Microsoft has posted a blog discussing a shift in business email compromise (BEC) tactics toward the use of residential IP addresses to make threat actors’ emails more convincing to victims. By acquiring a residential IP address alongside account credentials from the victim, criminals can make it more difficult for network defenders to track malicious activity. For example, this tactic is notably effective at confounding detection of “impossible logins.” The article notes the observed popularity of this tactic among Asian and Eastern European threat actors and identifies specific services that BEC threat actors use.
To counter BEC, Microsoft recommends that organizations set up multifactor authentication for inboxes, set up flags for messages from external addresses, and increase employee training, among other policies. Read more at Microsoft.