以下为本文档的中文说明Detecting Business Email Compromise 是一个专注于检测商务电子邮件欺诈BEC的专业安全技能。BEC 是一种复杂的欺诈手段攻击者冒充高管、供应商或可信合作伙伴诱骗员工转账资金、泄露敏感数据或更改付款信息。与传统网络钓鱼不同BEC 通常不包含恶意链接或附件纯粹依赖社会工程学手段。该技能涵盖的检测技术包括邮件网关规则配置、行为分析技术以及财务流程控制机制。使用场景涵盖安全事件调查中需要检测 BEC 时、构建该领域的检测规则或威胁狩猎查询时、安全运营中心SOC分析师需要结构化的分析流程时以及验证安全控制有效性时。该技能的独特价值在于它处理的是一种利用人类信任而非技术漏洞的攻击方式。它融合了技术检测邮件头分析、发件人认证验证、异常模式识别和流程控制双重确认机制、异常交易审核两个维度。对于企业的安全团队而言该技能提供了一套系统的 BEC 检测方法论能够有效降低这类高危害性欺诈的成功率。它还涵盖了检测规则的构建、威胁狩猎查询的编写规则和验证方法。该技能也提供了员工安全意识培训的指导建议帮助组织从技术和管理两个层面构建针对 BEC 的纵深防御体系最大程度降低因社会工程攻击造成的财务损失。Detecting Business Email CompromiseOverviewBusiness Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This skill covers detection techniques using email gateway rules, behavioral analytics, and financial process controls.When to UseWhen investigating security incidents that require detecting business email compromiseWhen building detection rules or threat hunting queries for this domainWhen SOC analysts need structured procedures for this analysis typeWhen validating security monitoring coverage for related attack techniquesPrerequisitesEmail security gateway with BEC detection capabilitiesUnderstanding of organizational financial processes and approval chainsAccess to email logs and SIEM platformKnowledge of social engineering tacticsKey ConceptsBEC Attack Types (FBI IC3 Classification)CEO Fraud: Attacker impersonates CEO, requests urgent wire transferAccount Compromise: Employee email compromised, used to request payments from vendorsFalse Invoice Scheme: Fake invoices from “vendor” with changed bank detailsAttorney Impersonation: Impersonates legal counsel for urgent confidential transfersData Theft: Requests W-2, tax forms, or PII from HRDetection IndicatorsUrgency and secrecy language (“confidential”, “do not discuss with others”)New or changed payment instructionsExecutive communication outside normal patternsDisplay name matches executive but email domain differsReply-to address differs from From addressFirst-time communication pattern between sender and recipientRequest for gift cards or cryptocurrencyWorkflowStep 1: Configure BEC-Specific Email RulesFlag emails with VIP display names from external domainsDetect financial keywords combined with urgency languageAlert on first-time sender to finance/accounting staffCheck for Reply-To domain mismatchStep 2: Deploy Behavioral AnalyticsBaseline normal communication patterns per userDetect anomalous requests (unusual recipient, unusual time, unusual request type)Monitor for email forwarding rule changes (T1114.003)Step 3: Implement Financial ControlsDual-authorization for wire transfers above thresholdOut-of-band verification for payment detail changes (phone callback)Vendor payment change verification processFinance team training on BEC red flagsStep 4: Monitor for Account CompromiseDetect impossible travel in email login locationsAlert on email forwarding rule creationMonitor for mailbox delegation changesCheck for inbox rules hiding BEC-related emailsTools ResourcesMicrosoft Defender for O365 Anti-BEC: Built-in BEC detectionProofpoint Email Fraud Defense: BEC-specific solutionAbnormal Security: AI-driven BEC detectionFBI IC3 BEC Advisory: https://www.ic3.gov/FinCEN BEC Advisory: Financial institution guidanceValidationBEC detection rules trigger on test scenariosFinancial controls prevent unauthorized transfers in drillsAccount compromise detection catches simulated attacksReduced BEC susceptibility in awareness assessments