
Same VPNs, Same Registrars, Same Playbook

What Recent BEC Investigations Reveal About Attacker Infrastructure

Across recent Business Email Compromise investigations, we observed the same infrastructure, registrars, and automation tooling reused across unrelated victims. These patterns appeared consistently enough to be operationally useful for defenders, not as attribution signals but as early detection indicators.

Business email compromise remains one of the most financially damaging attack types facing organizations. According to the FBI 2024 Internet Crime Report, BEC accounted for over $55 billion in fraud over the past 5 years (2020 – 2024).

This post documents repeatable patterns observed during real incident response work. The goal is educational. These indicators help defenders detect BEC activity earlier in the attack lifecycle, before payment redirection, data theft, or secondary targeting occurs.

VPN and Proxy Services Used by Threat Actors

One of the most immediate challenges in BEC investigations is attribution. Threat actors routinely route their activity through VPN and proxy services to obscure where attacks originate. In recent engagements, we’ve seen the same providers appear again and again:

  • VPN services: ExpressVPN, NordVPN, Private Internet Access (PIA), HideMyAss, SonicWall VPN
  • Proxy services: Oxylabs, BigMama Proxy, IPRoyal

These are widely used commercial services, which is why threat actors favor them. Most VPN providers let users select servers in specific cities or regions, meaning an attacker can route traffic through the same geographic area as the target organization’s office and bypass geofencing rules entirely. While attribution remains difficult, detection doesn’t need to be.

What to watch for:

Authentication events originating from known VPN/proxy IP ranges, especially when combined with unusual login times, impossible travel scenarios, or access to sensitive mailbox data shortly after initial authentication.

Domain Registrars Used for Brand Impersonation

Once access is obtained or while preparing for a phishing campaign, threat actors frequently register lookalike domains to impersonate an organization. These domains are used for credential harvesting, payment redirection, and downstream phishing of the victim’s contacts and clients.

The registrars we see most often in these campaigns include:

  • Hostinger
  • NameCheap, Inc.
  • NameSilo, LLC
  • Network Solutions LLC
  • Tucows Domains Inc.
  • Wild West Domains, LLC
  • Squarespace Domains II LLC

The common factors are low cost, fast provisioning, and privacy-protected WHOIS records. Threat actors can stand up a convincing impersonation domain in minutes and maintain anonymity for the duration of their campaign.

What to watch for:

Newly registered domains that resemble your organization’s primary domain or key vendor domains, especially those using common typosquatting techniques like the examples below.

Common Typosquatting Techniques

Technique                          | Description                                                                   | Legitimate Domain | Spoofed Example
-----------------------------------|-------------------------------------------------------------------------------|-------------------|-----------------------------------
Character substitution             | Swapping visually similar letters or numbers                                  | acmebank.com      | acrnebank.com ("rn" mimics "m")
Double letter/character insertion  | Adding an extra repeated letter or trailing "s" that readers tend to skip over | acmebank.com      | acmeebank.com, acmebanks.com
Hyphenation                        | Inserting hyphens to break up a brand name                                    | acmebank.com      | acme-bank.com
TLD swap                           | Registering the same name under a different TLD                               | acmebank.com      | acmebank.net, acmebank.org
Subdomain spoofing                 | Placing the brand name as a subdomain of an unrelated domain                  | acmebank.com      | acmebank.secure-login.com
Vowel/character omission           | Dropping a letter that many readers won’t notice                              | acmebank.com      | acmebnk.com
Character transposition            | Swapping the order of adjacent letters                                        | acmebank.com      | acmebnak.com
Keyword addition                   | Appending trust-signaling words to the brand                                  | acmebank.com      | acmebank-secure.com
Combosquatting                     | Appending a related service or product term                                   | acmebank.com      | acmebankonline.com

Threat actors often combine multiple techniques in a single domain to increase the chances of deceiving recipients, particularly in invoice fraud and credential harvesting scenarios.
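The table above is easy to turn into a triage rule for a newly-registered-domain feed. The following Python is an added example written for this post, not IDX tooling: given your protected domain, it labels each candidate with the technique from the table that it appears to use, so a watchlist alert can say why a domain looks suspicious rather than only that it does. The protected domain, the confusable-character map, the trust-word list and the sample feed are all constructed placeholders, and the label splitting assumes a single-label TLD (it does not understand public-suffix TLDs such as co.uk).

```python
from typing import List, Optional, Tuple

# Constructed placeholder: the domain you are protecting (matches the table above).
PROTECTED = "acmebank.com"

# Constructed, non-exhaustive map of visually confusable sequences -> what they mimic.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s"}

# Constructed list of trust-signaling words (anything else appended is treated as combosquatting).
TRUST_WORDS = {"secure", "login", "verify", "account", "support"}


def _split(domain: str) -> Tuple[List[str], str]:
    """Return (host labels, tld). Assumes a single-label TLD, e.g. 'com', not 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[:-1], labels[-1]


def _fold(label: str) -> str:
    """Collapse confusable sequences so 'acrnebank' compares equal to 'acmebank'."""
    for seq, rep in CONFUSABLES.items():
        label = label.replace(seq, rep)
    return label


def classify(candidate: str, protected: str = PROTECTED) -> Optional[str]:
    """Name the typosquatting technique `candidate` uses against `protected`, or None if it
    is the protected domain itself (or a legitimate subdomain of it) or unrelated."""
    p_labels, p_tld = _split(protected)
    c_labels, c_tld = _split(candidate)
    brand = p_labels[-1]      # registrable label of the protected domain, e.g. "acmebank"
    c_sld = c_labels[-1]      # registrable label of the candidate

    if c_sld == brand:
        # Same registrable label: legitimate (possibly a subdomain) unless the TLD differs.
        return None if c_tld == p_tld else "TLD swap"
    if brand in c_labels[:-1]:
        # Brand appears as a subdomain of some other registrable domain.
        return "subdomain spoofing"
    if "-" in c_sld and c_sld.replace("-", "") == brand:
        return "hyphenation"
    if _fold(c_sld) == _fold(brand):
        return "character substitution"
    n = len(brand)
    if len(c_sld) == n + 1 and any(c_sld[:i] + c_sld[i + 1:] == brand for i in range(n + 1)):
        return "double letter/character insertion"
    if len(c_sld) == n - 1 and any(brand[:i] + brand[i + 1:] == c_sld for i in range(n)):
        return "vowel/character omission"
    if len(c_sld) == n and any(
        brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:] == c_sld for i in range(n - 1)
    ):
        return "character transposition"
    if brand in c_sld:
        # Brand is intact with something bolted on; classify by what was added.
        extra = c_sld.replace(brand, "", 1).strip("-")
        return "keyword addition" if extra in TRUST_WORDS else "combosquatting"
    return None


def triage(new_domains: List[str], protected: str = PROTECTED) -> List[Tuple[str, str]]:
    """Filter a newly-registered-domain feed down to (domain, technique) pairs worth an alert."""
    hits = []
    for d in new_domains:
        technique = classify(d, protected)
        if technique:
            hits.append((d, technique))
    return hits


# Constructed sample feed: the table's examples plus two benign names.
SAMPLE_FEED = [
    "acrnebank.com", "acmeebank.com", "acmebanks.com", "acme-bank.com", "acmebank.net",
    "acmebank.secure-login.com", "acmebnk.com", "acmebnak.com", "acmebank-secure.com",
    "acmebankonline.com", "www.acmebank.com", "example.com",
]

if __name__ == "__main__":
    for domain, technique in triage(SAMPLE_FEED):
        print(f"{domain:28} {technique}")
```

Run as a script it prints the ten table examples with their technique and drops the two benign names. Because the checks are ordered from most specific to least, a domain that combines techniques gets the first label that fits; for a monitoring pipeline that is enough, since the goal is to route the domain to a human or a takedown request, not to enumerate every trick it uses.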

Suspicious User-Agent Strings in Authentication Logs

One of the most consistent low-level signals we observed involved User-Agent strings associated with programmatic access. Specifically, we’ve observed repeated appearances of axios library User-Agents during suspicious authentication and data access events matching the pattern: axios/1.* (versions observed in our investigations include 1.7.3, 1.7.5, 1.7.7, and 1.7.9, though threat actors frequently update to newer releases).

Axios is a common JavaScript HTTP client used by developers. Its presence alone is not malicious. However, when it shows up in your Azure AD sign-in logs or Microsoft 365 unified audit logs, and it is not tied to a known internal application, it deserves immediate scrutiny.

Attackers use automation built on libraries like axios to scale mailbox access, exfiltrate data, and set up mail forwarding rules at scale. This observation aligns with prior research from Field Effect, which first documented the use of axios User-Agent strings in adversary-in-the-middle (AiTM) campaigns targeting Microsoft 365.

What to watch for:

Axios User-Agent strings in sign-in and unified audit logs, particularly when correlated with VPN/proxy source IPs, access to mail read or send operations, or mailbox rule creation events.
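The two "what to watch for" items in this post (VPN/proxy-sourced sign-ins and unbaselined axios User-Agents) share one detection shape: flag the sign-in, then look for sensitive mailbox operations by the same user shortly afterwards. The Python below is an added example for this post, not IDX's detection content, and shows that correlation over constructed sign-in and audit records. The VPN/proxy ranges are TEST-NET placeholders standing in for a real provider or threat-intel feed, the internal-application allowlist is invented, and the operation names are assumed to match how your log source names inbox-rule, permission and mail-access events.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed placeholders (TEST-NET blocks): replace with your VPN/proxy IP feed.
VPN_PROXY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed allowlist: User-Agent prefixes of internal automation you have already baselined.
KNOWN_INTERNAL_UAS = ("axios/1.6.8 internal-hr-sync",)

# The pattern from the post: any axios 1.x release.
AXIOS_UA = re.compile(r"^axios/1\.\d+(?:\.\d+)?\b")

# Follow-on operations that turn a suspicious sign-in into an incident
# (assumed to match the unified audit log operation names in your tenant).
SENSITIVE_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission", "MailItemsAccessed"}
WINDOW = timedelta(minutes=60)   # how long after the sign-in to look for follow-on activity


def is_vpn_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_PROXY_RANGES)


def is_unknown_axios(user_agent: str) -> bool:
    """True for an axios/1.* User-Agent that is not one of the baselined internal apps."""
    return bool(AXIOS_UA.match(user_agent)) and not user_agent.startswith(KNOWN_INTERNAL_UAS)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(signins: List[Dict], audit: List[Dict]) -> List[Dict]:
    """Return one finding per sign-in that is VPN/proxy-sourced or uses an unbaselined axios UA,
    enriched with the sensitive audit operations the same user performed within WINDOW."""
    findings = []
    for s in signins:
        reasons = []
        if is_vpn_ip(s["ip"]):
            reasons.append("vpn_or_proxy_source")
        if is_unknown_axios(s["user_agent"]):
            reasons.append("unbaselined_axios_user_agent")
        if not reasons:
            continue
        t0 = _ts(s["time"])
        follow_on = sorted(
            a["operation"] for a in audit
            if a["user"] == s["user"]
            and a["operation"] in SENSITIVE_OPS
            and t0 <= _ts(a["time"]) <= t0 + WINDOW
        )
        # Both signals plus sensitive follow-on activity is the strongest BEC indicator here.
        severity = "high" if follow_on and len(reasons) == 2 else "medium" if follow_on else "low"
        findings.append({"user": s["user"], "ip": s["ip"], "reasons": reasons,
                         "follow_on": follow_on, "severity": severity})
    return findings


# Constructed sample records in a simplified sign-in / audit-log shape.
SIGNINS = [
    {"time": "2025-01-15T03:12:00Z", "user": "cfo@example.com", "ip": "203.0.113.45",
     "user_agent": "axios/1.7.9"},
    {"time": "2025-01-15T09:00:00Z", "user": "alice@example.com", "ip": "192.0.2.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"time": "2025-01-15T09:05:00Z", "user": "svc-hr@example.com", "ip": "192.0.2.20",
     "user_agent": "axios/1.6.8 internal-hr-sync"},
]
AUDIT = [
    {"time": "2025-01-15T03:20:00Z", "user": "cfo@example.com", "operation": "MailItemsAccessed"},
    {"time": "2025-01-15T03:41:00Z", "user": "cfo@example.com", "operation": "New-InboxRule"},
    {"time": "2025-01-15T09:10:00Z", "user": "alice@example.com", "operation": "MailItemsAccessed"},
]

if __name__ == "__main__":
    for f in correlate(SIGNINS, AUDIT):
        print(f["severity"].upper(), f["user"], f["ip"], ",".join(f["reasons"]), f["follow_on"])
```

On the sample data only the 03:12 sign-in is reported: it comes from a placeholder VPN range, carries an unbaselined axios User-Agent, and is followed within the hour by mail access and a new inbox rule, so it scores high. The baselined HR automation is ignored even though it is axios, which is the point of item 4 in the recommendations: baseline first, then alert on what is left.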

Recommendations

Given these findings, organizations should consider implementing the following security controls:

  1. Enforce phishing-resistant authentication. Require FIDO2, WebAuthn, or certificate-based authentication for privileged and high-value mailboxes. Push- and SMS-based MFA fails against adversary-in-the-middle tooling. For a deeper look at why MFA alone is not enough, see our previous post on MFA Bypass Attacks: Why MFA is Not a CYA.
  2. Monitor for VPN- and proxy-sourced sign-ins. Many SIEM and identity platforms can flag sign-ins from commercial VPN and proxy ranges. Build detection rules that correlate VPN-sourced authentication with sensitive actions like mail forwarding rule creation, delegate access changes, or bulk mail downloads.
  3. Implement proactive domain monitoring. Detect lookalike domain registrations in near real time and initiate takedown activity before campaigns launch. If you want more information on IDX’s domain monitoring and takedown services, contact the IDX Readiness team.
  4. Baseline your User-Agent landscape. Know which User-Agent strings are normal in your environment. Unexpected programmatic access patterns, especially from libraries like axios, should generate alerts, not just log entries.
  5. Verify log retention before an incident. Sign-in logs, unified audit logs, message trace data, and inbox rule changes should all be retained and searchable. When a BEC incident occurs, these logs are the difference between a complete investigation and an incomplete one.
  6. Regularly review third-party application permissions. Threat actors frequently install applications (e.g., PerfectData Software, eM Client) on compromised accounts to exfiltrate data and maintain persistence. Limit user consent for third-party applications and require admin approval for new app installations. For more on this threat, see our post on App Attacks: The Growing Danger of App Consent Misuse in the Cloud.

Conclusion

Across unrelated BEC cases, the same patterns repeated: network obfuscation through commercial VPNs, brand impersonation via low-cost registrars, and programmatic mailbox access using common open-source libraries. These are not sophisticated techniques. They are consistent, detectable signals. Organizations that instrument around these patterns catch BEC activity earlier and limit financial exposure. The question worth asking: would your current detections have surfaced these indicators?

If your team needs help assessing your BEC exposure or responding to a compromise, contact the IDX DFIR team.
