The Rise of Email Marketing Platforms for Business Email Compromise Attacks
In a statistical report published in September 2024 by the Federal Bureau of Investigation (FBI), it was revealed that more than US$55 billion was lost to business email compromise (BEC) attacks between October 2013 and December 2023. This profitability drives attackers to further their techniques and adapt to security filters.
BEC is a highly sophisticated and researched scam that aims to bait a specific type of employee or department in a company. However, it is not uncommon for attackers to send spam waves targeting multiple employees and companies in one attack. To facilitate this, fraudsters are now employing email marketing platforms in their BEC campaigns.
BEC Spam Sources
Spam emails can come from different sources and be sent through different channels. Shown below is the breakdown of email senders by platform type for around 12,000 MailMarshal submissions in 2024.
- Webmail Providers
Also known as mail service providers, these services provide email hosting for individuals and businesses. They handle sending, receiving, and storing email for end users. This includes free and paid services such as Gmail, Yahoo, iCloud, and Yandex.
- Web Hosting and Cloud Services
Some web hosting companies also provide email hosting. They allow users to register and host new domains and then create email addresses under those domains, so users manage their website and mailbox through the same provider. Examples include Hostinger and Dynadot.
- Email Marketing Platforms
Also known as mass mailers or bulk mailers, these are tools that let individuals or businesses create, send, and manage bulk email campaigns to engage their audience or reach new prospects. SendGrid, Mailjet, and Mailgun are currently among the more widely used mass mailers.
- Software Suite
A software suite is a collection of two or more software applications bundled and sold together. The programs have related functionality or similar themes, and some bundles include an email client. The most popular example is Microsoft 365; another is Open-Xchange.
Figure 1. Breakdown of email sources for 2024 MailMarshal submissions
Early cases of CEO impersonation from the mid-2010s used free-to-use webmail providers in their attacks. This remains the preferred method of spam delivery for cyber attackers, accounting for the vast majority of submissions. Google's Gmail is the mail service provider most used by spammers to this day.
Other sources are present as well, though not as prominent as free email services. However, we did see an uptick in the use of email marketing platforms, or mass mailers, in 2024. Their large-scale delivery of email to a global audience has been an advantage for marketers and fraudsters alike.
Advantages of Using Email Marketing for Spam Delivery
- Bulk-sending Feature
Spammers can upload their extensive lists of targeted email addresses into their chosen platform(s) to send malicious emails in bulk. These platforms have a global reach, so targeting a certain demographic or region is easier.
- Automation and Customization
Many platforms support email automation and scheduling, allowing spammers to blast spam messages with minimal effort. Another feature that can be exploited is API integration, which fraudsters can customize and employ in their own scripts for crafting and sending spam.
- Spam-evasion Techniques
Staying up to date with spam filters is an important aspect of email marketing campaigns. Marketers want to reach as many clients and prospects as possible, and they don't want their emails to be filtered. To reduce the number of junked emails, mass mailer companies provide guides on how to craft email campaigns that avoid spam filters. Fraudsters can apply the same tips and tricks to ensure that their actual spam emails pass through security checks.
Depending on the amount and type of data the fraudsters have, they can simply plug the recipients' email addresses and the names or brands of the impersonated entities into the email content and headers. Paired with the reliable and efficient bulk-sending capabilities of email marketing platforms, this produces a spam campaign tailored to bait each victim, even if the list runs to hundreds or thousands of recipients.
Abused Email Marketing Platforms
The majority of the BEC spam sent using mass mailers uses multi-persona impersonation (MPI), where attackers pose as two or more entities. Often, they pose as a company executive and a representative from a third-party supplier. While the email varies based on the supplier or brand impersonated, they all use the invoice transaction lure: BEC messages in which a supposedly overdue invoice needs to be paid as soon as possible. It often takes the form of an email thread, as if these entities were conversing with each other. However, the entire thread is fabricated to lend legitimacy to the urgent payment request.
In this section, we will highlight and discuss specific mass mailers often used and the spam waves that they deliver.
Mailjet
Mailjet is a cloud-based email marketing tool for creating, sending, and tracking transactional emails and marketing campaigns. Its robust APIs allow ease of use and reliable delivery. It is no wonder it became a popular tool, not just for blasting benign newsletters and graymail, but also for spam.
Our example is a fake invoice email impersonating the company's CEO and an accountant from a social media platform. The first email, from the accountant, appears to be a legitimate notification containing a specific invoice number. It also mentions that the payment details are in an attached PDF, but no such document is present.
The second email, from the CEO, instructs the victim to pay via ACH. The CEO also says that future invoices from the supplier will be sent directly to the victim, indicating that this is not a one-time attack and will continue if the attackers succeed in fooling the victim.
Figure 2. An example of a BEC email sent via Mailjet
The header shows that the "From" address uses a compromised domain, and the "Reply-To" domain was newly created and registered on the same day this spam email was sent. The domain used by the accountant in the thread was not registered at the time of writing.
Figure 3. Email header details
We can also see in the "Message-ID" that it was sent through the Mailjet platform. Toward the end of the header portion, the platform-specific X-headers are present. X-MJ-Mid uniquely identifies the email within Mailjet's platform. A portion of the header value is also present in the Message-ID.
Figure 4. Mailjet X-headers
SendGrid
Fake invoice BEC attacks are not limited to newly registered domains. We also observed freemail addresses being used as the sender. These emails were sent not via the free webmail service itself but through the SendGrid infrastructure.
SendGrid (a.k.a. Twilio SendGrid) is a customer communication platform for managing transactional and marketing emails. It handles the backend processes involved in sending emails, such as ISP monitoring and domain keys. This cloud platform is well-known and widely used, with more than 148 billion emails sent every month.
This fake invoice transaction campaign uses two different email addresses in the "From" and "Reply-To" fields, a Gmail and an Outlook address respectively. Neither address belongs to the executive impersonated in the attack.
Figure 5. Header information showing the Gmail address and SendGrid Message ID
The header also contains the X-SG-EID and X-SG-ID fields. The former is an identifier of the email address used to send the message, whereas the latter is a broader identifier associated with the SendGrid user.
Figure 6. SendGrid X-headers
This attack targeted companies from multiple regions, including the US, UK, and Germany. We observed email samples written in English and German, matching the language spoken by the target recipients. The subject line also includes the name of the impersonated executive of the company, which shows that each email is tailored to the target.
Figure 7. BEC campaign as seen on MailMarshal
Despite the varying email addresses used in the "From" field, we can verify that these spam emails came from a single sender because they carry an identical X-Entity-ID header. This X-header is used in APIs to uniquely identify a specific user or object.
Figure 8. SendGrid X-header
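The sender correlation described above, as an added example that is not part of the original post or of SendGrid's tooling: a small Python script that groups a batch of raw messages by the account-level identifiers the write-up names (X-Entity-ID and X-SG-ID for SendGrid, X-Mailgun-Sending-Ip for Mailgun) and reports clusters in which several different "From" addresses map to one platform account. The sample headers are constructed for the example; the identifier values, domains and addresses are placeholders, not values from the blog's figures.

```python
import email
from collections import defaultdict
from email.utils import parseaddr

# Headers that, per the write-up, identify the sending account rather than
# the individual message. Checked in priority order; the first one present
# becomes the cluster key. (Per-message ids such as X-MJ-Mid, X-SG-EID and
# X-Mailgun-Sid are deliberately left out: they differ for every email.)
CLUSTER_HEADERS = ("X-Entity-ID", "X-SG-ID", "X-Mailgun-Sending-Ip")

# Constructed sample headers (placeholders, not copied from the blog).
# Three messages use different freemail "From" addresses but share one
# X-Entity-ID; one is a single Mailgun message; one carries no
# account-level identifier at all.
SAMPLES = [
"""From: "A. Executive" <a.executive.ceo@gmail.com>
Reply-To: a.executive@outlook.com
To: accounts@victim-a.example
Subject: RE: Invoice 10021
Message-ID: <m1.example@sendgrid.net>
X-SG-EID: EID-0001
X-SG-ID: SGID-0001
X-Entity-ID: ENTITY-0042

Please settle this today.
""",
"""From: "B. Executive" <b.executive.office@gmail.com>
Reply-To: b.executive@outlook.com
To: accounts@victim-b.example
Subject: FW: Invoice 10022
X-SG-EID: EID-0002
X-Entity-ID: ENTITY-0042

Bitte heute bezahlen.
""",
"""From: "C. Executive" <ceo.c.executive@gmail.com>
Reply-To: c.executive@outlook.com
To: finance@victim-c.example
Subject: RE: Invoice 10023
X-SG-EID: EID-0003
X-Entity-ID: ENTITY-0042

Approved for payment.
""",
"""From: "Billing" <billing@compromised-supplier.example>
To: accounts@victim-d.example
Subject: FW: Due Invoice 77001
X-Mailgun-Sid: SID-PLACEHOLDER
X-Mailgun-Sending-Ip: 203.0.113.10

Overdue, please remit.
""",
"""From: newsletter@shop.example
To: customer@victim-e.example
Subject: Your weekly deals

Nothing to cluster here.
""",
]


def from_addr(msg):
    """Bare address from the From header, lower-cased, or '' if absent."""
    return parseaddr(msg.get("From", ""))[1].lower()


def cluster_key(msg):
    """Return 'Header=value' for the first account-level header present."""
    for name in CLUSTER_HEADERS:
        value = msg.get(name)
        if value and value.strip():
            return f"{name}={value.strip()}"
    return None


def cluster_by_sender(raw_messages):
    """Map each cluster key to the list of From addresses seen under it."""
    clusters = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        clusters[cluster_key(msg) or "unclustered"].append(from_addr(msg))
    return dict(clusters)


def suspicious_clusters(clusters, min_distinct_froms=2):
    """Cluster keys under which multiple distinct From addresses appear,
    i.e. one platform account rotating its displayed sender."""
    return sorted(key for key, froms in clusters.items()
                  if key != "unclustered" and len(set(froms)) >= min_distinct_froms)


if __name__ == "__main__":
    clusters = cluster_by_sender(SAMPLES)
    for key, froms in clusters.items():
        print(key, "->", froms)
    print("rotating senders:", suspicious_clusters(clusters))
```

Run over a day's quarantine, the `suspicious_clusters` output is the short list of platform accounts worth reporting to the provider's abuse desk, since the X-Entity-ID or X-SG-ID value is what the provider can act on, whereas the freemail "From" addresses change per target.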
Mailgun
Mailgun is a transactional email service provider used to send, receive, and track emails easily, and is specifically designed for software developers. It provides APIs that can be integrated into applications and systems for automated transactional and marketing emails. Mailgun offers client integrations for various languages such as Python, Ruby, Java, and C.
Its scalability and ease of integration allow for effective email blasting, whether the content is ham, graymail, or spam.
We identified a spam campaign that impersonated a peer advisory group for CEOs and asks for payment for a leadership development program.
Just like the previous examples, the initial part of the email is the supposed accountant reminding the executive about the outstanding payment for the program membership. However, in the second email, the executive directs the accountant to contact the target employee by email. The latest entry in the thread shows the accountant "forwarding" this exchange to the target and setting an end-of-day (EOD) deadline. This pressures the target recipient to complete the payment as quickly as possible. The approach differs from the previous examples, where the executive forwards the unpaid invoice.
Figure 9. A BEC email sent via Mailgun
Analyzing the header, we can see that the domain used in the "Sender" and "From" fields is a legitimate but compromised domain. The "Reply-To" domain was created on November 26, 2024, the day before this spam email was sent to the recipients. Neither domain belongs to the target company or the supplier.
Another item to note is the blank CC field. Typically, when left blank, this field is removed by email clients. In this campaign the "To" address already contains the target email address, so most likely the script used to blast these emails simply did not clear out the CC field.
Figure 10. The peculiar email header of our BEC email sample
These are the X-headers stamped by Mailgun. X-Mailgun-Sending-Ip contains the IP address, owned by the user, that was used to send the email; so far, we have noted three IP addresses. Mailgun also features IP Pools, where users can group IPs by usage. If an IP Pool ID is provided, the email is sent using an IP that belongs to that pool, but in our example none was specified. X-Mailgun-Sid is another custom field that serves as a message identifier.
Figure 11. Mailgun X-headers
Usage of Multiple Mass Mailers for a BEC Campaign
There are instances wherein a BEC attack uses multiple mass mailers to target as many companies as possible. The mass mailer used also changes over time to evade detection.
We have another example below where the impersonated supplier is a popular data broker company. In the first part of the email, an accountant from the supplier is directly contacting the company CEO for an outstanding payment. This reminder is then “forwarded” by the fraudsters to the target victim, now disguised as the company executive.
Figure 12. BEC email impersonating a CEO and ZoomInfo
Inspecting the header, we immediately see that neither the "From" nor the "Reply-To" address is a company-owned domain. The "From" address is a compromised or spoofed account, whereas the "Reply-To" address uses a domain that is less than a year old. If the recipient replies, the email goes to the "Reply-To" address.
This attack also directly targeted the accounting departments of companies, as we can see in the "To" address.
Figure 13. Email header showing the targeted company’s accounting department
This campaign was observed during the second week of September 2024 and is still active at the time of writing. The email marketing platform used has changed over the months, along with the "From" address and the "Subject" line. The subject lines all carry the prefix "FW" (forward) or "RE" (which could mean "regarding" or "reply"). The former indicates that the email has been forwarded to the recipient, and the latter that the current email is a reply to a specific earlier one. These two prefixes add to the illusion that there is an actual email exchange between the executive and the supplier. Observed subject lines:
- FW: ZoomInfo Invoice {invoice number} - Approved for payment
- FW: ZoomInfo Invoice #{invoice number}
- RE: The SalesOS Pro Invoice {invoice number}
- FW: Invoice {invoice number} Subscription
- FW: Due Invoice {invoice number} ( Approved )
The lure, the impersonated accountant, and the third-party supplier remained the same.
Here are some of the mass mailers used and their X-headers:
Mailjet:
Figure 14. Mailjet X-header
SendGrid:
Figure 15. SendGrid X-header
Mandrill, a transactional API of MailChimp:
Figure 16. Mandrill X-header
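The header checks from the Mailgun section (From and Reply-To on different, non-company domains; a blank CC left in by the sending script) and the platform fingerprints from this section, combined into one triage routine as an added example that is not part of the original post or of any of the platforms' tooling. The Mailjet, SendGrid and Mailgun header names are the ones the write-up shows; the Mandrill header name (X-Mandrill-User) and the Message-ID substrings used as a fallback are assumptions, not values from the page. The two raw messages are constructed samples with placeholder domains and identifiers. Domain age, which the write-up checks by hand, needs a registration lookup and is left to the caller.

```python
import email
import re
from email.utils import parseaddr

# Platform fingerprints. Mailjet/SendGrid/Mailgun names are from the
# write-up; X-Mandrill-User is an assumption for Mandrill.
PLATFORM_HEADERS = {
    "Mailjet": ("X-MJ-Mid",),
    "SendGrid": ("X-SG-EID", "X-SG-ID", "X-Entity-ID"),
    "Mailgun": ("X-Mailgun-Sid", "X-Mailgun-Sending-Ip"),
    "Mandrill": ("X-Mandrill-User",),
}

# Fallback fingerprint on the Message-ID (the write-up notes the Mailjet
# Message-ID reveals the platform). Substrings are assumed, not copied.
MESSAGE_ID_HINTS = (
    ("mailjet", "Mailjet"),
    ("sendgrid", "SendGrid"),
    ("mailgun", "Mailgun"),
    ("mandrillapp", "Mandrill"),
)

# "FW:" / "RE:" prefix plus the word "invoice" anywhere in the subject,
# matching the fabricated-thread lure listed in the write-up.
INVOICE_THREAD_SUBJECT = re.compile(r"^\s*(FW|RE)\s*:.*\binvoice\b", re.IGNORECASE)

# Constructed BEC-style sample: compromised "From" domain, different
# "Reply-To" domain, empty Cc header, forwarded-invoice subject, Mailjet id.
BEC_SAMPLE = """From: "CEO Name" <ceo@compromised-supplier.example>
Reply-To: ceo@newly-registered.example
To: accounting@target-company.example
Cc:
Subject: FW: Due Invoice 55821 ( Approved )
Message-ID: <placeholder-id@mailjet.com>
X-MJ-Mid: MJ-MID-PLACEHOLDER

Please process this today.
"""

# Constructed benign sample: newsletter relayed through SendGrid.
BENIGN_SAMPLE = """From: "Shop" <newsletter@shop.example>
Reply-To: hello@shop.example
To: customer@target-company.example
Subject: Your weekly deals
Message-ID: <placeholder-id@sendgrid.net>
X-SG-EID: EID-PLACEHOLDER

This week's offers.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def identify_platform(msg):
    """Name the mass mailer from its X-headers, else from the Message-ID."""
    for platform, names in PLATFORM_HEADERS.items():
        if any(msg.get(name) for name in names):
            return platform
    message_id = (msg.get("Message-ID") or "").lower()
    for needle, platform in MESSAGE_ID_HINTS:
        if needle in message_id:
            return platform
    return None


def triage(raw):
    """Return the platform fingerprint and the lure/header flags for one message."""
    msg = email.message_from_string(raw)
    flags = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    # Replies are diverted to a domain other than the one the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")
    # A Cc header that is present but empty: the sending script never cleared it.
    if "Cc" in msg and not (msg.get("Cc") or "").strip():
        flags.append("empty-cc-header")
    if INVOICE_THREAD_SUBJECT.search(msg.get("Subject", "")):
        flags.append("forwarded-invoice-subject")
    return {
        "platform": identify_platform(msg),
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "flags": flags,
    }


if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

The platform name alone is not a verdict, since the same headers appear on legitimate newsletters; it is the combination of a mass-mailer fingerprint with a diverted Reply-To domain and an invoice-thread subject that separates the campaign described here from ordinary graymail, and it is what a mail gateway rule or SIEM query should key on.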
Conclusion
In summary, we observed multiple BEC spam sources and senders throughout 2024, and the vast majority of submissions came from mailbox providers such as Gmail. However, there is a steady increase in the use of email marketing platforms such as Mailjet, SendGrid, and Mailgun. This tactic lets cyber attackers exploit the reputation of mass mailer platforms to deliver malicious messages to numerous target recipients. The core feature of sending email in bulk is advantageous for spammers looking to catch as many victims as possible. Other features, including automation and API integration, allow them to customize their emails and blast them with minimal effort.
It is no wonder that email marketing platforms have become a part of fraudsters’ arsenal. We expect to see more BEC and other types of malicious emails being sent using mass mailers.
As always, we remind everyone to stay safe and vigilant against suspicious and unsolicited emails, even if they look like they came from your boss.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.