The Söze Syndicate's Business Email Compromise: A Growing Threat for SMBs

In a newly uncovered campaign, a major cyber threat group, known as the Söze Syndicate, has emerged as a key player in the ongoing evolution of Business Email Compromise (BEC) attacks. The group has been exploiting security gaps in small and medium businesses (SMBs), leveraging sophisticated tactics like adversary-in-the-middle (AiTM) and account takeover (ATO) attacks to bypass even advanced defenses.

Throughout 2024, BEC-related incidents surged by a staggering 558%, according to the Todyl MXDR team, with the Söze Syndicate leading the charge. Unlike traditional malware-based attacks, this group relies heavily on exploiting human error, trust, and weak identity defenses. With many SMBs still lacking Identity Threat Detection and Response (ITDR) solutions, the group has been able to exploit these vulnerabilities with alarming precision.

One particularly insidious tactic involved the use of cloned servers and trusted proxy services like Cloudflare to disguise phishing lures, enabling the group to bypass security gateways and URL filters. By combining telemetry from Microsoft 365 and Azure, the Todyl team revealed a sprawling identity attack infrastructure spanning multiple ISPs across the U.S. and internationally—evidence of a well-funded and operationally mature group.

The syndicate has displayed high levels of patience, using a "low and slow" approach that makes detection difficult. The tactics often include session hijacking, the installation of rogue applications, and leveraging trusted internal services like SharePoint to carry out phishing attacks. The threat actors even employ various service providers for specific stages of their operations, switching between initial compromises, monitoring, and lateral movement within compromised systems.

In response to this growing threat, Todyl recommends enforcing multi-factor authentication (MFA), though it acknowledges that AiTM attacks can still bypass it. The team stresses the importance of ITDR, Secure Access Service Edge (SASE) solutions, and having a capable Managed Detection and Response (MDR) provider that can correlate identity activity across multiple platforms. This combination of advanced detection and visibility is crucial for early intervention, allowing organizations to revoke unauthorized access and prevent financial losses.
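The cross-platform correlation Todyl recommends can be sketched as a small rule set: flag a session that reappears from a different ISP without a fresh MFA challenge (the shape of a replayed AiTM-captured token), then treat any application consent granted from that session as rogue. The code below is an added illustration, not Todyl's or the report's own detection logic; the event field names (`session`, `asn`, `kind`, `mfa`, `app`), the allow-list and the sample records are constructed assumptions standing in for Microsoft 365 / Entra sign-in and audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events standing in for Microsoft 365 / Entra sign-in and
# audit records; the field names are assumptions, not the real log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "cfo@example.com", "session": "S1",
     "asn": "AS-ISP-A", "kind": "signin", "mfa": True},
    # Same session presented minutes later from a different ISP with no fresh
    # MFA challenge: what a replayed AiTM-captured session token looks like.
    {"ts": "2024-05-01T09:03:00", "user": "cfo@example.com", "session": "S1",
     "asn": "AS-ISP-B", "kind": "signin", "mfa": False},
    {"ts": "2024-05-01T09:10:00", "user": "cfo@example.com", "session": "S1",
     "asn": "AS-ISP-B", "kind": "app_consent", "app": "Mail Sync Helper"},
    {"ts": "2024-05-01T10:00:00", "user": "ap@example.com", "session": "S2",
     "asn": "AS-ISP-A", "kind": "signin", "mfa": True},
]

KNOWN_APPS = {"Microsoft Teams", "Outlook"}  # assumed tenant allow-list


def correlate(events, window=timedelta(hours=1), known_apps=KNOWN_APPS):
    """Return (user, session, reason) findings from identity events."""
    seen = defaultdict(list)   # session -> [(timestamp, asn)] of earlier sign-ins
    suspicious = set()         # sessions already judged hijacked
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        ts, sid = datetime.fromisoformat(e["ts"]), e["session"]
        if e["kind"] == "signin":
            # Same session, different network inside the window, no re-authentication.
            moved = any(a != e["asn"] and ts - t <= window for t, a in seen[sid])
            if moved and not e["mfa"]:
                suspicious.add(sid)
                findings.append((e["user"], sid, "session reused from another ISP "
                                 "without a fresh MFA challenge (possible AiTM token replay)"))
            seen[sid].append((ts, e["asn"]))
        elif e["kind"] == "app_consent":
            if sid in suspicious:
                findings.append((e["user"], sid,
                                 f"consent to '{e['app']}' granted from a suspicious session"))
            elif e["app"] not in known_apps:
                findings.append((e["user"], sid,
                                 f"consent to application outside allow-list: '{e['app']}'"))
    return findings


def sessions_to_revoke(findings):
    """Sessions an analyst would revoke (refresh tokens, app consent) on review."""
    return {sid for _, sid, _ in findings}
```

Running `correlate(EVENTS)` yields two findings for the CFO's session S1 (the ISP change without MFA, then the consent granted from it) and none for the accounts-payable user, so `sessions_to_revoke` returns only `{"S1"}`.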

As BEC attacks continue to evolve, particularly with the involvement of sophisticated threat groups like the Söze Syndicate, SMBs must enhance their defenses to stay ahead. With a proactive approach that combines ITDR and intelligent monitoring solutions, the threat of BEC can be significantly mitigated, ensuring that businesses can navigate this challenging landscape with greater confidence.