Investigating a sophisticated email business compromise attack on an insurance provider
Concerned about the impact of a business email compromise (BEC) attack, which resulted in an attempt to defraud one of its customers out of nearly £300k, a leading independent insurance broker approached Redscan to investigate the source and scope of the attack.
- High volumes of sensitive data
- Compromised by cybercriminal
- Victim of Business Email Compromise
As a specialist firm providing insurance advice for high value business mergers and acquisitions, Redscan’s client processes a wealth of sensitive data.
Despite maintaining a high level of security, the firm discovered that it had been compromised by a cybercriminal and used as a platform to launch a Business Email Compromise (BEC) attack designed to trick one of its clients into paying two open invoices, with a total value close to £300k, into an alternate bank account.
Fortunately, on this occasion, the attack was detected by the firm before any payment was made by the client – a vigilant member of staff from the client company had insisted on verbal verification of the financial details supplied, leading to an alarm being raised.
Nevertheless, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats.
In need of support from an expert cyber security company to help shed light on events surrounding the attack, the firm turned to Redscan, a leading provider of threat detection and response services, to conduct a full forensic investigation.
- Analysis of email logs
- Identification of point of compromise
- Discovery of client firm targeting
- Tracing of attack source
The initial focus of Redscan’s assessment was analysis of email logs relating to the Office 365 accounts suspected as being used to instigate the fraud.
The team quickly identified that six weeks prior to the BEC attack, one of the Office accounts belonging to a senior-level employee had received a phishing email.
Purporting to be from Microsoft®, the email claimed that the user’s account may have been accessed and requested that the user sign in to review activity for security reasons.
Working on the basis that the phishing attempt had been successful, leading to the harvesting of the user’s Office credentials, Redscan set about reviewing audit logs relating to the account in question.
It soon became clear that an attacker had successfully accessed the account from an unidentified IP address.
Mailbox rules designed to scan all incoming emails for keywords, move them to the user’s RSS Subscriptions folder within Outlook®, and mark them as unread were promptly introduced. This course of action would help the attacker to quickly identify emails of interest and prevent the compromised user from viewing and responding to them.Read more