“without building a soc from scratch. the bottom line bec hasn’t disappeared. it's matured. attackers now exploit identity infrastructure embedded inside google workspace to operate stealthily, persist longer, and move laterally across cloud environments. email is simply the e…”
T1078.004 Cloud Accounts
74%
“. modern identity detection platforms focus on exactly this type of behavior correlation, linking mailbox changes, authentication patterns, and anomalous access into a single investigative signal rather than isolated alerts. outbound abuse scales the attack once inside, attackers…”
T1098.002 Additional Email Delegate Permissions
64%
“- persistence – forwarding rules, oauth tokens, alternate access paths each stage compounds the damage and makes remediation more difficult. gmail as a lateral movement engine attackers increasingly use compromised gmail accounts to pivot into other saas platforms by abusing: - …”
T1078.004 Cloud Accounts
54%
“why bec is now an identity problem business email compromise (bec) isn’t new. but the way attackers execute it today looks radically different than it did even a few years ago. what used to be simple invoice fraud and credential phishing has evolved into multi-stage identit…”
T1078.004 Cloud Accounts
53%
“alerts - static rules but modern bec often: - uses legitimate authentication flows - avoids malware entirely - exploits platform-native features - blends into normal administrative activity - spans multiple systems and timelines single-signal detections miss multi-stage ca…”
T1586.002 Email Accounts
45%
“- persistence – forwarding rules, oauth tokens, alternate access paths each stage compounds the damage and makes remediation more difficult. gmail as a lateral movement engine attackers increasingly use compromised gmail accounts to pivot into other saas platforms by abusing: - …”
T1525 Implant Internal Image
44%
“alerts - static rules but modern bec often: - uses legitimate authentication flows - avoids malware entirely - exploits platform-native features - blends into normal administrative activity - spans multiple systems and timelines single-signal detections miss multi-stage ca…”
Summary
Modern BEC attacks now abuse Google Workspace identities. Discover why BEC is an identity problem, and learn how to secure your organization against these threats.