BEC Isn't an Email Problem. It's a Supply Chain.

Underground forums show Business Email Compromise as a multi-stage operation — account access, target research, and mules — not a clever phishing lure.

Rufus Mellow · 2 min read

Business Email Compromise gets filed under "phishing" the way SQL injection gets filed under "web bugs." Technically true. Wildly incomplete.

The FBI's IC3 has BEC sitting at the top of the financial-loss charts for years now, with reported losses past $50 billion globally since 2013. That number doesn't come from clever Nigerian-prince emails. It comes from a working criminal supply chain.

Look at the underground forums and the shape of the operation gets clear fast.

Stage one: access. Initial Access Brokers sell credentials to corporate mailboxes by the bundle. Microsoft 365 and Google Workspace tenants go for double or triple the price of consumer accounts, because the buyer already knows what they want to do with them. A lot of that inventory comes from infostealer logs — Redline, Lumma, StealC — dumped into Telegram channels and forum threads. Session cookies are the prize. They sidestep MFA the same way a stolen JWT sidesteps a login form.

Stage two: reconnaissance. Once inside, the attacker doesn't blast the org. They read. Invoice threads, vendor relationships, the CFO's travel schedule, who signs off on wire transfers under what threshold. Forum posts openly trade tips on which industries pay fastest and which banks question large transfers least. This is the part defenders consistently underweight. It's not a technical exploit; it's patience.

Stage three: the pivot. Two common plays. Either the attacker spins up a lookalike domain (rnellow.com vs. mellow.com) and injects themselves into an existing invoice thread, or they send from the real compromised mailbox and quietly add an Outlook rule that routes replies to RSS Feeds or Archive. Classic.
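One way to catch the lookalike-domain pivot described above from the defender's side, as an added example that is not code from the original post. It flags the rnellow.com vs. mellow.com substitution and generalises it to other confusable sequences, a few Cyrillic homoglyphs, single-character typos and a brand name embedded in a longer label. The watchlist, the homoglyph table and NEW_DOMAINS are constructed; NEW_DOMAINS stands in for what a CT-log watcher would hand over, and the public-suffix handling is deliberately naive (single-label TLDs only).

```python
"""Flag lookalike domains against a watchlist of your own and your vendors' domains.

Added example, not from the original post. Assumes single-label TLDs and a
hand-picked watchlist; a production version would use the public suffix list
and a full Unicode confusables table.
"""
import unicodedata

# Hypothetical watchlist: your brand plus the vendors whose invoices you pay.
WATCHLIST = ["mellow.com", "acme-billing.com", "northwind.net"]

# Multi-character sequences first, so "rn" collapses to "m" before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Small Cyrillic-to-Latin homoglyph table; the real one is far longer.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}

# Constructed input, in the shape a CT-log watcher would emit.
NEW_DOMAINS = [
    "rnellow.com",          # rn -> m
    "mellow.com",           # your own domain, must not be flagged
    "mellow.co",            # same label, different TLD
    "acmebilling.com",      # hyphen dropped
    "mellow-invoices.net",  # brand embedded in a longer label
    "m\u0435llow.com",      # Cyrillic 'е' in place of Latin 'e'
    "example.org",          # unrelated
]


def normalize_label(label: str) -> str:
    """Fold a label to the form a human eye would read it as."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def second_level(domain: str) -> str:
    """Return the label left of the TLD (naive: assumes a one-label TLD)."""
    parts = domain.strip().rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, watchlist=WATCHLIST):
    """Return (watched_domain, reason) for a lookalike, or None if it is clean."""
    cand = candidate.strip().rstrip(".").lower()
    if cand in watchlist:
        return None  # exact match: this is your own or your vendor's domain
    cand_label = second_level(cand)
    cand_norm = normalize_label(cand_label)
    for watched in watchlist:
        w_label = second_level(watched)
        w_norm = normalize_label(w_label)
        if cand_label == w_label:
            return (watched, "tld-swap")
        if cand_norm == w_norm:
            return (watched, "confusable")
        if levenshtein(cand_label, w_label) == 1:
            return (watched, "typo")
        if len(w_norm) >= 5 and w_norm in cand_norm:
            return (watched, "embedded")
    return None


def scan(domains, watchlist=WATCHLIST):
    """Run classify() over a batch and return (domain, watched, reason) hits."""
    hits = []
    for d in domains:
        verdict = classify(d, watchlist)
        if verdict:
            hits.append((d, *verdict))
    return hits


if __name__ == "__main__":
    for domain, watched, reason in scan(NEW_DOMAINS):
        print(f"{domain:24} looks like {watched:18} ({reason})")
```

The order of checks matters: an identical label under another TLD is reported as a TLD swap before the normalised comparison runs, and the embedded-brand rule only fires for watchlist labels of five or more characters so short names do not match everything. Feed it the daily CT diff and route the hits to whoever owns vendor onboarding.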

Stage four: cash-out. Money mules, crypto off-ramps, and a rotating set of "drop" bank accounts. Forums advertise mule networks the way SaaS vendors advertise uptime.

So what actually helps?

  • Treat infostealer infections as identity incidents, not malware incidents. If a corporate cookie hit a log, that session is burned. Revoke it.
  • Monitor for lookalike domain registrations against your own brand and your top vendors. CT logs are free.
  • Out-of-band verification for any payment instruction change. A phone call to a known number. Not a reply to the email.
  • Hunt for malicious inbox rules. Microsoft's own Defender for Office 365 surfaces these, and so does a five-line Graph API script.
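The inbox-rule hunt from the last bullet, written out as an added example rather than code from the original post. It takes the JSON shape Microsoft Graph returns from the messageRules endpoint on a mailbox's inbox and flags rules that divert, hide or delete mail, then annotates those with what they filter (finance threads, security alerts), whether they mark mail read, and whether the rule name is the one-character kind attackers use. The payload and the folder map are constructed; in practice `moveToFolder` carries an opaque folder id, so the id-to-name map comes from the mailFolders endpoint, and the tenant domain list is an assumption.

```python
"""Triage Exchange Online inbox rules for the patterns BEC actors leave behind.

Added example, not from the original post. Input is the JSON a Graph call to
/users/{id}/mailFolders/inbox/messageRules returns; everything below is a
constructed sample of that shape.
"""
import json

INTERNAL_DOMAINS = {"mellow.com"}  # hypothetical tenant domains
HIDING_FOLDERS = {"rss feeds", "archive", "deleted items", "junk email", "conversation history"}
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank", "swift", "iban"}
ALERT_TERMS = {"password", "sign-in", "security", "mfa", "suspicious"}

# Constructed: trimmed result of the mailFolders call, id -> displayName.
FOLDER_NAMES = {"AAMkADfolder-rss": "RSS Feeds", "AAMkADfolder-news": "Newsletters"}

# Constructed Graph response with four rules: two malicious, one benign, one destructive.
SAMPLE_PAYLOAD = json.dumps({"value": [
    {"id": "r1", "displayName": ".", "sequence": 1, "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire transfer", "payment"]},
     "actions": {"moveToFolder": "AAMkADfolder-rss", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Vendor sync", "sequence": 2, "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap-mellow@example.net"}}]}},
    {"id": "r3", "displayName": "Newsletters", "sequence": 3, "isEnabled": True,
     "conditions": {"subjectContains": ["digest"]},
     "actions": {"moveToFolder": "AAMkADfolder-news"}},
    {"id": "r4", "displayName": "Clean up", "sequence": 4, "isEnabled": True,
     "conditions": {"subjectContains": ["password reset", "suspicious sign-in"]},
     "actions": {"delete": True}},
]})


def _terms_in(values, terms):
    """Return the watch terms that appear anywhere in the rule's match strings."""
    text = " ".join(values).lower()
    return sorted(t for t in terms if t in text)


def assess_rule(rule, folder_names=FOLDER_NAMES, internal_domains=INTERNAL_DOMAINS):
    """Return a list of finding tags for one messageRule; empty means nothing odd."""
    findings = []
    actions = rule.get("actions") or {}
    conds = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()

    # 1. Mail leaving the tenant: forward/redirect to an address outside our domains.
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            domain = addr.rsplit("@", 1)[-1]
            if domain and domain not in internal_domains:
                findings.append(f"{key}-external:{addr}")

    # 2. Mail hidden in a folder nobody reads, or deleted outright.
    dest = folder_names.get(actions.get("moveToFolder", ""), "")
    if dest.lower() in HIDING_FOLDERS:
        findings.append(f"hides-in:{dest}")
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("deletes")

    # 3. Only once a rule diverts or destroys mail do we care what it filters on.
    if findings:
        watched = []
        for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
            watched += conds.get(key) or []
        finance = _terms_in(watched, FINANCE_TERMS)
        alerts = _terms_in(watched, ALERT_TERMS)
        if finance:
            findings.append("targets-finance:" + ",".join(finance))
        if alerts:
            findings.append("targets-alerts:" + ",".join(alerts))
        if actions.get("markAsRead"):
            findings.append("marks-read")
        if len(name) <= 2:
            findings.append(f"suspicious-name:{name!r}")
        if not rule.get("isEnabled", True):
            findings.append("disabled")  # dormant, but someone put it there
    return findings


def hunt(payload_json, folder_names=FOLDER_NAMES, internal_domains=INTERNAL_DOMAINS):
    """Parse a messageRules response and return (displayName, findings) for flagged rules."""
    rules = json.loads(payload_json).get("value", [])
    flagged = []
    for rule in rules:
        findings = assess_rule(rule, folder_names, internal_domains)
        if findings:
            flagged.append((rule.get("displayName", ""), findings))
    return flagged


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_PAYLOAD):
        print(f"rule {name!r}: " + "; ".join(findings))
```

Keyword matches are deliberately not findings on their own: a rule that files invoices into an "Invoices" folder is normal, while the same condition paired with "RSS Feeds", a delete, or an external forward is the Stage-three pattern. Run it per mailbox on a schedule and diff against the previous run; a rule that appears between runs on a finance user's mailbox is worth a phone call.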

None of this is novel. It's hygiene, applied to the right layer. BEC keeps working because organizations defend the inbox and ignore the supply chain feeding it.

The attackers figured that out a decade ago. The forums are not subtle about it.

© 2026 Threat Vectr