From Reactive to Proactive: Using AI to Hunt BEC in Real Time

Business Email Compromise (BEC) attacks are notoriously hard to catch. Along with the next wave of AI-crafted phishing emails, these fall in the “uncatchable” category because they offer no giveaway clues for traditional solutions to spot.

No malware signatures, no malicious attachments, no bad links to sandbox. Only convincing, highly personal rhetoric, employees still aren’t savvy enough to catch. And with AI creating the scams, who can blame them?

In these cases, SOCs are reduced to the tedium of chasing down alerts, which only trigger after bad behavior has been identified due to a successful BEC scam. In the age of AI, is this the best we can come up with?

No. AI is just as powerful for defenders as it is for adversaries. And nowhere is that more apparent than in hunting BEC in real time. Using an AI SOC analyst platform, teams can transition from reactive to proactive approaches.

The Current Reactive Way to Catch BEC

Spotting a BEC scam requires the work of some highly skilled SOCs. As AI improves, it becomes harder to trust employees to do it.

The Odds Are Against Human Detection

AI is now responsible for creating 40% of all BEC emails, and those emails are more convincing than ever. Reuters (News - Alert) just partnered with Harvard researcher Fred Heiding to leverage major AI chatbots to craft social engineering scams specifically for seniors; unsurprisingly, it worked, despite initial programming that insisted otherwise. “You can always bypass these things,” Heiding noted.

With BEC scams easily created by even non-malicious AI models, it’s easy to see the odds are stacked against unwitting users. Hence, alerts are left to notify most SOCs when these scams appear.

Playing the Alert Game

SOCs must finely tune their environments to catch BEC attacks in their net. This looks like:

• Creating allowlists of trusted domains and triggering alerts when near-matches appear.
• Alerts when new mailbox rules are created (like one that diverts all emails containing “invoice” to an outside address).
• Alerts when logins occur from suspicious places or at unusual times.

These SIEM alerts denote low-level indicators of potentially correlated malicious activity. SOCs still have to do the manual work of correlating the notifications, eliminating duplicates and false positives, and investigating the trails to their natural end.

This reactive form of BEC sleuthing is the modus operandi for many, if not most, organizations. Even sophisticated incident response tools only correlate this at scale, but as BEC attackers are counting on, these are not the only indicators of compromise.

The Ones That Get Away

In cases of account takeover, when a threat actor has used pilfered credentials to send BEC emails as an employee (unnoticed), the only things giving away those attacks are the clues within the message itself.

And, as most users and a host of unfortunate senior citizens know, those can be incredibly hard to catch.

Enter: AI SOC platforms.

Proactively Identifying BEC Patterns Using AI

AI can be used to get ahead of these tell-tale BEC signs, instead of constantly playing catch-up.

This means spotting malicious patterns in the act and aggregating that information to save SOCs the time of having to do it themselves. This additional element – speed - is integral for turning a reactive response into a proactive approach.

For example,

• AI can scan the language of the email for workflow workarounds. Does the request break established protocols (like authenticating new customers before paying their invoices)? As AI SOC platform company Prophet Security notes, “BEC attacks frequently exploit weaknesses or gaps in business workflows.”
• Does the syntax of the sender match their typical tone? BEC scammers impersonate executives to add weight to their demands. Using AI, teams can detect whether the current message matches their known communication style.
• Are there verbal clues like “immediate action” or “pay now”? These can indicate the sender’s intent (in this case, a push for urgency), which LLMs can pick up.

Other technical patterns include all the ones included above (anomalies in location, time sent, domain, etc.); only AI-infused tools can catch those in real-time. Human analysts, on the other hand, would have to rely on finding those alerts.

It’s been cited that 62% of alerts get ignored by SOCs that just can’t keep up. Some of those are bound to be BEC-related. Understandably, 71% of practitioners are worried about missing something important under a flurry of notifications, and human teams just can’t be trusted to do it all at scale.

It’s not because they’re incapable of correctly following up on red flags; it’s simply because those flags come too hard and fast for any human team to keep up.

This leaves SOCs to play reactive Whack-a-Mole security when better tools could collect all the data they need and leave nothing to chance.

The Power of Autonomous, AI SOC Platform Response

In an AI SOC, the normal day-to-day functions of a security operations center are mimicked, only with more accuracy and at scale. Think L1 and L2 investigations:

• Gathering data (alerts, logs)
• Correlating it (with internal telemetry and external threat data)
• Deduplicating and eliminating false positives

Then, an AI SOC platform will take all that information and perform actual investigations, providing analyzed, prioritized next steps, and even doing basic remediations:

• Revoking active sessions
• Addressing CVEs
• Resetting secrets
• Removing administrator privileges
• And more

Learning from “what worked” and what didn’t, the platform will leverage its ML capabilities to get better as it goes. This means refining its ability to spot malicious BEC language patterns and doubling down on malicious domains that have appeared in BEC contexts.

It means choosing the remediation workflows that have worked in the past, and it means otherwise making the investigation and response pathway flow more smoothly.

Conclusion

As human teams reach their investigative limits, AI SOC analyst platforms pick up where they leave off. Instead of leaving practitioners to put together the BEC clues (and probably leaving out a lot), AI SOC platforms don’t make mistakes, get tired, or lose accuracy with time. They detect malicious patterns and piece that telemetry together in real-time.

In other words, they don’t miss essential BEC giveaways because they’re not stuck hunting down (or missing) alerts.

About the author:
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire (News - Alert), and many other sites.