Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Payload-less BEC in public sector procurement: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Public sector procurement and finance teams are facing a BEC pattern that uses impersonation, lookalike domains, Reply-To manipulation, and AI-generated content to evade payload-centric defenses, with Proofpoint citing 40% of attacks using AI-generated content and BEC accounting for 73% of reported cyber incidents in 2024. Static detection is no longer enough when the attack is the conversation itself.

NHIMG editorial — based on content published by Proofpoint: analysis of a payload-less BEC campaign targeting public sector procurement teams

By the numbers:

Questions worth separating out

Q: How should security teams detect business email compromise without relying on payloads?

A: They should use behavioural signals such as sender history, thread context, request timing, and relationship baselines.

Q: Why do traditional email security tools miss payload-less BEC attacks?

A: Traditional tools are built to detect malware, links, and known infrastructure.

Q: How do security teams know whether BEC controls are actually working?

A: Look for fewer successful fraudulent approvals, faster reporting of suspicious requests, and lower dependence on email content alone for decision-making.

Practitioner guidance

  • Strengthen sender and reply-chain verification Correlate display name, sending domain, Reply-To header, and recent domain registration age before allowing procurement mail to reach users who can move money or approve suppliers.
  • Add behavioural risk scoring for clean-content email Use relationship history, sender rarity, and organisational context to score messages that contain no malware or links but request sensitive business actions.
  • Require out-of-band payment validation Mandate callback verification for bank detail changes, quote requests, and supplier onboarding updates using a known contact method outside the email thread.

What's in the full article

Proofpoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact header and domain signals used to score the lookalike message as BEC, including the From and Reply-To mismatch.
  • The relationship-graph and threat-intelligence logic behind the block decision, which shows how contextual email analysis works in practice.
  • The content-analysis indicators tied to the agency’s PDF tagging behaviour, useful for teams tuning deeper inspection.
  • The campaign history and actor tracking details that show why prior intelligence mattered to detection.

👉 Read Proofpoint's analysis of payload-less BEC in public sector procurement →

Payload-less BEC in public sector procurement: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Payload-less BEC exposes a design false negative in email security: many controls are still built to detect malicious code, not fraudulent intent. When the message is the attack and there is no payload, organisations are left with a blind spot that signature-based tooling cannot close. Practitioners should treat this as a workflow assurance problem, not just an email filtering problem.

A question worth separating out:

Q: Who is accountable when a BEC request is sent through a trusted business workflow?

A: Accountability sits with the organisation that owns the approval path, not just the email gateway. Security, finance, procurement, and internal control owners all share responsibility for making sure payment changes, supplier updates, and contract actions require independent validation beyond the email thread.

👉 Read our full editorial: Payload-less BEC is slipping past static defenses in public sector email



   
ReplyQuote
Share: