A closer look at how credential theft is reshaping BEC attacks and what businesses need to do now to stay ahead.
Attacks are no longer limited to spoofed emails
Business Email Compromise (BEC) used to rely on tricking users with fake invoice requests or urgent emails from impersonated executives. While those tactics still exist, the landscape is shifting.
Attackers are increasingly using infostealer malware—lightweight programs that quietly extract saved browser credentials, cookies, and tokens. Once installed, even briefly, these tools give attackers access to real email accounts, often without triggering alarms.
The result is a growing wave of BEC attacks that don’t spoof anyone—they use actual inboxes.
What’s happening behind the scenes
Infostealer logs are bought and sold on dark web marketplaces. They include usernames, passwords, session cookies, and autofill data harvested from infected machines—often without detection. Once attackers gain access to a business email account, they monitor conversations, create hidden inbox rules, and impersonate internal stakeholders or vendors to redirect payments or initiate fraudulent transfers. These messages originate from real accounts, making them far harder to detect than traditional spoofing attempts.
Why this matters now
The surge in infostealer use has created a supply chain of compromise: initial infection, credential resale, and ultimately a targeted BEC attack. Many businesses discover the problem only after money is lost, a vendor relationship is damaged, or legal exposure surfaces.
Traditional email security filters don’t stop this. Once credentials are stolen, attackers bypass filtering entirely by logging in directly. While multifactor authentication (MFA) can help, inconsistent enforcement and token-based session hijacking can reduce its effectiveness.
What organizations should do next
Organizations should begin by enforcing MFA across all cloud platforms and user accounts. Endpoint tools should be in place to detect infostealer activity, such as unauthorized file access or suspicious outbound connections. It’s also important to review mailbox rules for any unexpected forwarding or folder manipulation, and to disable legacy protocols like IMAP and POP3, which are often exploited in these attacks.
Teams should also consider monitoring for dark web exposure or working with vendors who alert them when their credentials appear in breach data. The earlier a compromise is detected, the better the chances of avoiding a full-blown attack.
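The mailbox-rule review recommended above can be automated. The following is an added example, not code from the original article: it triages exported mailbox rules for the patterns described (external forwarding, and rules that bury or delete payment-related mail). It assumes the rules are dicts in the Microsoft Graph messageRule shape with the moveToFolder id resolved to a folder name, an internal domain of example.com, and the constructed sample rules shown.

```python
"""Flag mailbox rules showing the BEC pattern described above: external forwarding
and rules that bury or delete payment-related mail. Rule dicts use the Microsoft
Graph messageRule shape, with moveToFolder resolved to a folder name (assumed)."""
ORG_DOMAINS = {"example.com"}  # assumed internal domain(s); adjust per tenant
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
PAYMENT_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}

def is_external(address):
    """True when the recipient's domain is not one of the organisation's."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def rule_findings(rule):
    """Return the reasons a rule looks like BEC tradecraft (empty if none)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    # 1. Forwarding or redirecting to an address outside the organisation
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key, []):
            addr = rcpt.get("emailAddress", {}).get("address", "")
            if addr and is_external(addr):
                findings.append(f"{key} external: {addr}")
    # 2. Hiding mail: move to a rarely read folder, delete, or mark as read
    dest = actions.get("moveToFolder", "")
    if dest.lower() in HIDING_FOLDERS:
        findings.append(f"moveToFolder hides mail in '{dest}'")
    for flag in ("delete", "permanentDelete", "markAsRead"):
        if actions.get(flag):
            findings.append(flag)
    # 3. Payment keywords alone are normal; combined with 1 or 2 they are not
    words = {w.lower() for k in ("subjectContains", "bodyContains",
             "bodyOrSubjectContains") for w in conditions.get(k, [])}
    hits = sorted(words & PAYMENT_WORDS)
    if hits and findings:
        findings.append(f"targets payment keywords: {hits}")
    return findings

def triage(rules):
    """Map displayName -> findings for every rule that has at least one."""
    return {r["displayName"]: f for r in rules for f in [rule_findings(r)] if f}

SAMPLE_RULES = [  # constructed sample data, not from any real mailbox
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["Invoice", "wire"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Backup", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@external.example"}}]}},
]
```

Running `triage(SAMPLE_RULES)` reports the "." and "Backup" rules and leaves the benign newsletter rule alone; in practice the findings for each mailbox would be fed into a ticket or SIEM alert rather than printed.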