Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Microsoft and law enforcement disrupt malicious BEC infrastructure

Written by Farah Amod | January 28, 2026

A coordinated operation targeted the shared infrastructure used to scale business email compromise campaigns worldwide.


What happened

Microsoft announced that it worked with international law enforcement partners to dismantle an infrastructure cluster used to support large-scale business email compromise activity linked to a service known as RedVDS. According to Microsoft, RedVDS provided low-cost virtual machines that criminals used to send phishing emails, host credential harvesting pages, and operate payment diversion schemes across multiple industries. The takedown involved seizing domains, disrupting hosting services, and cutting off payment channels that supported the operation.


Going deeper

Investigators found that threat actors used RedVDS virtual machines as disposable launch points for phishing campaigns targeting Microsoft 365 and other email platforms. Once credentials were obtained, attackers monitored compromised mailboxes and waited for legitimate payment-related conversations to appear. At carefully chosen moments, they sent fraudulent replies that altered bank details or payment instructions while reusing authentic signatures and prior message context. Microsoft said the scale of the operation was enabled by the ease of spinning up large numbers of virtual machines, which allowed attackers to rotate infrastructure quickly and avoid detection while targeting organizations in sectors such as finance, real estate, healthcare, and manufacturing.
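The reply-chain fraud described above leaves a few header- and content-level traces a defender can check for before a payment change is acted on. The following is an added illustration, not Microsoft's or Paubox's code; the message structure, the domains and the message bodies are constructed for the example, and the regex of payment keywords is an assumption.

```python
"""Review a reply thread for messages that change payment instructions while
the sender deviates from the thread's known parties (added example; all
messages and domains below are constructed, not from any real case)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Message:
    msg_id: str
    from_addr: str
    reply_to: Optional[str]
    body: str

# Phrases that usually accompany a change of payment instructions (assumed list)
PAYMENT_RE = re.compile(
    r"\b(iban|account number|routing number|swift|bank details|wire instructions)\b",
    re.I,
)

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()

def within_one_edit(a: str, b: str) -> bool:
    """True when two domains differ by a single substitution, insertion or
    deletion, which covers the common typosquat of one swapped character."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True
            j += 1
    return True

def review_thread(thread: List[Message], known_domains) -> List[Tuple[str, List[str]]]:
    """Return (msg_id, signals) for messages that carry payment instructions
    together with at least one sender-identity anomaly."""
    known = {d.lower() for d in known_domains}
    findings = []
    for msg in thread:
        signals = []
        sender_dom = domain_of(msg.from_addr)
        if sender_dom not in known:
            if any(within_one_edit(sender_dom, k) for k in known):
                signals.append("lookalike-domain")
            else:
                signals.append("unknown-domain")
        # A Reply-To pointing elsewhere redirects the conversation away from the mailbox shown in From
        if msg.reply_to and domain_of(msg.reply_to) != sender_dom:
            signals.append("reply-to-mismatch")
        if PAYMENT_RE.search(msg.body):
            signals.append("payment-instructions")
        if "payment-instructions" in signals and len(signals) > 1:
            findings.append((msg.msg_id, signals))
    return findings

# Constructed thread: a buyer and a supplier, then two suspicious replies
KNOWN_DOMAINS = {"example-health.org", "acme-supplies.com"}
SAMPLE_THREAD = [
    Message("m1", "ap@example-health.org", None, "Please send the invoice for December."),
    Message("m2", "billing@acme-supplies.com", None, "Invoice attached, payable in 30 days."),
    Message("m3", "billing@acme-supp1ies.com", None,
            "Thanks. Please note our bank details changed; the new IBAN is below."),
    Message("m4", "billing@acme-supplies.com", "billing@acme-supplies-invoices.net",
            "Updated wire instructions are attached, please use them for this invoice."),
    Message("m5", "billing@acme-supplies.com", None, "Can you confirm receipt of the invoice?"),
]

if __name__ == "__main__":
    for msg_id, signals in review_thread(SAMPLE_THREAD, KNOWN_DOMAINS):
        print(msg_id, signals)
```

Note what this check does not catch: a payment change sent from the genuinely compromised mailbox, with no lookalike domain and no Reply-To redirection, produces only the `payment-instructions` signal and passes. That is exactly the case the article describes, and it is why an out-of-band verification step for any change of bank details has to sit alongside header checks.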


In the know

Reporting from The Register describes RedVDS as a cybercrime-as-a-service platform that sells access to disposable virtual dedicated servers for as little as $24 a month. The rented machines are commonly used to send phishing emails, hijack cloud email accounts, and run large-scale fraud schemes. Microsoft estimates that activity linked to RedVDS has resulted in roughly $40 million in reported fraud losses in the United States alone, showing how low-cost, rapidly replaceable infrastructure can scale business email compromise operations.


What was said

Microsoft said the operation demonstrated how business email compromise campaigns rely on shared fraud services rather than bespoke infrastructure. Company analysts noted that the service combined high-volume hosting with automated tooling that reduced the effort required to run complex fraud schemes. Law enforcement partners supported the action by tracing payment flows, identifying infrastructure dependencies, and coordinating cross-border disruption. Microsoft said it continues to pursue legal and technical measures directed at disabling services that enable fraud at scale rather than focusing only on individual compromised accounts.


The big picture

Business Email Compromise (BEC) remains one of the most damaging cyber threats organizations face, largely because it doesn’t rely on malware or obvious red flags. According to the FBI’s 2024 Internet Crime Complaint Center report, businesses lost $2.8 billion to BEC attacks in 2024 alone, bringing total losses to $17.1 billion since 2015. These schemes work because they exploit everyday business realities: trust between colleagues, routine financial requests, and familiar email conversations.

Stopping BEC requires more than basic spam filtering. Many of these messages look legitimate on the surface, which is why they often reach inboxes unchecked. Paubox Inbound Email Security is built to address that gap. Instead of relying only on known signatures or links, it assesses context, sender behavior, and domain signals to catch impersonation and account takeover attempts before users ever see them. The result is added protection where traditional email security tools tend to fall short, without placing an extra burden on employees or IT teams.


FAQs

What is business email compromise?

Business email compromise involves attackers gaining access to or impersonating legitimate email accounts to trick recipients into sending money or sensitive information.


Why are shared hosting services attractive to BEC actors?

They allow criminals to quickly deploy and discard infrastructure, making campaigns easier to scale and harder to trace back to individuals.


How do attackers avoid detection once inside a mailbox?

They often observe conversations silently, learn normal communication patterns, and intervene only when a payment or transfer is expected.


What industries are most frequently targeted?

Finance, real estate, healthcare, legal services, and manufacturing are common targets due to regular high-value transactions.


How can organizations reduce BEC risk?

They can enforce strong authentication, implement payment change verification procedures, restrict mailbox access, monitor for anomalous login activity, and train staff to validate unexpected payment requests through separate channels.
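One of the controls listed above, monitoring for anomalous login activity, is concrete enough to show as code. The script below is an added example, not part of the article and not tied to any vendor's log format: the audit-line layout, the user names, and the RFC 5737 documentation addresses are all constructed, and the three rules (a success from a country the user has never signed in from, a success right after a burst of failures, and two successes from different countries within an hour) are assumed thresholds a team would tune to its own environment.

```python
"""Detect sign-in anomalies that precede mailbox takeover, over constructed
audit log lines (added example; log format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed one-line-per-event format; real products log differently
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\w+)$"
)

# Constructed sample: alice's normal pattern, then a foreign success after failed
# attempts, then a quick return to her usual country. bob is a control.
SAMPLE_LOG = """\
2026-01-20T08:02:11Z user=alice ip=203.0.113.5 country=US result=success
2026-01-21T08:15:40Z user=alice ip=203.0.113.5 country=US result=success
2026-01-22T07:58:03Z user=alice ip=203.0.113.9 country=US result=success
2026-01-22T18:04:31Z user=alice ip=198.51.100.77 country=NG result=failure
2026-01-22T18:05:02Z user=alice ip=198.51.100.77 country=NG result=failure
2026-01-22T18:05:45Z user=alice ip=198.51.100.77 country=NG result=success
2026-01-22T18:40:12Z user=alice ip=203.0.113.5 country=US result=success
2026-01-22T09:10:00Z user=bob ip=192.0.2.10 country=DE result=success
this line is malformed and is skipped
"""

def parse(log: str) -> List[dict]:
    """Parse matching lines, drop malformed ones, order by user then time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    events.sort(key=lambda e: (e["user"], e["ts"]))
    return events

def detect(log: str, travel_window: timedelta = timedelta(hours=1),
           fail_burst: int = 2) -> List[Tuple[str, str, str, str]]:
    """Return (user, timestamp, rule, detail) alerts for successful sign-ins."""
    alerts = []
    known_countries = defaultdict(set)   # per-user countries seen so far
    last_success = {}                    # per-user most recent successful event
    failures = defaultdict(int)          # failures since the user's last success
    for e in parse(log):
        u, ts = e["user"], e["ts"].isoformat()
        if e["result"] != "success":
            failures[u] += 1
            continue
        # First ever sighting of a user is treated as baseline, not as an anomaly
        if known_countries[u] and e["country"] not in known_countries[u]:
            alerts.append((u, ts, "new-country", e["country"]))
        if failures[u] >= fail_burst:
            alerts.append((u, ts, "success-after-failures", str(failures[u])))
        prev = last_success.get(u)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
            alerts.append((u, ts, "rapid-country-change", f"{prev['country']}->{e['country']}"))
        known_countries[u].add(e["country"])
        last_success[u] = e
        failures[u] = 0
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Each alert is the moment at which the other controls on the list should kick in: a forced re-authentication, a review of recently created mailbox rules and forwarding settings, and a hold on any payment change that the affected mailbox took part in.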