The initial focus of Redscan’s assessment was analysis of email logs relating to the Office 365 accounts suspected of having been used to instigate the fraud.
The team quickly identified that six weeks prior to the BEC attack, one of the Office accounts, belonging to a senior-level employee, had received a phishing email.
Purporting to be from Microsoft®, the email claimed that the user’s account may have been accessed and for security reasons requested that the user sign in to review activity.
Working on the basis that the phishing attempt had been successful, leading to the harvesting of the user’s Office credentials, Redscan set about reviewing audit logs relating to the account in question.
It soon became clear that an attacker had successfully accessed the account from an unidentified IP address.
The attacker promptly created mailbox rules that scanned all incoming emails for keywords, moved matching messages to the user’s RSS Subscriptions folder within Outlook®, and marked them as unread. This allowed the attacker to quickly identify emails of interest while preventing the compromised user from seeing and responding to them.
One email thread to capture the attention of the attacker was related to the billing of two high value invoices, which had been raised by the insurance firm to one of its clients.
Redscan’s analysis of the firm’s email logs revealed that the attackers had used the information gathered during reconnaissance to create a chain of spoofed emails designed to imitate the compromised user and request payment of the outstanding invoices to a substitute bank account.
The source of the spoofed emails was a domain set up to closely resemble that of the insurance firm, so that the difference would not be easily discernible.
Additional attempts by the attacker to conceal the fraud were uncovered by later analysis, which showed that any incoming emails from the firm’s client to the compromised Office account were promptly deleted.
The attacker also created additional fake email accounts purporting to belong to colleagues of the compromised user, and suggested that one of these colleagues would call the client to verbally verify the bank payment details supplied. Both measures were designed to increase the likelihood of the BEC succeeding.
Even at the point where the attack was close to being foiled, the attacker did not relent. Further analysis of event logs revealed that an email rule had been set within the compromised account to auto-forward all incoming and outgoing emails to an external Gmail address.
Over the course of a week following detection of the attack, the email forward had delivered over 280 emails to this fraudulent account, resulting in the continued disclosure of highly confidential client details and payment information to the attacker.
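The mailbox rules described above (keyword-based moves to the RSS Subscriptions folder, and auto-forwarding to an external address) leave a trail in the Office 365 audit log as New-InboxRule and Set-InboxRule operations. The following Python triage script is an added example and not part of Redscan’s report; it assumes audit records in the Exchange admin audit shape (an Operation name plus a Parameters list of Name/Value pairs) and uses constructed sample records and a constructed tenant domain.

```python
import re

# Constructed value: the tenant's own accepted domains; anything else counts as external.
INTERNAL_DOMAINS = {"insurer.example"}
# Folders the mailbox owner rarely opens, so rules filing mail there hide it from them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords", "From")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_addresses(value):
    """Extract SMTP addresses (incl. the '"name" [SMTP:addr]' form) not in INTERNAL_DOMAINS."""
    found = {a.lower() for a in EMAIL_RE.findall(value or "")}
    return sorted(a for a in found if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS)

def inbox_rule_findings(record):
    """Reasons an inbox-rule audit record looks like BEC tradecraft ([] if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    findings = []
    for name in FORWARD_PARAMS:
        ext = external_addresses(p.get(name))
        if ext:
            findings.append(f"{name} sends mail outside the tenant: {', '.join(ext)}")
    # MoveToFolder values look like ':\RSS Subscriptions'; keep only the leaf folder name.
    folder = re.split(r"[\\:]", p.get("MoveToFolder", ""))[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{folder}'")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        findings.append("marks matching mail as read")
    if findings and any(k in p for k in FILTER_PARAMS):
        findings.append("targets specific senders/keywords rather than all mail")
    return findings

# Constructed sample records in the shape of Exchange admin audit entries.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "Parameters": [
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank"},
        {"Name": "MoveToFolder", "Value": ":\\RSS Subscriptions"}]},
    {"Operation": "Set-InboxRule", "Parameters": [
        {"Name": "ForwardTo", "Value": '"Mail" [SMTP:collector@external-mail.example]'}]},
    {"Operation": "New-InboxRule", "Parameters": [
        {"Name": "From", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": ":\\Newsletters"}]},
]

def triage(records):
    """Map index -> findings for every record that tripped at least one check."""
    return {i: f for i, r in enumerate(records) if (f := inbox_rule_findings(r))}
```

Running `triage(SAMPLE_RECORDS)` flags the first two records (the keyword-to-RSS-folder rule and the external forward) and leaves the benign newsletter rule alone.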
Having established the means of attack, Redscan’s CIRT team set about identifying how the compromise was able to occur. Analysis of audit logs revealed that, following the original phishing attack, which led to Office 365 credentials being harvested, hundreds of account login attempts were initiated from a range of malicious IP addresses.
These attempts originated from IP addresses in Nigeria, China and, later, the UAE, from where a number of successful logins were eventually made.
While it is possible that the failed authentication attempts were unrelated to the BEC attack, this is unlikely to be a coincidence. One theory is that the compromised user, in falling foul of the phishing attempt, entered incorrect account credentials, which then prompted brute-force attempts to identify the genuine password.
Upon detection of the BEC attack, the insurance firm’s IT staff made the decision to lock down the compromised account and enforce multi-factor authentication for all Office 365 users. While this course of action was effective at preventing subsequent malicious login attempts, it was not until the Redscan team identified and disabled email forwarding that the attack was safely contained.
Having concluded its investigation, the Redscan team produced a formal incident report outlining a full timeline of events. The document also included recommendations to help the firm prevent and detect future attacks.