Microsoft: BEC Attackers Evade 'Impossible Travel' Flags With Residential IP Addresses


Mar 13, 2022
Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks by buying locally generated IP addresses to mask the origin of their login attempts, thus circumventing the common "impossible travel" security detection, Microsoft is warning.

An impossible travel flag occurs when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other — for instance, if Employee A always logs on from Boston at 9 a.m., then a login attempt an hour later from Singapore would raise a red flag. However, masking the actual origin IP address from which a malicious task is coming provides "the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts" from anywhere, Microsoft researchers wrote in a blog post.

Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed.
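To make the detection the article describes concrete, here is an added example (not from Microsoft or the article) run over constructed sign-in events: the impossible-travel check flags the Boston-to-Singapore pair, while a login from a Boston-area residential IP passes it, which is why a second signal such as a previously unseen network (ASN) for the user is worth keeping beside the speed check. The event fields, speed threshold and ASN values are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # roughly airliner cruising speed; tune for your environment

# Constructed sample sign-in events with pre-resolved geolocation and ASN (not real log data).
EVENTS = [
    {"user": "alice", "ts": "2022-03-13T09:00:00", "ip": "203.0.113.10", "lat": 42.36, "lon": -71.06, "asn": 64500},  # Boston, usual ISP
    {"user": "alice", "ts": "2022-03-13T10:00:00", "ip": "198.51.100.7", "lat": 1.35, "lon": 103.82, "asn": 64511},   # Singapore, one hour later
    {"user": "bob",   "ts": "2022-03-13T09:00:00", "ip": "203.0.113.20", "lat": 42.36, "lon": -71.06, "asn": 64500},  # Boston, usual ISP
    {"user": "bob",   "ts": "2022-03-13T10:00:00", "ip": "192.0.2.55",   "lat": 42.40, "lon": -71.10, "asn": 64512},  # Boston-area residential IP, new ASN
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh."""
    last, flags = {}, []
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Same timestamp from two distant places is also impossible; avoid division by zero.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                flags.append((ev["user"], prev["ip"], ev["ip"], round(speed)))
        last[ev["user"]] = ev
    return flags

def new_network(events):
    """Complementary signal: a sign-in from an ASN never seen before for that user.
    A residential proxy near the user's usual location passes the speed check but still changes the ASN."""
    seen, flags = {}, []
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        asns = seen.setdefault(ev["user"], set())
        if asns and ev["asn"] not in asns:
            flags.append((ev["user"], ev["ip"], ev["asn"]))
        asns.add(ev["asn"])
    return flags

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("new network:", new_network(EVENTS))
```

Bob's second login is invisible to the speed check but surfaces in the ASN check; in practice the ASN baseline would be built from weeks of history rather than a single prior event.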
