Jet Mariano

Tag: EOP

  • How BEC (Business Email Compromise) and EAC (Email Account Compromise) Work, and How Proofpoint + EAC Controls Stop Them

    Introduction

    BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today.
    They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.

    Microsoft 365 alone cannot fully protect against these attacks.
    That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.

    This blog explains:

    • How BEC works
    • How EAC happens
    • What attackers exploit
    • Why RFC email standards make impersonation easy
    • How Proofpoint + EAC controls shut these attacks down

    Perfect material for any advanced interview panel.

    What Is Business Email Compromise (BEC)?

    BEC is when attackers pretend to be:

    • your CEO,
    • your CFO,
    • your HR director,
    • a vendor,
    • or someone with financial authority

    …with the goal of manipulating employees into:

    • wiring money
    • changing direct deposit info
    • sending W-2s
    • releasing confidential documents
    • approving purchases

    🔸 The key point:

    BEC uses identity deception, not malware.
    No attachments.
    No links.
    Just social engineering in a clean email.

    How BEC Works (Step-By-Step)

    1. Reconnaissance

    Attackers scrape:

    • LinkedIn
    • Company directory leaks
    • Press releases
    • Vendor invoices
    • Social media

    They map who communicates with whom.

    2. Identity Impersonation

    They spoof:

    • Display names
    • Envelope sender
    • Reply-To address
    • SPF-valid lookalike domains

    Example:
    [email protected]
    [email protected]

    3. Thread Hijacking

    They do this by compromising a vendor mailbox and replying inside an existing email chain.

    4. Social Engineering

    The attacker sends a “clean” request:

    • “Are you available?”
    • “I need this wire sent ASAP.”
    • “Can you update this banking information?”

    5. Financial Fraud

    Once the attacker has the employee’s trust — the money is gone.

    What Is Email Account Compromise (EAC)?

    EAC is when the attacker actually logs in to a real mailbox.

    Not spoofing.
    Not faking.
    Real access.

    How they gain access:

    • MFA fatigue
    • Password reuse
    • Legacy protocol with no MFA
    • OAuth token theft
    • Malware stealing credentials
    • Phishing pages identical to Microsoft login

    Once inside, attackers:

    • Set up hidden forwarding rules
    • Delete MFA alerts
    • Change mailbox rules
    • Hijack vendor threads
    • Sit silently and wait for financial conversations

    EAC is dangerous because the attacker uses your real domain, your real mailbox reputation, your real account.

    This is why simply having SPF, DKIM, and DMARC does not stop EAC.

    Why Proofpoint Is Needed (Beyond RFC Email Standards)

    RFC email standards allow spoofing by design.

    Attackers can:

    • abuse SMTP commands
    • spoof the “MAIL FROM”
    • spoof the “From:” header
    • use free SMTP servers
    • harvest SPF/DKIM values via nslookup
    • build near-perfect domain clones

    Example:

    nslookup -type=txt _dmarc.victim-domain.com
nslookup -type=txt selector._domainkey.victim-domain.com

    Attackers see your exact SPF/DKIM configuration.
    They spoof accordingly.

    This is why relying on RFC standards alone is not enough.

    How Proofpoint Stops BEC and EAC

    1. Identity Protection

    Proofpoint checks:

    • display name anomalies
    • domain lookalikes
    • impossible travel
    • VIP impersonation attempts
    • internal vs external identity mapping
    • “Reply-To mismatch”
    • “Header vs Envelope mismatch”

    Microsoft EOP can do part of this,
    Proofpoint does it with far more accuracy.

    2. Vendor Fraud Protection

    Proofpoint fingerprints:

    • vendor sending behavior
    • previous conversation style
    • writing style
    • IP reputation

    If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”

    This is one of the strongest EAC protections in the industry.

    3. DMARC Enforcement + Lookalike Domain Defense

    Proofpoint enforces:

    • Domain alignment
    • Display name behavior
    • Header-from authentication
    • Cross-identity matching

    Lookalike domains” examples (generic only):

    • company-secure.com
    • companny.com
    • c0mpany-support.com
    • company-mailservice.com

    These would pass traditional email filters.

    4. URL and Payload Isolation

    Even if links look clean, Proofpoint re-writes and detonates them.

    Although BEC rarely has links, EAC-based phishing almost always does.

    5. Machine Learning on Human Behavior

    Proofpoint analyzes:

    • who talks to whom
    • frequency
    • direction
    • urgency phrases
    • tone manipulation

    If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.

    Real-World Example (Anonymized)

    A vendor’s mailbox was compromised.
    The attacker replied inside an existing thread asking to update bank account numbers.

    Microsoft EOP didn’t block it — it came from a legitimate vendor domain.

    Proofpoint flagged:

    • anomalous IP
    • unusual writing style
    • “conversation thread hijacking detected”
    • vendor identity risk score

    Proofpoint blocked the message before it reached the user’s mailbox.

    This is exactly why companies invest in Proofpoint.

    Conclusion

    BEC and EAC are no longer “IT problems.”
    They are financial crimes, costing billions worldwide.

    Microsoft 365 gives strong baseline protection,
    but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.

    Proofpoint closes those gaps with:

    • identity defense
    • behavioral AI
    • vendor fraud detection
    • DMARC enforcement
    • mailbox compromise detection
    • impersonation protection

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Exchange Online Throttling Policies: Why They Exist, When to Modify Them, and How to Justify Changes

    Introduction

    Exchange Online throttling policies exist for one core reason — to keep the Microsoft 365 ecosystem healthy, stable, and resistant to abuse.
    Throttling protects the service from:

    • Excessive load
    • Misconfigured applications
    • Compromised accounts sending thousands of emails
    • Bulk operations that can degrade tenant performance

    It’s not a punishment.
    It’s Microsoft’s way of guaranteeing fairness across millions of tenants.

    But in real production environments — especially at the enterprise, hybrid, or application-integration level — default throttling limits can sometimes block legitimate business-critical operations.
    And when that happens, you must know:

    1. Why throttling exists
    2. How to detect throttling
    3. When it’s justified to modify limits
    4. How to request changes with Microsoft support

    This is one of the topics principal-level interviewers love because it shows deep operational understanding.

    Why Throttling Exists in Exchange Online

    Microsoft enforces throttling to prevent:

    1. Service Abuse

    A single compromised account can send 10,000+ spam emails within minutes.
    Throttling slows these bursts so EOP can react and block the session.

    2. Tenant Misconfigurations

    Common misconfigurations that trigger throttling:

    • Line-of-business apps sending too many messages too quickly
    • Applications reusing connections improperly
    • Legacy services using Basic Auth patterns
    • Scripts or PowerShell modules pulling data too fast

    3. System Stability

    If every tenant could push unlimited requests, the shared service collapses.
    Throttling ensures:

    • CPU fairness
    • Bandwidth fairness
    • Queue stability
    • Storage and transport efficiency

    How to Detect Throttling Events

    You will usually see:

    📌 Error Examples

    • Server Busy
    • Backoff due to throttling policy
    • TooManyConcurrentConnections
    • Exceeded message submission rate limit
    • SendAsDenied triggered by backlog saturation

    📌 Where You See These

    • Exchange message trace
    • Transport logs
    • Application logs
    • SMTP client logs
    • EOP reports
    • PowerShell scripts returning "ProcessingStopped"

    📌 Behavioral Symptoms

    • Messages stuck in Outbox
    • Applications retrying endlessly
    • High SMTP queue latency
    • Inconsistent delivery within seconds-to-minutes range

    When It Is Appropriate to Modify Exchange Online Throttling

    This is key.
    You never change throttling “because someone wants faster emails.”
    You change throttling for business justification only, such as:

    1. Application Mailbox Accounts

    These accounts often need higher:

    • MaxSendRate
    • RecipientRateLimit
    • MessageRateLimit

    Examples:

    • ERP systems
    • CRM systems
    • Manufacturing systems (Backflush, MES, D365)
    • Monitoring systems
    • Ticketing systems (ServiceNow, Jira, Zendesk)

    2. Hybrid Exchange Servers

    Hybrid servers may require adjusted:

    • PowerShell concurrency
    • EWS limits
    • MRS (Mailbox Replication Service) migration speeds

    Especially during:

    • Large cutovers
    • Fast-track migrations
    • Bulk mailbox moves

    3. Automated Services Needing High Burst Throughput

    Scenarios where default throttling causes issues:

    • Finance systems sending thousands of statements
    • HR systems sending open enrollment packets
    • Email marketing systems using authenticated SMTP
    • Daily reporting engines generating PDFs for hundreds of users

    How to Justify Throttling Changes to Microsoft Support

    This is where senior-level experience shows.

    Microsoft will not modify throttling unless you prove:

    1. Operational Need

    Explain what system is being blocked.

    2. Business Impact

    Show examples:

    • Delayed invoices
    • Delayed purchase orders
    • Delayed system alerts
    • Delayed manufacturing workflows

    3. Technical Evidence

    Provide logs showing:

    • Backoff errors
    • Submission rate failures
    • EWS throttling hits
    • Application retry loops

    4. Confirmation That It’s Not Spam

    Show the account is app credentialed, not user-driven.

    5. You Have Already Tuned the Application

    Microsoft wants evidence that:

    • Retry logic exists
    • Connection reuse is efficient
    • Burst sending is controlled

    If justified, Microsoft raises throttling for:

    Specific service accounts only
    (Never the whole tenant.)

    They may change:

    • Recipient rate limits
    • Message burst limits
    • EWS or Graph concurrency
    • PowerShell session limits

    Common Interview Question: “Why Not Remove Throttling Entirely?”

    Perfect answer:

    “Because throttling is part of Microsoft’s multi-tenant stability and security model.
    Without it, one tenant’s misconfiguration or compromised account could degrade the entire service.
    Changes should be scoped, justified, temporary, and monitored.”

    PowerShell: Checking Throttling Policy Assigned to a Mailbox

    Get-ThrottlingPolicyAssociation -Identity [email protected]

    PowerShell: View Existing Throttling Policies

    Get-ThrottlingPolicy | fl Name,MessageRateLimit,RecipientRateLimit

    PowerShell: Create a Dedicated Policy for an App Mailbox

    Set-ThrottlingPolicyAssociation -Identity [email protected] -ThrottlingPolicy AppMailboxPolicy

    Conclusion

    Throttling is not the enemy.
    It’s a guardrail.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!