Understanding Business Email Compromise
Business Email Compromise (BEC) represents one of the most financially devastating cyber threats facing organizations today. The FBI estimates that BEC attacks have cost businesses over $43 billion globally. Unlike ransomware that makes itself obvious through encrypted files and ransom notes, BEC attacks are often silent—a compromised email account sends fraudulent wire transfer requests that executives or accounts payable staff authorize without suspicion.
The challenge with BEC detection is that the attacker doesn't need to break complex security measures. They simply need to compromise a single email account, then use it to impersonate the legitimate account owner. However, even when attackers control an account, their emails often leave subtle fingerprints in the email headers that security professionals and IT administrators can detect. Learning to read these headers is a critical defensive skill.
What Email Headers Reveal
Email headers contain extensive metadata about how a message was routed through the internet, what systems processed it, and what authentication checks were performed. Headers are layered—each mail server adds its own information as the message passes through the network. This creates a forensic record of the message's journey.
Most email clients hide headers from typical users, showing only basic information like "From," "To," "Subject," and "Date." But the full headers contain dozens of fields that tell the complete story of the message's origin and path.
Red Flags in Email Headers Indicating Compromise
1. Unusual Sending Infrastructure
A compromised account typically sends emails from unusual IP addresses or mail servers that differ from normal activity patterns.
What to look for:
- Received headers from unexpected locations: A CFO whose emails normally come from company mail servers suddenly appearing to send from a residential IP address or VPN
- Unusual Received-SPF results: If the normally authenticating domain suddenly shows SPF failures, the attacker may be sending from a different server
- Mismatched mail server information: The X-Originating-IP header showing a location inconsistent with the employee's usual location
Example: Your CEO typically sends emails from the corporate mail server in New York, but a fraudulent wire transfer request comes from a residential ISP in Nigeria with different mail server hop patterns.
2. Time and Timezone Inconsistencies
Email headers include precise timestamps from each hop in the routing path. Attackers often work during different times than legitimate employees.
What to look for:
- Unusual sending times: A finance director who normally works 9-5 Eastern Time suddenly sending urgent payment requests at 2 AM EST
- Timezone mismatches: An employee whose vacation notice mentioned they'd be in Tokyo now has headers showing the email originated from Pacific Time zone servers
- Date header tampering: Multiple Received headers from different times suggesting the attacker modified the Date field to appear legitimate
Example: Your VP of Operations normally sends emails during business hours. An "urgent" wire transfer approval arrives at 3 AM with Received headers showing the message was processed during that time.
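The three timing checks above (off-hours sending, a Date header that disagrees with the Received stamps, and per-hop delays, the last of which is the "timestamp gradient" described later under Analyzing Header Field Combinations) can be scripted against raw headers with the standard library. The following is an added example, not code from the article or any vendor; the message, the home timezone offset and the working-hours window are constructed assumptions.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the article): the Date header claims the
# previous evening, the first Received stamp is 03:07 in the sender's home
# timezone, and each hop takes longer than the one before it.
RAW_MESSAGE = """\
Received: from mx.example.com ([192.0.2.10]) by mail.example.com with ESMTPS id h3; Tue, 05 Mar 2024 08:11:42 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5]) by mx.example.com with ESMTP id h2; Tue, 05 Mar 2024 08:09:02 +0000
Received: from [203.0.113.77] by relay.example.net with ESMTPSA id h1; Tue, 05 Mar 2024 08:07:31 +0000
Date: Mon, 04 Mar 2024 18:30:00 -0500
From: VP Operations <vp@example.com>
To: payments@example.com
Subject: Urgent wire approval

Please approve the attached transfer today.
"""

# Assumed baseline for this sender: US Eastern standard time as a fixed offset
# (use zoneinfo in production so daylight-saving changes are handled) and a
# working window of 08:00-18:00 local time.
HOME_TZ = timezone(timedelta(hours=-5))
WORK_HOURS = (8, 18)
MAX_DATE_SKEW = timedelta(hours=1)


def load(raw):
    """Parse raw RFC 5322 text into a Message object."""
    return message_from_string(raw)


def received_timestamps(msg):
    """Timestamps of every Received header, earliest hop first.

    Each server prepends its own Received header, so the bottom one is the first
    hop; the timestamp is the text after the last ';' (RFC 5321 trace syntax).
    """
    stamps = [parsedate_to_datetime(h.rsplit(";", 1)[-1].strip())
              for h in msg.get_all("Received", [])]
    return list(reversed(stamps))


def local_send_hour(msg, home_tz=HOME_TZ):
    """Hour of day at which the first hop accepted the message, in the sender's home timezone."""
    return received_timestamps(msg)[0].astimezone(home_tz).hour


def date_header_skew(msg):
    """First Received stamp minus the Date header; a large gap suggests a tampered Date."""
    return received_timestamps(msg)[0] - parsedate_to_datetime(msg["Date"])


def hop_delays(msg):
    """Seconds between consecutive hops; steadily growing values indicate queuing at intermediaries."""
    stamps = received_timestamps(msg)
    return [int((later - earlier).total_seconds())
            for earlier, later in zip(stamps, stamps[1:])]


def timing_findings(raw, home_tz=HOME_TZ, work_hours=WORK_HOURS, max_skew=MAX_DATE_SKEW):
    """Return human-readable timing anomalies for one message."""
    msg = load(raw)
    findings = []
    hour = local_send_hour(msg, home_tz)
    if not work_hours[0] <= hour < work_hours[1]:
        findings.append(f"first hop at {hour:02d}:xx local time, outside working hours {work_hours}")
    skew = date_header_skew(msg)
    if abs(skew) > max_skew:
        findings.append(f"Date header is {skew} away from the first Received stamp")
    delays = hop_delays(msg)
    if len(delays) >= 2 and all(b > a for a, b in zip(delays, delays[1:])):
        findings.append(f"per-hop delay grows along the path: {delays} seconds")
    return findings


if __name__ == "__main__":
    for finding in timing_findings(RAW_MESSAGE):
        print("-", finding)
```

Run against the sample, all three checks fire. The working-hours window is a per-sender parameter on purpose: a single global threshold produces noise for employees in other regions, which is the point of the baselining section later in the article.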
3. Authentication Failures and Misalignments
DMARC, SPF, and DKIM provide authentication information in email headers. When an account is compromised and the attacker logs in normally, authentication might pass, but subtle misalignments can appear.
What to look for:
- Unexpected DKIM failures: The legitimate domain's DKIM signature absent or invalid
- SPF domain misalignments: The envelope sender domain (Return-Path) differs from the visible sender domain
- DMARC fail but delivered: Messages that fail DMARC alignment yet still pass corporate filtering (suggesting the email took an unusual path or was exempted from policy)
- Authentication-Results anomalies: The authentication-results header showing unexpected pass/fail combinations
Example: Your domain has strict DMARC enforcement with p=reject, but an email from your CEO still arrives with "dmarc=fail" in the Authentication-Results header.
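Checking the Authentication-Results header and the two alignments this section describes (Return-Path domain against the visible From, and the DKIM signing domain against the visible From) is mechanical once the header is parsed. The code below is an added example, not from the article or any tool it names; the three sample messages and the gateway name mx.example.com are constructed. The same function also flags the all-fail "triangle" discussed later under Analyzing Header Field Combinations.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the article). Authentication-Results values are
# written the way a receiving gateway records them (RFC 8601 syntax).
LOOKALIKE = """\
Return-Path: <billing@acme-invoices.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-invoices.example.net; dkim=pass header.d=acme-invoices.example.net header.s=s1; dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Subject: Wire transfer needed

Please process today.
"""

LEGIT = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com header.s=s1; dmarc=pass header.from=example.com
From: ceo@example.com
Subject: Board deck

Attached.
"""

ALL_FAIL = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail header.from=example.com
From: ceo@example.com
Subject: Quick favour

Call me.
"""


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: (result, properties)}.

    'mx.example.com; dkim=pass header.d=example.com header.s=s1'
    -> {'dkim': ('pass', {'header.d': 'example.com', 'header.s': 's1'})}
    """
    _authserv_id, _, clauses = value.partition(";")  # drop the gateway's own name
    parsed = {}
    for clause in clauses.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))
        parsed[m.group(1).lower()] = (m.group(2).lower(), props)
    return parsed


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def aligned(domain, from_domain):
    """DMARC-style relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))


def auth_findings(raw):
    """List authentication failures and alignment problems for one message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = domain_of(msg["From"])
    findings = []

    # SPF alignment: the envelope sender (Return-Path) must align with the visible From.
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and not aligned(return_domain, from_domain):
        findings.append(f"Return-Path domain {return_domain} does not align with From domain {from_domain}")

    # DKIM alignment: a passing signature must come from a domain aligned with the visible From.
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    signing_domain = dkim_props.get("header.d", "").lower()
    if dkim_result == "pass" and not aligned(signing_domain, from_domain):
        findings.append(f"DKIM signature from {signing_domain} does not align with {from_domain}")

    results = {m: auth.get(m, ("none", {}))[0] for m in ("spf", "dkim", "dmarc")}
    for method, result in results.items():
        if result != "pass":
            findings.append(f"{method}={result}")

    # The 'triangle': every check failed, yet the message still reached this point.
    if all(r == "fail" for r in results.values()):
        findings.append("spf, dkim and dmarc all fail but the message was delivered")
    return findings


if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("legit", LEGIT), ("all-fail", ALL_FAIL)):
        print(name, auth_findings(raw))
```

Note that the look-alike sample passes SPF and DKIM for its own domain; only the alignment checks and the dmarc=fail result expose it, which is why reading the verdicts without the domains they apply to is not enough.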
4. Unusual Routing Patterns
The Received headers trace the email's path through the internet. Legitimate internal emails follow predictable paths. Compromised accounts often show unexpected routing.
What to look for:
- Excessive hops: A message bouncing through 10+ servers when internal emails typically use 2-3 hops
- Unexpected intermediaries: Messages routing through external mail servers before reaching your organization
- Reverse routing: The email leaving your organization then re-entering from a different entry point
- Spoofed relay headers: Received headers claiming to be from your mail servers but with suspicious IP addresses
Example: A normal internal email travels directly: Your Office365 server → Your Exchange server. A suspicious email shows: External VPN → Third-party mail relay → Another relay → Your Office365 server → Your Exchange server.
5. Header Inconsistencies and Contradictions
Attackers often make mistakes when crafting fraudulent headers. Different header fields might contradict each other.
What to look for:
- Mismatched sender information: The "From" header claims one email address while X-Originating-Email claims another
- Conflicting recipient information: BCC headers showing unexpected recipients
- Date conflicts: The message Date header is far older or newer than the Received header timestamps
- User-Agent anomalies: Software information that doesn't match what the account holder typically uses
Example: The From header shows the executive's corporate address, but the X-Originating-Email header shows an AOL address associated with the attacker.
Advanced Header Analysis Techniques
Understanding the Complete Received Chain
Email headers contain a chain of Received headers, one from each mail server the message passed through. Read them from bottom (originating point) to top (final destination).
Each Received header typically contains:
- from: The sending mail server
- by: The receiving mail server
- with: The protocol used (SMTP, SMTPS, etc.)
- id: Message ID assigned by that server
- Timestamp information
A normal internal email might show: Originating mail server → Company mail gateway → Final destination.
A compromised account's email might show: Attacker's IP → Third-party relay → Company mail gateway → Final destination.
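The hop-by-hop reading described here, together with the routing red flags from section 4 (excessive hops, a relay claiming to be your mail server from an outside address, and mail that leaves the organization and re-enters), can be automated by parsing each Received header into its from/by/with/id fields. This is an added example, not code from the article; the internal address range 192.0.2.0/24, the example.com hostnames and both sample messages are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed: address ranges and hostname suffixes of the organization's own mail servers.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_HOSTNAME_SUFFIXES = ("example.com",)

# Constructed sample: external origin, a hop that claims to be the company mail
# server from an outside address, and more hops than internal mail needs.
SUSPICIOUS = """\
Received: from mx.example.com ([192.0.2.10]) by mail.example.com with ESMTPS id h4; Tue, 05 Mar 2024 08:11:42 +0000
Received: from relay1.example.org (relay1.example.org [198.51.100.5]) by mx.example.com with ESMTPS id h3; Tue, 05 Mar 2024 08:10:30 +0000
Received: from mail.example.com (mail.example.com [198.51.100.7]) by relay1.example.org with ESMTP id h2; Tue, 05 Mar 2024 08:09:02 +0000
Received: from [203.0.113.80] by mail.example.com with ESMTPSA id h1; Tue, 05 Mar 2024 08:07:31 +0000
From: ceo@example.com
Subject: Approval needed

Body.
"""

# Constructed sample: the message leaves the organization and comes back in.
REVERSE_ROUTED = """\
Received: from relay1.example.org (relay1.example.org [198.51.100.5]) by mx.example.com with ESMTPS id r3; Tue, 05 Mar 2024 09:00:20 +0000
Received: from mail.example.com (mail.example.com [192.0.2.20]) by relay1.example.org with ESMTPS id r2; Tue, 05 Mar 2024 09:00:10 +0000
Received: from [192.0.2.50] by mail.example.com with ESMTPSA id r1; Tue, 05 Mar 2024 09:00:00 +0000
From: cfo@example.com
Subject: Vendor payment

Body.
"""


def parse_received(header):
    """Pull from/by/with/id, the connecting IP and the timestamp out of one Received header."""
    clause, sep, stamp = header.rpartition(";")
    if not sep:                       # no ';' means no trailing timestamp
        clause, stamp = header, ""
    hop = {}
    for key in ("from", "by", "with", "id"):
        m = re.search(rf"(?:^|\s){key}\s+(\S+)", clause)
        hop[key] = m.group(1) if m else None
    m = re.search(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", clause)
    hop["ip"] = m.group(1) if m else None   # first literal IP is the connecting client
    hop["stamp"] = stamp.strip()
    return hop


def received_chain(raw):
    """All hops in transit order (first hop first), i.e. bottom Received header first."""
    msg = message_from_string(raw)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def claims_internal_host(name):
    """True when the 'from' token names one of our own mail servers."""
    name = (name or "").lower().strip("[]")
    return any(name == s or name.endswith("." + s) for s in INTERNAL_HOSTNAME_SUFFIXES)


def routing_findings(raw, max_expected_hops=3):
    chain = received_chain(raw)
    findings = []
    if len(chain) > max_expected_hops:
        findings.append(f"{len(chain)} hops; internal mail normally needs at most {max_expected_hops}")
    for hop in chain:  # spoofed relay header: our hostname, somebody else's address
        if claims_internal_host(hop["from"]) and not is_internal(hop["ip"]):
            findings.append(f"hop claims to be from {hop['from']} but connected from {hop['ip']}")
    seen_internal = False
    for hop in chain:  # reverse routing: an external hop after the message was already inside
        if seen_internal and not is_internal(hop["ip"]):
            findings.append(f"message left the internal network and re-entered from {hop['ip']} via {hop['by']}")
            break
        seen_internal = seen_internal or is_internal(hop["ip"])
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("reverse", REVERSE_ROUTED)):
        print(name, routing_findings(raw))
```

Only the topmost Received header (added by your own gateway) is trustworthy; everything below it was written by whoever controlled the earlier hops, which is exactly why the spoofed-relay check compares the claimed hostname with the address the gateway actually saw.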
Analyzing Header Field Combinations
Some red flags only appear when analyzing multiple header fields together:
The SPF-DKIM-DMARC Triangle: If an email from your domain shows:
- SPF: Fail
- DKIM: Fail
- DMARC: Fail
...but still reached users' inboxes, it either came through an unusual path or was delivered despite policy. This is suspicious.
The Authentication Gap: If the message passed your domain's authentication but shows suspicious Received headers, the attacker may have compromised the account and is using legitimate credentials.
The Timestamp Gradient: If Received header timestamps show increasing delays between hops (each server takes longer to process), it suggests the message was queued at intermediaries, consistent with an attacker using external relays.
Using Email Analysis Tools
Email header analysis tools can help parse complex headers, but understanding the fundamentals is crucial. Tools like Email Header Analyzer can:
- Extract and parse all header fields
- Identify SPF/DKIM/DMARC results
- Map the message's routing path
- Highlight anomalies and suspicious patterns
However, the best tool is an educated security professional who understands what legitimate and compromised emails should look like.
BEC Attack Patterns in Headers
CEO Fraud Variant
The attacker compromises a legitimate executive email account:
- Headers show normal authentication (uses the real account)
- Unusual timestamps (attacker works different hours)
- Modified Subject lines (common spoofing technique)
- Urgent language in message body (social engineering)
- Requests go to finance staff (not the executive's normal contacts)
Header indicator: Normal authentication but suspicious patterns in timestamps and routing combined with the unusual request type.
Vendor Impersonation Variant
The attacker creates a new domain similar to a trusted vendor and sends invoices:
- Headers show the spoofed vendor domain
- SPF/DKIM may pass (for the spoofed domain)
- But alignment may fail for your organization's domain
- Domain similarity to real vendor (misspellings, domain extensions)
Header indicator: SPF/DKIM pass for a look-alike domain, not your organization's domain.
Account Compromise Variant
The attacker gains credentials through phishing and logs into the real account:
- Headers show normal authentication (legitimate credentials used)
- But timestamps differ from normal activity
- Message content differs from usual communication style
- Recipients differ from normal email patterns
Header indicator: Normal headers but behavioral anomalies in sending patterns.
Building a Baseline for Your Organization
Effective BEC detection requires understanding "normal" for your organization:
Create Employee Profiles
- What time zones do your employees work in?
- What mail servers send their emails (Office365, Google Workspace, on-premises Exchange)?
- What's their typical send/receive pattern?
- Do they use mobile devices (different User-Agent headers)?
- Do they forward emails to personal accounts?
Document Unusual But Legitimate Patterns
- Does your CEO travel internationally and send from different regions?
- Do certain departments use third-party marketing or shipping platforms?
- Are there authorized forwarding rules to external accounts?
Establish Alert Thresholds
With this baseline, you can flag:
- Emails from new and unusual IP addresses
- Timestamps far outside normal working hours
- Authentication changes from usual patterns
- Routing paths that deviate from normal
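A per-sender profile of the kind described above can be encoded as data and compared with the facts already extracted from a message's headers. The following is an added example, not from the article; the profile values, the observed-message dictionaries and the weights and alert threshold are all constructed assumptions that an organization would replace with its own baseline.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SenderProfile:
    """Baseline for one employee. Every value here is a constructed example."""
    name: str
    home_utc_offset: int          # hours; fixed offset for brevity (use zoneinfo in production)
    work_hours: tuple             # (start, end) in local hours, end exclusive
    known_networks: list          # CIDR blocks of the mail servers they normally send through
    known_user_agents: set        # User-Agent / X-Mailer values seen in their baseline
    usual_auth: dict              # e.g. {"spf": "pass", "dkim": "pass", "dmarc": "pass"}
    usual_hop_count: int          # Received headers on their normal internal mail
    travel_networks: list = field(default_factory=list)  # documented legitimate exceptions


CFO = SenderProfile(
    name="cfo@example.com",
    home_utc_offset=-5,
    work_hours=(8, 18),
    known_networks=["192.0.2.0/24"],
    known_user_agents={"Microsoft Outlook 16.0", "Outlook-iOS/2.0"},
    usual_auth={"spf": "pass", "dkim": "pass", "dmarc": "pass"},
    usual_hop_count=2,
    travel_networks=["198.51.100.0/24"],   # the office the CFO visits each quarter
)

# Facts pulled from a message's headers by whatever parser you use; constructed here.
NORMAL_MESSAGE = {"origin_ip": "192.0.2.25", "utc_hour": 14, "user_agent": "Microsoft Outlook 16.0",
                  "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"}, "hop_count": 2}
SUSPECT_MESSAGE = {"origin_ip": "203.0.113.80", "utc_hour": 8, "user_agent": "Mozilla Thunderbird",
                   "auth": {"spf": "pass", "dkim": "fail", "dmarc": "fail"}, "hop_count": 5}

# Assumed weights: origin network is the strongest single signal, user agent the weakest.
WEIGHTS = {"ip": 3, "hours": 2, "agent": 1, "auth": 2, "route": 2}
ALERT_THRESHOLD = 4


def in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def score_against_profile(profile, observed):
    """Return (score, reasons); a score at or above ALERT_THRESHOLD should open a review."""
    reasons = []
    if in_any(observed["origin_ip"], profile.travel_networks):
        pass  # documented legitimate exception: no points
    elif not in_any(observed["origin_ip"], profile.known_networks):
        reasons.append((WEIGHTS["ip"], f"origin {observed['origin_ip']} outside known networks"))
    local_hour = (observed["utc_hour"] + profile.home_utc_offset) % 24
    if not profile.work_hours[0] <= local_hour < profile.work_hours[1]:
        reasons.append((WEIGHTS["hours"], f"sent at {local_hour:02d}:00 local, outside {profile.work_hours}"))
    if observed["user_agent"] not in profile.known_user_agents:
        reasons.append((WEIGHTS["agent"], f"unseen user agent {observed['user_agent']!r}"))
    changed = [m for m, r in profile.usual_auth.items() if observed["auth"].get(m) != r]
    if changed:
        reasons.append((WEIGHTS["auth"], f"authentication changed from baseline for {changed}"))
    if observed["hop_count"] > profile.usual_hop_count + 1:
        reasons.append((WEIGHTS["route"], f"{observed['hop_count']} hops vs usual {profile.usual_hop_count}"))
    return sum(w for w, _ in reasons), reasons


def should_alert(profile, observed):
    return score_against_profile(profile, observed)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    for label, observed in (("normal", NORMAL_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        score, reasons = score_against_profile(CFO, observed)
        print(label, score, [r for _, r in reasons])
```

The travel_networks list is what keeps the "unusual but legitimate" patterns from the previous subsection out of the alert queue: a message from a documented travel network earns no points for its origin but is still scored on everything else.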
Responding to Suspected BEC Incidents
If you detect BEC indicators in headers:
- Don't rely on headers alone: Investigate through multiple methods (account access logs, mailbox rules, device activity)
- Preserve evidence: Download the complete email with full headers for forensic analysis
- Check mailbox activity: Review the account's recent activity, login locations, and sent items folder
- Verify the request: Contact the alleged sender through a different communication channel to confirm legitimacy
- Secure the account: Reset passwords, review forwarding rules, enable MFA if not already enabled
- Investigate access: Determine how the account was compromised—phishing, credentials reuse, password spray, etc.
- Block similar emails: Create rules to quarantine emails with similar patterns pending verification
Best Practices for BEC Prevention
While header analysis is crucial for detection, prevention is better than detection:
- Implement DMARC, SPF, and DKIM strictly to prevent domain spoofing
- Enable MFA on all email accounts, especially executives and finance staff
- Monitor for unusual email rules that automatically forward emails to external accounts
- Educate users on BEC tactics and the importance of verifying unusual requests
- Implement email security solutions that analyze headers and detect anomalies
- Use display name verification in email clients to show the actual email address
- Create verification procedures for large financial transactions independent of email
- Log email header information for forensic investigation capability
Conclusion
Email headers provide a wealth of forensic information for detecting business email compromise. By understanding SPF/DKIM/DMARC results, analyzing Received header chains, identifying timing anomalies, and comparing patterns against your organization's baseline, security professionals can detect compromised accounts before attackers extract significant value.
The key is moving beyond basic email security and developing deep expertise in header analysis. Organizations that invest in this capability dramatically reduce the financial impact of BEC attacks, often stopping threats before money changes hands or sensitive data is exfiltrated. When combined with technical controls like DMARC enforcement and MFA, header-based detection becomes part of a comprehensive defense-in-depth strategy against one of today's most costly cyber threats.