A. Mitre Att&Ck Matrix Analysis

The MITRE ATT&CK framework serves as a globally recognized repository that catalogues adversarial TTPs based on real-world cyber threat observations. It provides a systematic framework for analyzing attack stages and understanding adversarial tactics. The ATT&CK matrix categorizes tactics as the overarching goals of attackers, while techniques represent the specific methods employed to achieve these objectives, with additional sub-techniques refining these methods further. This phase of the study focuses on identifying TTPs within the ATT&CK matrix that are most applicable to BEC frauds, emphasizing unique aspects of email compromise attacks. These TTPs are then selected as an initial subset specifically relevant to BEC frauds and email infrastructures. The selection process prioritized techniques related to the email environment, email elements, and other infrastructure components commonly exploited in BEC frauds to ensure a targeted and accurate mapping within the framework.

B. Information Collection

One of the main challenges in studying BEC frauds is the absence of publicly available large-scale datasets or comprehensive disclosed reports. Unlike other cyber threats such as malware or ransomware, BEC fraud primarily relies on social engineering tactics, which are often underreported or documented in a fragmented manner. Due to this limitation, research in this area must rely on a combination of different data sources.

The second phase involves gathering and analyzing data from various sources to identify relevant TTPs in BEC frauds. When a technique was identified in the sources, it was taken into consideration and assessed for its applicability within the context of BEC attacks, ensuring a comprehensive mapping of tactics, techniques, and sub-techniques. The sources used in the investigation were:

1. Academic Literature: A comprehensive review of academic papers on BEC frauds was conducted, focusing on phishing, spoofing, document manipulation, malware, and other email-based attack vectors. This literature provided a theoretical foundation for understanding TAs’ techniques and behaviors in BEC incidents. Insights from academic studies were compared with findings from industry reports to ensure consistency in identifying relevant tactics and techniques.

2. Industry Cyber Threat Intelligence (CTI) Reports: CTI reports from leading cybersecurity firms were analyzed to gain insights into the latest tactics and techniques used by TAs in BEC frauds. These reports offer real-time data and practical examples from recent BEC campaigns, complementing the theoretical perspectives from academia and facilitating a cross-validation process.

3. Real Incident Response Data: Data from BEC cases handled by INCIDE Digital Data S.L. [29] provided firsthand examples of TTPs used by TAs. This real-world data, derived from actual incidents, included detailed attack paths and behaviors observed in BEC response scenarios, offering a unique perspective on TTP application.

C. TTP Extraction

The collected data was meticulously analyzed to identify relevant TTPs, focusing on tactics, techniques, and sub-techniques that might not be fully covered or might be named differently across sources. This analysis included:

1. Identification of Tactics: Tactics were identified by analyzing the intent of the attacker and the objectives of each attack phase. Each tactic represents a high-level goal within the BEC attack lifecycle, with consistency achieved by harmonizing terminology across different sources and aligning with the MITRE framework.

2. Identification of Techniques: Techniques, representing specific methods used to achieve each tactic, were extracted from the data. Some techniques were clearly defined, while others required interpretation due to variations in naming or categorization across sources.

3. Identification of Sub-Techniques: Variations of techniques, or sub-techniques, were identified where applicable. These sub-techniques were distinguished by their unique characteristics and specific relevance to BEC frauds.

D. Mapping to the Mitre Att&Ck Matrix

After identifying relevant TTPs, each element was mapped to the MITRE ATT&CK framework through a structured process that emphasized consistency and alignment with the framework’s classification standards:

1. Phase Alignment: Each tactic, technique, and sub-technique was aligned with the appropriate phase of the ATT&CK matrix based on its functional role in the attack lifecycle, for example, the registration of a typosquatting domain by an attacker is classified under the Resource Development (TA0042) phase. When a TTP could logically fit into multiple phases, the primary intent of the activity as described in the sources was used to determine the most suitable phase.

2. Objective Definition: The underlying objectives of each TTP were explicitly defined to ensure a clear understanding of its purpose within the BEC attack context. This step also helped to resolve ambiguities when a TTP description overlapped with multiple tactics, ensuring that classification reflected its dominant operational role.

3. Technique Matching: Identified techniques were compared against existing entries in the ATT&CK matrix to find the corresponding match. For example, the registration of a new device as a multi-factor authentication method is mapped to the Modify Authentication Process (T1556) technique under the Persistence (TA0003) tactic. For techniques with multiple names across sources, their functional intent and observed use cases were prioritized to determine the most appropriate ATT&CK-defined technique. Where overlaps occurred, all relevant techniques were noted for transparency.

4. Sub-Technique Selection: Sub-techniques were mapped to the ATT&CK matrix by analyzing their specific implementation details and aligning them with the most accurate existing sub-technique. For example, when TAs send malicious links to targeted accounts to harvest credentials and gain unauthorized access, this activity aligns with the Initial Access (TA0001) tactic, the Phishing (T1566) technique, and specifically the Spearphishing Link (T1566.002) sub-technique. If no direct match was available, new sub-techniques were proposed, ensuring alignment with the overarching logic and structure of the ATT&CK framework.

5. Redundancy and Uniqueness Analysis: Each mapped TTP was reviewed to eliminate redundancies and ensure uniqueness. When multiple sources described similar TTPs with varying levels of detail, the most comprehensive description was used, and its classification was aligned with the framework’s taxonomy. This ensured that every mapped TTP served a distinct and well-defined purpose.

E. Standardization of Definitions and Coding

In the final phase, TTP definitions were standardized within the MITRE ATT&CK framework:

1. Assignment of Identifiers: Each tactic, technique, and sub-technique was assigned a corresponding identifier within the ATT&CK framework (e.g., TA#### for tactics, T#### for techniques, and T####.### for sub-techniques). For proposed sub-techniques, the identifier of the parent technique was used followed by “.XX” (e.g., T####.XX).

2. Provision of Descriptions: Clear, concise descriptions were provided for each tactic, technique, and sub-technique to specify their roles in BEC incidents.

3. Citation of References: Each technique and sub-technique was supported with references from the information sources. Where sub-techniques were grouped under a single reference, either the entire group was covered or individual references were cited as needed.

4. Development of a Schematic Representation: A visual schematic of the mapped matrix was developed, offering an overview of BEC-specific TTPs and their placement within the broader ATT&CK framework.

A. Reconnaissance (TA0043)

Reconnaissance is the phase where TA meticulously select their targets, setting the stage for subsequent malicious activities. During this tactic, various techniques are employed to gather critical intelligence about the victim organization and identify potential vulnerabilities. The following techniques are commonly observed in BEC incidents:

1. Active Scanning (T1595): Attackers conduct scans of public IP addresses on the Internet to identify potential vulnerabilities or misconfigurations related to mail services. Sub-techniques include:

   1. Vulnerability Scanning (T1595.002): This involves scanning the Internet for exposed on-premise mail servers with vulnerabilities or misconfigurations that could be exploited to gain unauthorized access [30]. Identifying and exploiting these weaknesses allows attackers to establish a foothold within the victim organization’s email ecosystem.

2. Victim Organization Information (T1591): This overarching technique includes various sub-techniques for gathering intelligence about the target organization, which is crucial for identifying potential targets and refining attack strategies in BEC frauds [16]. Sub-techniques include:

   1. Business Relationships (T1591.002): TA use open-source intelligence (OSINT) to gather information about the business relationships and partnerships of the victim organization. By identifying key suppliers, vendors, and business partners, attackers can tailor their BEC schemes to exploit existing relationships, increasing the likelihood of success [31].

   2. Identify Roles (T1591.004): This technique involves identifying key individuals within the victim organization, particularly those in executive or financial roles [31]. By targeting decision-makers and personnel responsible for financial transactions, TA can focus their efforts on individuals likely to yield significant financial returns.

3. Brute Force (T1110): The attackers can use credentials acquired from different sources to test their validity and gain access to accounts.

   1. Credential Stuffing (T1110.004): In this technique, TA leverage compromised credentials obtained from recent data breaches or botnet databases to attempt unauthorized access to the victim organization’s infrastructure [13]. Unlike other selection criteria, credential stuffing indiscriminately targets organizations based on the availability of credentials, highlighting the pervasive nature of this threat vector in BEC incidents.

B. Resource Development (TA0042)

Resource Development is the phase where TA invest time and effort into establishing the necessary infrastructure and capabilities to execute fraudulent activities effectively. This tactic encompasses a range of techniques aimed at acquiring, accessing, and developing resources essential for orchestrating BEC frauds [15]. The following techniques are commonly observed within the Resource Development tactic:

1. Acquire Infrastructure (T1583): This technique involves acquiring various infrastructure components crucial for executing impersonation attacks. Sub-techniques include:

   1. Domain (T1583.001): TA register counterfeit or typo-squatted domains to mimic legitimate entities, facilitating email impersonation and deception [15].

   2. Server (T1583.004): Attackers procure servers dedicated to sending and receiving fraudulent emails, enabling the orchestration of BEC campaigns [32].

   3. Botnet (T1583.005): TA may acquire access to a botnet to obtain stolen credentials indexed in the database or to utilize infected devices as the origin for sending their fraudulent emails [13].

   4. Web Services (T1583.006): Attackers acquire and create illegitimate web pages containing fraudulent content designed to deceive users and elicit sensitive information. These pages may be utilized in subsequent phishing campaigns to trick users into divulging credentials or one-time passwords (OTPs) for 2FA authentication [8].

2. Acquire Access (T1650):This technique involves obtaining unauthorized access to email servers or accounts, often through the purchase of access credentials from Initial Access Brokers (IAB) [13].

3. Establish Accounts (T1585): Attackers create accounts on various services to support their malicious activities. Sub-techniques include:

   1. Email Accounts (T1585.002): TA may register email addresses through cloud mail service providers to impersonate legitimate entities. This sub-technique involves creating deceptive email addresses, often exploiting variations or alterations of legitimate domains [3].

4. Compromise Accounts (T1586): TA compromise accounts, typically through social engineering or credential theft, to facilitate their BEC campaigns. Sub-techniques include:

   1. Social Media Accounts (T1586.001): Attackers may compromise social media accounts to gather intelligence, execute lateral movement within the target organization, or employ social engineering tactics [33].

   2. Email Accounts (T1586.002): TA may compromise email accounts of organizations or individuals to launch phishing campaigns [34].

5. Develop Capabilities (T1587): This technique involves the development of customized tools and capabilities tailored to the specific requirements of BEC frauds. Sub-techniques include:

   1. Malware (T1587.001): TA develop malware, such as stealers, to harvest credentials, session tokens, or other sensitive information from compromised systems. This malware may also target mobile devices to bypass two-factor authentication (2FA) mechanisms [3].

6. Stage Capabilities (T1608): Attackers leverage acquired capabilities to enhance their operations within the compromised environment. Sub-techniques include:

   1. Link Target (T1608.005): Prior to executing a phishing attack, adversaries must establish the resources necessary for the malicious link, which could include creating a webpage or setting up a server to host malicious content [8].

C. Initial Access (TA0001)

Initial Access encompasses techniques aimed at obtaining unauthorized access to victims’ email accounts or mail servers, serving as a pivotal first step in the BEC attack lifecycle. The following techniques are commonly employed by TA to gain initial access:

1. Exploit Public-Facing Mail Servers (T1190): TA exploit vulnerabilities or misconfigurations in public-facing mail servers to gain unauthorized access and infiltrate targeted mailboxes [30].

2. Valid Accounts (T1078): Attackers utilize valid accounts obtained through various means, including IAB, data leaks, malware stealer or botnets, to access user accounts [13]. Sub-techniques include:

   1. Domain Accounts (T1078.002): TA leverage domain accounts synchronized with mail services to gain access to user mailboxes.

   2. Cloud Accounts (T1078.004): Attackers utilize accounts associated with cloud email services to gain unauthorized access to user accounts.

3. Phishing (T1566): TA employ phishing techniques to deceive victims and obtain access to their accounts. Sub-techniques include [24]:

   1. Spearphishing Attachment (T1566.001): Attackers send emails with malicious attachments designed to steal credentials or tokens upon execution.

   2. Spearphishing Link (T1566.002): Attackers send emails containing deceptive links that prompt users to enter their credentials or one-time passwords (OTPs) for 2FA authentication.

   3. Spearphishing via Service (T1566.003): TA use third-party channels, such as social media, to distribute malicious links or attachments.

   4. Spearphishing Voice (T1566.004): Attackers deceive victims via phone calls to obtain credentials or intrude into communications [35].

4. Trusted Relationship (T1199): TA leverage the existing trust relationships among contacts of a compromised account, vendors, or clients to compromise other accounts through phishing attacks [31]. Additionally, if the compromised account has delegated permissions to other tenants, the attacker can access information from the other organization.

5. Alternate Authentication Material (T1550): Attackers leverage alternative authentication methods to gain access to victim accounts. Sub-techniques include:

   1. Application Access Tokens (T1550.001) or Steal Application Access Token (T1528): Attackers exploit delegated permissions granted to applications using tokens to gain control of mailboxes [36].

   2. Web Session Cookie (T1550.004) or Steal Web Session Cookie (T1539): TA obtain session tokens or cookies through malware or malicious websites to gain control of user accounts [37], [38].

6. Brute Force (T1110): TA conduct brute-force attacks to gain unauthorized access to accounts lacking two-factor authentication (2FA) [39]. Sub-techniques include:

   1. Password Guessing (T1110.001): Attackers attempt access using multiple passwords against a single account.

   2. Password Spraying (T1110.003): Attackers use a list of passwords against multiple accounts.

   3. Credential Stuffing (T1110.004): Attackers use leaked credentials for access attempts.

D. Persistence (TA0003)

Persistence involves the perpetrator’s efforts to maintain access to the targeted email account for as long as possible, ensuring continued exploitation and deception. In addition to leveraging techniques used for initial access, TA employ various persistence techniques, including:

1. Account Manipulation (T1098): TA manipulate compromised accounts to continue receiving pertinent emails even after losing direct access. Sub-techniques include:

   1. Email Forwarding Rule (T1114.003): By creating email forwarding rules within the victim’s mailbox, TA redirect specific emails meeting predefined criteria to a controlled account [9], [15]. These rules may also conceal compromised communications.

   2. Additional Email Delegate Permissions (T1098.002): TA modify the permissions of folders in a victim’s mailbox to make their contents readable by another user in the victim’s tenant [40].

   3. Additional Cloud Roles (T1098.003): TA add additional roles or permissions to a compromised account, gaining administrative privileges, access to other accounts, or creating new accounts [41].

   4. Device Registration (T1098.005): TA configure new multifactor authentication mechanisms to log in without arousing suspicion [42].

2. Alternate Authentication Material (T1550): To circumvent repeated login attempts using credentials, TA leverage alternative authentication methods, often capable of bypassing 2FA. Sub-techniques include:

   1. Application Access Tokens (T1550.001): Attackers utilize delegated permissions granted to applications via tokens to maintain control of compromised mailboxes [43].

   2. Web Session Cookie (T1550.004): TA leverage session cookies to sustain control of an account, avoiding the need for repeated credential-based logins [44].

3. Modify Authentication Process (T1556): Attackers manipulate the authentication settings of a compromised account to ensure continued access and persistence. Sub-techniques include:

   1. Multi-Factor Authentication (T1556.006): TA may disable or modify multifactor authentication to sustain persistence in the account [45], [46].

4. Adversary-in-the-Middle (T1557): TA employ the Mail-In-The-Middle technique to maintain persistence by impersonating both parties in email communications, typically using counterfeit accounts created during the Resource Development phase. Sub-techniques include:

   1. Reply-To Field (T1557.XX): Attackers modify the “Reply-To” field in emails, redirecting replies to a different account under their control when recipients respond [6].

   2. Mail Thread Export (T1557.XX): TA export targeted email threads from the legitimate account and import them into a controlled mailbox, ensuring continued access to compromised communications [47], [48].

E. Defense Evasion (TA0005)

Defense Evasion involves tactics aimed at circumventing detection and forensic investigation systems, enabling TA to maintain covert access and evade scrutiny. Within this tactic, TA employ various sub-techniques, including:

1. Impersonation (T1656): Attackers impersonate the legitimate owners of compromised accounts to avoid detection and carry out fraud without raising suspicion [23].

2. Indicator Removal (T1070): TA remove indicators of compromise from within the compromised mailbox. Sub-techniques include:

   1. Clear Mailbox Data (T1070.008): Attackers delete phishing emails, compromised threads, metadata, and other compromising data [49]. With administrative access, they may also delete existing logs to cover their tracks.

   2. Clear Persistence (T1070.009): Attackers eliminate persistence mechanisms such as configured 2FA devices or forwarding and mailbox rules within the compromised mailbox to avoid detection [50].

3. Hide Artifacts (T1564): TA may undertake actions within the account to hide evidence of compromise or ongoing activities. Sub-techniques include:

   1. Email Hiding Rules (T1564.008): Attackers create rules within the mailbox to conceal responses to threads of interest or compromised threads by moving emails to a less common folder, preventing the legitimate user from identifying the fraud in a timely manner [50].

4. Subvert Trust Controls (T1553): To evade email system protection mechanisms, TA employ techniques to obtain more trustworthy infrastructure [4], [5], [23], [51]. Sub-techniques include:

   1. Trustful IP Provider (T1553.XX): TA utilize VPN services or hosting providers with IP addresses geolocated in reputable or trusted countries to avoid detection by SPAM filters or reputation-based blocking mechanisms used by mail service providers or infrastructure security teams. These IP addresses help attackers bypass initial scrutiny based on geographic or IP reputation.

   2. Set Authentication Protocols (SPF, DKIM, DMARC) (T1553.XX): TAs configure SPF, DKIM, and DMARC authentication protocols on counterfeit domains they control. By properly setting up these protocols, they can make malicious emails appear legitimate, effectively bypassing the victim’s email security measures designed to detect spoofing or phishing attempts.

   3. Trustful Mail Providers (T1553.XX): Attackers leverage reputable email providers with strong infrastructure, such as Gmail, Outlook, or ProtonMail, to send malicious emails. By using these trusted services, they overcome victims’ protection measures, as emails from these providers are less likely to be flagged or blocked by security systems.

F. Discovery (TA0007)

Discovery involves the process of identifying valuable accounts, such as administrative, executive, or financial department accounts, which could serve the attacker’s objectives. It also includes locating financial-related communications or files. This tactic includes the following techniques:

1. Account Discovery (T1087): By leveraging available accesses and information contained within the compromised account and the organization’s configuration, attackers gather information about existing accounts. Sub-techniques include:

   1. Email Accounts (T1087.003): Attackers seek to obtain a list of email addresses present in the mailbox or contacts of the compromised account [25].

   2. Cloud Accounts (T1087.004): Attackers search for potentially relevant cloud service accounts associated with email that could be useful [52].

2. Cloud Storage Object Discovery (T1619): Attackers search for documents stored in cloud services, such as OneDrive or Google Drive, to identify email accounts of interest [53].

G. Privilege Escalation (TA0004) / Lateral Movement (TA0006) / Credential Access (TA0008)

Once target accounts within the infrastructure are identified, the Threat Actor (TA) may employ various techniques to obtain credentials, move laterally, and escalate privileges to execute the fraud [6]. In the context of BEC frauds, the tactics of Credential Access (TA0008), Privilege Escalation (TA0004), and Lateral Movement (TA0006) are consolidated into a single phase, as the overarching goal is to gain access to an account with higher privileges or decision-making authority over financial transactions. While these tactics are clearly defined and distinct in other types of incidents, such as network intrusions or ransomware attacks, BEC frauds do not exhibit techniques that are exclusive to each of these phases. Instead, the techniques used during this stage are aligned toward the unified objective of gaining control over key accounts. Therefore, it is unnecessary to interpret these tactics independently, and only the techniques specific to this combined activity are presented below.

1. Unsecured Credentials (T1552): Attackers search various sources for traces of shared credentials to gain access to other accounts. This technique includes the sub-technique:

   1. Chat Messages (T1552.008): TA may search for credentials shared in messaging chats accessible from the initially compromised account [41].

2. Internal Spearphishing (T1534): TA can use compromised accounts to launch phishing attacks against other accounts within the domain, bypassing security mechanisms and exploiting the trust they engender [34].

H. Collection (TA0009)

The Collection tactic involves gathering information of interest to be used in subsequent fraudulent activities by the threat actor. This tactic comprises the following techniques:

1. Data from Cloud Storage (T1530): Attackers identify key documents such as invoices, orders, or bank payments in document repositories to orchestrate fraud schemes [53].

2. Email Collection (T1114): This technique involves searching for email threads of interest that can be intercepted by the attacker. Sub-techniques include:

   1. Remote Email Collection (T1114.002): Attackers conduct keyword searches in the inbox or download entire mailboxes to collect crucial emails [53].

   2. Email Forwarding Rule (T1114.003): Attackers create forwarding rules that automatically redirect emails meeting specific criteria, such as keywords or specific recipients, enabling them to identify emails of interest for potential fraudulent activities [9].

I. Exfiltration (TA0010)

While not the primary objective of a BEC attacker, there is the possibility that the attacker may exfiltrate information for use in the specific fraud or for subsequent fraudulent activities [54]. This tactic comprises the following techniques:

1. Exfiltration Over Web Service (T1567): The Threat Actor may utilize web access to directly download the desired information present in the mailbox [53]. Sub-techniques include:

   1. Exfiltration Over Webhook (T1567.004): Webhooks allow a server to push data over HTTP/S to a client without continuous polling by the client and can be exploited by attackers.

2. Data from Cloud Storage (T1530): Attackers may exfiltrate data stored in the cloud for use in subsequent frauds or targeting other victims.

3. Exfiltration Over Alternative Protocol (T1048): Various IaaS and SaaS platforms, such as Microsoft Exchange, Microsoft SharePoint, or Google Workspace, support direct downloading of files, emails, source code, and other sensitive information via the web console or Cloud API.

J. Impact (TA0040)

The Impact tactic represents the final step for the attacker, marking the culmination of the compromise. This tactic comprises the following techniques:

1. Data Manipulation (T1565): Attackers manipulate information contained in emails or repositories, such as text or attachments, to divert payments in their favor. This technique includes the following sub-technique:

   1. Transmitted Data Manipulation (T1565.002): The attacker alters the information transmitted to another party in the transaction, usually modifying bank account numbers [23].

2. Financial Theft (T1657): Attackers aim to orchestrate a financial transaction benefiting themselves, which may involve bank transfers or alternative methods such as gift cards [6].

A. Case Study: Applying the Framework to Characterize Cosmic Lynx

In this subsection, we demonstrate an example of applying the matrix developed from our research to characterize a real-world TA. Cosmic Lynx, a Russian-based cybercriminal group, provides a relevant case for this analysis. Operating since 2019, Cosmic Lynx has been notable for its highly sophisticated BEC operations, targeting multinational organizations and high-level executives involved in financial decisions. The following characterization is based on insights from Agari Data, Inc. [55], Robert Scammell [56], and Lindsey O’Donnell [57].

The characterization was achieved by extracting the TTPs of Cosmic Lynx from CTI reports and mapping them into the matrix developed through our research. This mapping provides a structured framework for attributing incidents to specific TAs and aids in the analysis of their operational methods. By systematically aligning Cosmic Lynx’s observed behaviors with our framework, we demonstrate how this approach enhances the attribution process, guides incident analysis, and supports the development of mitigation strategies.

Cosmic Lynx’s TTPs align closely with the MITRE ATT&CK framework, specifically as adapted for BEC frauds as a result of this research. Below, we map their observed TTPs to our framework, illustrating the group’s comprehensive approach across several phases. A graphical representation of this characterization, with identified techniques and sub-techniques highlighted in green, can be seen in Figure 3, which can be found at the end of this section.

1. Reconnaissance (TA0043):

   1. Victim Organization Information (T1591):

      1. Business Relationships (T1591.002) and Identify Roles (T1591.004): Cosmic Lynx performs targeted reconnaissance to understand the business relationships and key personnel within target organizations, particularly identifying individuals with financial authority.

2. Resource Development (TA0042):

   1. Acquire Infrastructure (T1583):

      1. Domain (T1583.001), Server (T1583.004), and Web Services (T1583.006): The group registers domains and configures servers to mimic secure email systems, such as “secure-mail-gateway[.]cc,” establishing trust for future communications.

   2. Acquire Access (T1650): TA may acquire compromised accounts from IAB to gain unauthorized entry into the victim’s infrastructure.

   3. Establish Accounts (T1585): They create and maintain fake email accounts, representing high-ranking corporate figures to facilitate impersonation in their phishing campaigns.

   4. Compromise Accounts (T1586) and Email Accounts (T1586.002): Compromised email accounts are used to further reinforce the legitimacy of their interactions with targeted victims.

   5. Develop Capabilities (T1587) and Malware (T1587.001): Cosmic Lynx embedded malware in phishing emails sent from compromised accounts to infiltrate and infect the victim’s network.

3. Initial Access (TA0001):

   1. Valid Accounts (T1078):

      1. Domain Accounts (T1078.002) and Cloud Accounts (T1078.004): Access to both domain and cloud accounts is obtained through phishing, enabling the group to infiltrate internal communications.

   2. Phishing (T1566):

      1. Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002): Customized phishing emails include attachments or links that align with the victim’s business operations, such as merger and acquisition scenarios.

   3. Trusted Relationship (T1199): By impersonating trusted executives and legal representatives, Cosmic Lynx leverages established trust relationships to manipulate victims effectively.

4. Persistence (TA0003):

   1. Adversary-in-the-Middle (T1557):

      1. Reply-To Field (T1557.XX): The group modifies the “Reply-To” field in emails to redirect responses to their own infrastructure, bypassing genuine executives.

5. Defense Evasion (TA0005):

   1. Impersonation (T1656): Cosmic Lynx impersonates trusted entities, such as high-ranking executives or legal representatives, to build credibility and deceive victims, enhancing the effectiveness of their phishing campaigns.

   2. Subvert Trust Controls (T1553):

      1. Trustful IP Provider (T1553.XX), Set Authentication Protocols (SPF, DKIM, DMARC) (T1553.XX), and Trustful Mail Providers (T1553.XX): Cosmic Lynx leverages trusted IP addresses or mail service providers and configures DMARC protocol on their spoofed domains to bypass email filtering and avoid detection by spam filters.

6. Discovery (TA0007):

   1. Account Discovery (T1087):

      1. Email Accounts (T1087.003): Once inside the network, the group investigates email account structures to identify key communication flows and financial personnel, ensuring timely interception of transactions.

7. Privilege Escalation (TA0004) / Lateral Movement (TA0006) / Credential Access (TA0008):

   1. Internal Spearphishing (T1534): Cosmic Lynx utilizes internal spear-phishing to further compromise accounts within the organization, maintaining control over critical financial communications.

8. Impact (TA0040):

   1. Data Manipulation (T1565.002) and Financial Theft (T1657): The group manipulates invoice details, altering payment instructions to divert funds to mule accounts located in jurisdictions less likely to arouse suspicion, such as Hong Kong.

FIGURE 3.

Cosmic Lynx BEC TA TTPs MITRE ATT&CK matrix.

Show All

B. Case Study: Applying the Framework to Characterize Chiffon Herring

In this subsection, we demonstrate another application of the matrix developed from our research to characterize a real-world TA known as Chiffon Herring. Unlike large-scale actors such as Cosmic Lynx, Chiffon Herring operates with a focus on simpler BEC schemes, targeting organizations through payroll diversion and other financially motivated scams. Despite their less complex approach, the group effectively utilizes techniques that exploit trust and evade detection. The following characterization is based on insights from Abnormal Security Intelligence [58].

The characterization was achieved by extracting the TTPs of Chiffon Herring from CTI reports and mapping them into the matrix developed through our research. This mapping highlights the utility of the proposed techniques, including the newly introduced sub-techniques such as “Reply-To Field (T1557.XX)” and those under “Subvert Trust Controls (T1553).” These sub-techniques are critical for understanding how attackers impersonate legitimate communications without triggering alerts and establish persistence within email threat communications. In the following, we map the observed TTPs of Chiffon Herring to our framework, demonstrating their approach in multiple attack phases, with a graphical representation provided in Figure 4, appearing towards the end of this section.

1. Reconnaissance (TA0043):

   1. Victim Organization Information (T1591):

      1. Business Relationships (T1591.002) and Identify Roles (T1591.004): Chiffon Herring identifies key personnel involved in financial operations and maps organizational relationships to guide their attack strategy.

2. Resource Development (TA0042):

   1. Acquire Infrastructure (T1583):

      1. Domain (T1583.001): The group registers domains resembling legitimate organizations or financial services to lend credibility to their phishing emails.

   2. Establish Accounts (T1585):

      1. Email Accounts (T1585.002): Fake email accounts are created to impersonate key figures, such as financial officers, enhancing the success rate of their phishing campaigns.

3. Persistence (TA0003):

   1. Adversary-in-the-Middle (T1557):

      1. Reply-To Field (T1557.XX): Chiffon Herring modifies the “Reply-To” field in phishing emails to redirect responses to their own infrastructure, ensuring control over victim communications.

4. Defense Evasion (TA0005):

   1. Impersonation (T1656): The group impersonates trusted organizational figures or financial partners to increase the likelihood of successful scams.

   2. Subvert Trust Controls (T1553):

      1. Trustful IP Provider (T1553.XX): They use IP addresses from reputable regions to evade detection by security systems.

      2. Set Authentication Protocols (SPF, DKIM, DMARC) (T1553.XX): Authentication protocols are configured on spoofed domains to enhance their legitimacy.

      3. Trustful Mail Providers (T1553.XX): Reputable email providers are employed to ensure email delivery and avoid suspicion.

5. Impact (TA0040):

   1. Financial Theft (T1657): Chiffon Herring alters financial information to redirect payments to accounts they control, successfully defrauding organizations of significant sums.

FIGURE 4.

Chiffon herring BEC TA TTPs MITRE ATT&CK matrix.

Show All

The case studies of Cosmic Lynx and Chiffon Herring underscore the value of applying our refined BEC-specific MITRE ATT&CK matrix to characterize TAs operating at different scales and levels of sophistication. The distinct matrices generated for each TA highlight the differences in their operational methodologies, reinforcing the matrix’s role in attack attribution. For Cosmic Lynx, a highly organized and sophisticated group targeting multinational organizations and high-level executives, the matrix provides a standardized approach to mapping their complex tactics, techniques, and sub-techniques as derived from real-world CTI reports. This standardization facilitates the attribution of incidents and enables researchers to correlate TTP matrices across different groups, potentially uncovering connections between TAs operating under different given names by researchers. Conversely, the characterization of Chiffon Herring, a smaller-scale TA focused on simpler schemes such as payroll diversion, highlights the matrix’s versatility in guiding investigations of less sophisticated but equally impactful threats. Understanding the specific techniques employed by both TAs allows organizations to prioritize defensive measures, such as implementing targeted monitoring and applying preventative actions tailored to the scale and objectives of the adversary. These case studies demonstrate how the matrix not only enhances the organization and analysis of diverse threat behaviors but also serves as a practical tool for proactive defense strategies across a spectrum of adversaries.