The Threat Taxonomy: A Working Framework to Describe Cyber Attacks

The Threat Taxonomy and BEC Attacks

BEC attacks were virtually unknown a few years ago, but have since risen to become one of the most prominent email-based threats. The FBI estimates these attacks are responsible for more than $26 billion in exposed dollar losses over the last five years. This dramatic rise can be explained from several perspectives. One is that BEC is a targeted attack: the volume is low and the individual variation is relatively high, which makes methods based on blacklisting largely irrelevant. Traditional security technologies therefore simply don't apply, leaving most mail systems vulnerable, which in turn means that the malicious emails will be delivered.

[Figure: Taxonomy of a BEC Attack]

The Threat Taxonomy and ATO Attacks

While the account takeover-based attack is relatively uncommon, it is rapidly becoming more common because it can circumvent all traditional countermeasures, whether the technique is used to infiltrate victim organizations, plant ransomware, or steal sensitive data. This is because when the criminal uses compromised accounts as launchpads to attack the contacts of the users whose accounts were compromised, the intended victims receive emails from people they have interacted with in the past.

[Figure: Taxonomy of an Account Takeover-Based Attack]

Using the Threat Taxonomy

In conclusion, there are many different email-based attacks. Their similarities and differences are best understood by breaking down the nature of the attacks, which can be done using the taxonomy we describe above. We have shown how to describe two important attacks using this taxonomy — BEC attacks and ATO attacks. These, of course, are just two examples. As cybercrime continues to grow, we’ll uncover new ways that criminals use email to target their victims, and continue to update this taxonomy.





Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.