WhiteMail
ブログに戻る
·WhiteMail Security Team#weekly-report#BEC

Weekly Security Report #1 — BEC didn't go away, it got quieter

Welcome to the first WhiteMail weekly security report. Each week we share what stood out across the email we analyzed — patterns, a technique worth understanding, and something you can act on.

This week

The new year reliably brings a wave of business email compromise (BEC). Budgets reset, invoices pile up, and finance teams are moving fast — exactly the conditions attackers want.

What stood out in this week's samples: the highest-risk messages carried no link, no attachment, and no malware. Just a few sentences of text. A short note that appears to come from a senior leader or a known supplier, asking to update banking details before a payment, or to push a transfer through quietly because "I am in meetings all day."

These are invisible to anything that scans for a malicious payload, because there is no payload. The attack is entirely in the language and the relationship it borrows.

Technique in focus: the trusted-sender pivot

The most effective BEC does not spoof a stranger. It rides on an identity the recipient already trusts:

  • A display-name match with no matching domain — the name reads "CFO Jane Park" while the actual address is a free webmail account.
  • A Reply-To that diverges from the From — you read the familiar name, but your reply quietly routes to the attacker.
  • A plausible reason to break routine — urgency, secrecy, travel, a closing deadline.

None of these is malicious on its own. Together, in the right thread at the right moment, they are the whole attack.

What you can do

  • Treat any banking-detail or payment change as a verification trigger, every time, through a second channel you already trust — never by replying to the email.
  • Watch the gap between the display name and the actual address, and between From and Reply-To.
  • Be most careful exactly when the message tells you to hurry. Urgency is not evidence of legitimacy; in BEC it is the method.

This is precisely the reconciliation WhiteHat runs on every message — SA-01 on identity, SA-04 on intent — so the trusted-sender pivot surfaces before a human has to notice it.


Paste a suspicious message into the Analyze console to see the per-agent breakdown for yourself.