDR and Sentinel SIEM, backed by Microsoft Copilot for Security. We detect, investigate, and disrupt threats at first point of contact, including suspicious email patterns that signal a BEC wave in progress.

Advanced Email Threat Detection Through Microsoft Defender for Office 365

CyberMSI configures and actively manages anti-phishing policies, impersonation protection, and Zero-hour Auto Purge (ZAP) within your Microsoft environment. When a campaign like this one emerges and new threat intelligence becomes available, ZAP can retroactively quarantine malicious messages that have already been delivered. We ensure these capabilities aren’t just licensed but are tuned, monitored, and acted upon.

Coverage for 97%+ of MITRE ATT&CK TTPs

The techniques used in this campaign, spearphishing (T1566.002), executive masquerading (T1036), and financial theft (T1657), are well mapped in the MITRE ATT&CK framework. CyberMSI’s detection rules and threat hunting operations cover over 97% of known ATT&CK techniques, so we’re not waiting for a specific campaign signature. We’re watching for the behaviors that underpin all of them.

Proactive Threat Hunting and Intelligence

Our AI agents and cybersecurity experts don’t just respond to alerts. They actively hunt for indicators of compromise and anomalous patterns like a sudden spike in CEO-impersonation emails from an unfamiliar sender domain, or outbound financial communications to free webmail addresses. This is the kind of contextual analysis that turns raw telemetry into early warning.
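As an added illustration of the hunting heuristic described above (example code, not part of the post or CyberMSI’s tooling), the following Python detector runs over constructed message metadata: it flags messages whose display name matches a known executive while the sender address is external, then looks for a burst of such messages from a single sender domain inside a short window and counts how many subject lines rotate across that burst. The executive list, internal domain, and sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executive directory and internal mail domain (constructed for this example).
EXECUTIVES = {"jane doe"}
INTERNAL_DOMAINS = {"example-corp.com"}

# Constructed sample of inbound message metadata, not real telemetry:
# (received_at, display_name, from_address, subject)
SAMPLE_MESSAGES = [
    ("2026-02-23T14:02:10", "Jane Doe", "noreply@mail.example-br.test", "Re: Invoice 4471 approval"),
    ("2026-02-23T14:02:45", "Jane Doe", "noreply@mail.example-br.test", "Payment needed today"),
    ("2026-02-23T14:03:30", "Jane Doe", "billing@mail.example-br.test", "FW: vendor invoice"),
    ("2026-02-23T15:10:00", "Jane Doe", "jane.doe@example-corp.com", "Board deck"),
    ("2026-02-23T16:00:00", "Bob Vendor", "bob@supplier.test", "Q1 pricing"),
]

def sender_domain(from_address):
    return from_address.rsplit("@", 1)[-1].lower()

def is_exec_impersonation(display_name, from_address):
    """True when the display name matches an executive but the sender is external."""
    if display_name.strip().lower() not in EXECUTIVES:
        return False
    return sender_domain(from_address) not in INTERNAL_DOMAINS

def find_impersonation_bursts(messages, window=timedelta(minutes=10), threshold=3):
    """Group impersonation hits by sender domain and flag domains that produce at
    least `threshold` hits inside any `window`. Returns
    {domain: (largest_burst_size, distinct_subjects_in_that_burst)}."""
    hits = defaultdict(list)
    for received_at, name, addr, subject in messages:
        if is_exec_impersonation(name, addr):
            hits[sender_domain(addr)].append((datetime.fromisoformat(received_at), subject))
    bursts = {}
    for domain, events in hits.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered hits; keep the largest cluster seen.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(domain, (0, 0))[0]:
                subjects = {s for _, s in events[start:end + 1]}
                bursts[domain] = (count, len(subjects))
    return bursts

if __name__ == "__main__":
    print(find_impersonation_bursts(SAMPLE_MESSAGES))
```

In production the same logic would be fed from mail-flow telemetry (for example Defender for Office 365 message events in Sentinel) rather than an inline list, and the subject-rotation count is what distinguishes a templated campaign from a single forwarded thread.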

Identity and Email Security Hardening

Through our Identity Threat Detection and Response (ITDR) service and Security & Compliance Automation, CyberMSI helps organizations configure email authentication (SPF, DKIM, DMARC), monitor Exchange connector integrity, and enforce conditional access policies that make it significantly harder for attackers to abuse trusted infrastructure against your users.

The Bottom Line

BEC is no longer a low-volume, high-touch social engineering game. Attackers are industrializing it by using legitimate infrastructure, dynamic personalization, and volume-first tactics to overwhelm organizations that rely on manual processes or point-in-time defenses.

The organizations best positioned to weather these campaigns are those with continuous detection, rapid response, and deeply integrated email security, which is exactly what CyberMSI delivers as a Microsoft full-stack security partner.

Don’t wait for the next campaign to find out if your defenses hold up.

At CyberMSI we use an “AI + analyst-on-the-loop” SOC model to help customers mitigate risk, cut costs, and prevent disruptions with AI, while our analysts execute response actions or approval workflows based on business context rather than generic playbooks.

Powered by Microsoft Unified Security Operations using Microsoft Defender XDR and Microsoft Sentinel SIEM, we deliver MDR for AI agents, identities, endpoints, data, multi-cloud, and third-party access.

Our difference is not AI-based automation alone; it is Accountable & Intelligent automation.

Get Your Free AI Security Risk Assessment today.

#Cybersecurity #BEC #BusinessEmailCompromise #MDR #ManagedDetectionAndResponse #MicrosoftSecurity #ThreatIntelligence #EmailSecurity #CyberMSI #Phishing #XDR #InfoSec
