Shield protect

PSAT Use Case: How One Trained User Helped Stop a Massive BEC Campaign Targeting U.S. Government Agencies 

Share with your network!

In late September 2023, an unattributed business email compromise (BEC) actor sent thousands of highly targeted messages to at least 100 customers across Proofpoint. The attacker targeted individuals who had connections to the U.S. Department of Defense.  

The intended victims of the BEC campaign worked in functions such as business development, sales and procurement. The attacker likely wanted to take advantage of increased procurement activity at the end of the fiscal year. 

Fortunately, a trained and security-aware employee caught the threat and reported it. That helped to protect hundreds of federal customers across the landscape.  

In this blog, we’ll examine what exactly happened so that you can see how consistent training and awareness about threats likely to target your users can protect your business—and hundreds of others like it. 

The timeline—before, during and after the attack 

Here’s a closer look at the details surrounding this BEC incident: 

Pre-attack: 

Before the attack, end users underwent consistent security awareness and training. The training was designed to educate employees on BEC and other government themed lures, which were most likely to be seen by employees who were at risk. One of the key components of the training had been the sharing of Threat Intelligence to all employees via weekly newsletters and bi-weekly webinars. 

During the attack: 

  • In mid-September, a U.S. government-affiliated employee was the first to receive the BEC threat. 
  • This user recognized the threat—even though the attacker had not targeted them before—because it looked like one they’d seen in past that had focused on government bids and proposals.  
  • The user then alerted security to the threat using the Report Phish button in their email client.  

Post-attack: 

  • Detection systems were updated in response to this employee’s quick action. 
  • Proofpoint blocked, alerted and pulled messages from hundreds of Proofpoint customers. 
  • Proofpoint account and threat intelligence teams also notified dozens of other government entities that were not our customers to help protect the larger federal sector. 

Follow-on attacks 

After the first attack, the threat actor continued with the same tactics using a different email address.  

Meanwhile, Proofpoint continued to send out alerts about this BEC threat to our customers and government partners. As a result, the threat was blocked across hundreds of Proofpoint customers and thousands of malicious messages were stopped from reaching users’ inboxes.  

What we know about this threat 

BEC attackers are often very strategic in their efforts to trick their intended targets. In this case, we know that the user was never targeted by this bad actor before. Additionally, we learned that: 

  • The attacker spoofed a legitimate government user and proposal process. (The attacker spoofed the email address of a Federal Emergency Management Agency employee.) 
  • The email was sent two weeks before the end of the U.S. government fiscal year; this is a time of high stress and high tempo throughout all government organizations and contractors. 
  • The message contained no misspellings or other red flags signaling it might be a BEC attempt. 

This incident underscores the value of consistent threat intelligence and user training and awareness. The swift action of one informed user helped Proofpoint to protect our customers from this BEC attack, as well as many other businesses and users. 

Learn more 

To learn about Proofpoint Security Awareness, see these resources. 

Download this data sheet to find out more about Proofpoint Threat Intelligence Services.  

And visit this page on the Proofpoint website to get details about our federal solutions.