Files
Anthropic-Cybersecurity-Skills/skills/detecting-business-email-compromise/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.1 KiB

name, description, domain, subdomain, tags, version, author, license, atlas_techniques, nist_ai_rmf, d3fend_techniques, nist_csf
name description domain subdomain tags version author license atlas_techniques nist_ai_rmf d3fend_techniques nist_csf
detecting-business-email-compromise Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, cybersecurity phishing-defense
phishing
email-security
social-engineering
dmarc
awareness
bec
fraud
1.0 mahipal Apache-2.0
AML.T0052
AML.T0088
GOVERN-6.2
MAP-5.2
Restore Object
Restore Configuration
Application Configuration Hardening
Application Hardening
Disable Remote Access
PR.AT-01
DE.CM-09
RS.CO-02
DE.AE-02

Detecting Business Email Compromise

Overview

Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This skill covers detection techniques using email gateway rules, behavioral analytics, and financial process controls.

When to Use

  • When investigating security incidents that require detecting business email compromise
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Email security gateway with BEC detection capabilities
  • Understanding of organizational financial processes and approval chains
  • Access to email logs and SIEM platform
  • Knowledge of social engineering tactics

Key Concepts

BEC Attack Types (FBI IC3 Classification)

  1. CEO Fraud: Attacker impersonates CEO, requests urgent wire transfer
  2. Account Compromise: Employee email compromised, used to request payments from vendors
  3. False Invoice Scheme: Fake invoices from "vendor" with changed bank details
  4. Attorney Impersonation: Impersonates legal counsel for urgent confidential transfers
  5. Data Theft: Requests W-2, tax forms, or PII from HR

Detection Indicators

  • Urgency and secrecy language ("confidential", "do not discuss with others")
  • New or changed payment instructions
  • Executive communication outside normal patterns
  • Display name matches executive but email domain differs
  • Reply-to address differs from From address
  • First-time communication pattern between sender and recipient
  • Request for gift cards or cryptocurrency

Workflow

Step 1: Configure BEC-Specific Email Rules

  • Flag emails with VIP display names from external domains
  • Detect financial keywords combined with urgency language
  • Alert on first-time sender to finance/accounting staff
  • Check for Reply-To domain mismatch

Step 2: Deploy Behavioral Analytics

  • Baseline normal communication patterns per user
  • Detect anomalous requests (unusual recipient, unusual time, unusual request type)
  • Monitor for email forwarding rule changes (T1114.003)

Step 3: Implement Financial Controls

  • Dual-authorization for wire transfers above threshold
  • Out-of-band verification for payment detail changes (phone callback)
  • Vendor payment change verification process
  • Finance team training on BEC red flags

Step 4: Monitor for Account Compromise

  • Detect impossible travel in email login locations
  • Alert on email forwarding rule creation
  • Monitor for mailbox delegation changes
  • Check for inbox rules hiding BEC-related emails

Tools & Resources

  • Microsoft Defender for O365 Anti-BEC: Built-in BEC detection
  • Proofpoint Email Fraud Defense: BEC-specific solution
  • Abnormal Security: AI-driven BEC detection
  • FBI IC3 BEC Advisory: https://www.ic3.gov/
  • FinCEN BEC Advisory: Financial institution guidance

Validation

  • BEC detection rules trigger on test scenarios
  • Financial controls prevent unauthorized transfers in drills
  • Account compromise detection catches simulated attacks
  • Reduced BEC susceptibility in awareness assessments