Jet Mariano

How BEC (Business Email Compromise) and EAC (Email Account Compromise) Work, and How Proofpoint + EAC Controls Stop Them

Written by

jetnmariano

in

Introduction

BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today.
They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.

Microsoft 365 alone cannot fully protect against these attacks.
That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.

This blog explains:

  • How BEC works
  • How EAC happens
  • What attackers exploit
  • Why RFC email standards make impersonation easy
  • How Proofpoint + EAC controls shut these attacks down

Perfect material for any advanced interview panel.

What Is Business Email Compromise (BEC)?

BEC is when attackers pretend to be:

  • your CEO,
  • your CFO,
  • your HR director,
  • a vendor,
  • or someone with financial authority

…with the goal of manipulating employees into:

  • wiring money
  • changing direct deposit info
  • sending W-2s
  • releasing confidential documents
  • approving purchases

🔸 The key point:

BEC uses identity deception, not malware.
No attachments.
No links.
Just social engineering in a clean email.

How BEC Works (Step-By-Step)

1. Reconnaissance

Attackers scrape:

  • LinkedIn
  • Company directory leaks
  • Press releases
  • Vendor invoices
  • Social media

They map who communicates with whom.

2. Identity Impersonation

They spoof:

  • Display names
  • Envelope sender
  • Reply-To address
  • SPF-valid lookalike domains

Example:
[email protected]
[email protected]

3. Thread Hijacking

They do this by compromising a vendor mailbox and replying inside an existing email chain.

4. Social Engineering

The attacker sends a “clean” request:

  • “Are you available?”
  • “I need this wire sent ASAP.”
  • “Can you update this banking information?”

5. Financial Fraud

Once the attacker has the employee’s trust — the money is gone.

What Is Email Account Compromise (EAC)?

EAC is when the attacker actually logs in to a real mailbox.

Not spoofing.
Not faking.
Real access.

How they gain access:

  • MFA fatigue
  • Password reuse
  • Legacy protocol with no MFA
  • OAuth token theft
  • Malware stealing credentials
  • Phishing pages identical to Microsoft login

Once inside, attackers:

  • Set up hidden forwarding rules
  • Delete MFA alerts
  • Change mailbox rules
  • Hijack vendor threads
  • Sit silently and wait for financial conversations

EAC is dangerous because the attacker uses your real domain, your real mailbox reputation, your real account.

This is why simply having SPF, DKIM, and DMARC does not stop EAC.

Why Proofpoint Is Needed (Beyond RFC Email Standards)

RFC email standards allow spoofing by design.

Attackers can:

  • abuse SMTP commands
  • spoof the “MAIL FROM”
  • spoof the “From:” header
  • use free SMTP servers
  • harvest SPF/DKIM values via nslookup
  • build near-perfect domain clones

Example:

nslookup -type=txt _dmarc.victim-domain.com
nslookup -type=txt selector._domainkey.victim-domain.com

Attackers see your exact SPF/DKIM configuration.
They spoof accordingly.

This is why relying on RFC standards alone is not enough.

How Proofpoint Stops BEC and EAC

1. Identity Protection

Proofpoint checks:

  • display name anomalies
  • domain lookalikes
  • impossible travel
  • VIP impersonation attempts
  • internal vs external identity mapping
  • “Reply-To mismatch”
  • “Header vs Envelope mismatch”

Microsoft EOP can do part of this,
Proofpoint does it with far more accuracy.

2. Vendor Fraud Protection

Proofpoint fingerprints:

  • vendor sending behavior
  • previous conversation style
  • writing style
  • IP reputation

If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”

This is one of the strongest EAC protections in the industry.

3. DMARC Enforcement + Lookalike Domain Defense

Proofpoint enforces:

  • Domain alignment
  • Display name behavior
  • Header-from authentication
  • Cross-identity matching

Lookalike domains” examples (generic only):

  • company-secure.com
  • companny.com
  • c0mpany-support.com
  • company-mailservice.com

These would pass traditional email filters.

4. URL and Payload Isolation

Even if links look clean, Proofpoint re-writes and detonates them.

Although BEC rarely has links, EAC-based phishing almost always does.

5. Machine Learning on Human Behavior

Proofpoint analyzes:

  • who talks to whom
  • frequency
  • direction
  • urgency phrases
  • tone manipulation

If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.

Real-World Example (Anonymized)

A vendor’s mailbox was compromised.
The attacker replied inside an existing thread asking to update bank account numbers.

Microsoft EOP didn’t block it — it came from a legitimate vendor domain.

Proofpoint flagged:

  • anomalous IP
  • unusual writing style
  • “conversation thread hijacking detected”
  • vendor identity risk score

Proofpoint blocked the message before it reached the user’s mailbox.

This is exactly why companies invest in Proofpoint.

Conclusion

BEC and EAC are no longer “IT problems.”
They are financial crimes, costing billions worldwide.

Microsoft 365 gives strong baseline protection,
but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.

Proofpoint closes those gaps with:

  • identity defense
  • behavioral AI
  • vendor fraud detection
  • DMARC enforcement
  • mailbox compromise detection
  • impersonation protection

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts

error: Content is protected !!