Huntress has been hunting malicious actors across 60,000+ user accounts for almost 2,000 small businesses enrolled in our Managed Detection and Response (MDR) for Microsoft 365 product. With MDR for Microsoft 365 now in general availability (GA), we wanted to shine a light on some of the interesting incidents we identified during our beta phase.
Continuing our series exposing the tradecraft around business email compromise (BEC), this blog will look at how Huntress stopped an attacker’s BEC attack aiming to divert funds into their account and cash in big without the victim knowing.
Catch up on the other BEC tradecraft we caught in part one and part two.
Setting the Stage
Recently, during the beta testing of our new MDR for Microsoft 365 solution, Huntress identified and thwarted a BEC attack against a US-based logistics company. The targeted company regularly liaises with various global vendors, one of which became the focus of this attack.
The cybercriminals were suspected to be monitoring email interactions between our Huntress-protected organization and the Accounts Payable department of the outside trusted vendor. Their suspected aim was to intercept payment information, such as invoices, with the ultimate goal of manipulating routing numbers to divert funds into attacker-controlled bank accounts. In the following case, the user name has been changed to protect the user’s identity.
Attacker Motivations
According to the FBI, “BEC has consistently been the largest dollar loss by victim crime typology reported to IC3, with over $2.4 billion of adjusted losses in the calendar year 2021.” As part of a scheme to get customers to send them money, threat actors will move emails from legitimate vendors to a location the user cannot see so they can then spoof invoices from those vendors. When the victim goes to pay what they believe is a legitimate invoice, they instead transfer money to the threat actor. By the time the victim realizes their payment did not make it to the expected vendor, the money they sent may no longer be recoverable.
Summary of the Attack
The Huntress SOC team was alerted to a suspicious user login from a Nigerian IP. They began tracing the activity of this user and it quickly became clear that the activity was malicious.
Activity Details
The first successful login to the compromised account was detected from an IP address 102.88.63[.]112 in Kaduna, Nigeria
"New-InboxRule" named "jkhjg" was created for the compromised account from a Florida location, but the session traced back to the Nigerian IP address; associated IP address: 102.129.153[.]110
Another "New-InboxRule" named "m,bvc" was created for the compromised account, again tracing back to the Nigerian session; associated IP address: 102.129.153[.]110
Multiple inbox rules were created within the session, affecting email addresses from four different companies: the US logistics company, a clothing brand company, and logistics companies based in Switzerland and China
The threat actor set up forwarding rules for key employees at the vendors, particularly those involved with finance and operations
Analysis of Threat Actor Actions
The Conversation History folder in Outlook is used by Microsoft Teams and does not normally contain emails. The reason this folder was likely chosen by the attacker is that users rarely browse this folder. Marking emails as read will often be done in concert with moving them to a less-used folder to allow threat actors time to manipulate and/or replace legitimate emails.
The email rule names appeared to be generated via a semi-random keyboard walk due to the close proximity of the letters on the keyboard ("jkhjg" and "m,bvc"). This may be an indication that the threat actor was manually creating these rules by hand vs. using scripted automation. We have seen other recent BEC attacks also using short email rule names that appear to be keyboard walks, such as “gggf”, “sss”, “m”, and “.”.
For detecting the above tactics, any inbox rules created to move emails to the Conversation History folder should be closely scrutinized as they are almost certainly malicious in nature. Additionally, inbox rules with short nonsensical names, especially when paired with a Mark as Read action of True, also have a high probability of being malicious in nature.
Parting Thoughts
The rise of financial fraud, particularly through BEC attacks, poses significant challenges to businesses worldwide. It is crucial for organizations to prioritize cybersecurity and adopt comprehensive threat detection and response solutions. The case highlighted in this blog post serves as a reminder that cybercriminals are constantly evolving their tactics and exploiting vulnerabilities in communication channels to defraud businesses.
To effectively combat financial fraud, businesses must remain vigilant, implement strong security measures, and partner with trusted cybersecurity providers.
With MDR for Microsoft 365, you’ll be leveraging Huntress’ global SOC for 24/7 protection against business email compromise attacks. Drop us a line if you’d like to start a trial or learn more from our team!
Special thanks to Max Rogers (@MaxRogers5) and Sharon Martin for their contributions to this blog post.
Continue to part four: Business Email Compromise via Azure Administrative Privileges
• • •
IoCs
- 102.88.63[.]112
- 102.129.153[.]110
ATT&CK TTPs
- Initial Access, T1078.004, valid cloud accounts
