How the L10NS3C shield detects, intercepts, and documents a Business Email Compromise attack targeting real estate escrow transfers.
A mid-size title firm processes 40-60 escrow closings per month. Average wire transfer: $340,000. The attack targets not the firm's perimeter — but the trusted relationship between the closer and the vendor.
Attacker monitors title firm social feeds, identifies a construction lender issuing draw requests weekly. Spoofs lender domain. Registers MX + SPF.
Email from spoofed domain to closer: "Updated wiring instructions for close #4829." Attached PDF with new routing number. SPF: pass, DKIM: pass, DMARC: none.
$340,000 wired to attacker-controlled account. Funds move to three intermediary banks within 90 minutes. Detection window: CLOSED.
The above attack succeeds because no edge security layer validates the relationship between domains — only the technical posture of individual messages. Sanctum closes this gap with three detection engines.
Every TLS handshake produces a JA3 hash. Legitimate servers have predictable clock-skew (±5ms). Attackers proxying through residential VPNs exhibit skew variance >200ms.
A domain that has never emailed the firm but presents perfect SPF/DKIM receives a relationship score of 0.2/1.0. Below 0.5 on first contact: held for challenge-response.
Sanctum issues a DNS-based challenge. The sender's MTA must resolve a dynamic TXT record within 12 seconds. Bulk-send infrastructure consistently fails.
EVENT: BEC_INTERCEPT_20260503_142200 STATUS: BLOCKED SOURCE IP: 185.220.101.42 (Tor exit) JA3: e1e4f1c5b5e5d3f7a8b9c0d1e2f3a4b5 CLOCK: +247ms (THRESHOLD_EXCEEDED) SCORE: 0.15 (NO_PRIOR_CONTACT) CHALLENGE: TIMEOUT (24.3s / 12s MAX) EVIDENCE: /var/lib/aegis/evidence/20260503-142200.pcap NIST: IR-4, AU-3, SC-7 MITRE: T1566.002, T1204, T1485 FBI IC3: ready
Sanctum is part of the AEGIS-SIGMA Enterprise Trust Layer. It operates as a transparent SMTP gateway — no MX record change required, no mail flow disruption. Deployment completes in under 4 hours.