
Microsoft: BEC Scammers Use Residential IPs to Evade Detection

BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.

Cybercriminals are using residential IP addresses in business email compromise (BEC) attacks to make them seem locally generated and evade detection, Microsoft says.

The number of reported BEC attacks is constantly increasing: the Federal Bureau of Investigation (FBI) received close to 22,000 BEC complaints in 2022, with losses totaling over $2.7 billion.

As part of a BEC attack, cybercriminals use compromised or spoofed email addresses to send fraudulent requests for wire transfers to employees in charge of making or authorizing payments. The fraudsters request payments to be made to bank accounts they control.

One of the latest tactics BEC scammers have adopted is purchasing, from residential IP services, IP addresses that match the location of their victim, which allows them to mask the origin of their login attempts.

“Armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent ‘impossible travel’ flags, and open a gateway to conduct further attacks,” Microsoft explains.

‘Impossible travel’ detection flags activity performed at two locations within a shorter amount of time than is required to travel from one location to the other.

“Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts. Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks,” Microsoft notes.


The tech giant has observed BEC scammers in Asia and an Eastern European country frequently using this tactic.

The threat actors use phishing-as-a-service offerings to obtain login credentials, including BulletProftLink, which uses Internet Computer public blockchain nodes for the hosting of phishing and BEC sites, making takedown more difficult.

Organizations are advised to set specific email rules to block messages from outside parties, implement strong authentication methods, train employees to spot fraudulent emails, use secure email solutions, and implement domain-based message authentication, reporting, and conformance (DMARC) policies to protect against spoofed emails.

“Threat actors’ BEC attempts can take many forms – including phone calls, text messages, emails, or social media messages. Spoofing authentication request messages and impersonating individuals and companies are also common tactics,” Microsoft notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
