The Unassuming Threat: Business E-Mail Compromise & Office 365 Vulnerabilities
Business e-mail compromise (BEC) is a class of cyber-crime that is growing rapidly. Over the past five years, BEC attacks have resulted in billions of dollars in losses from companies of all sizes across numerous industries.
This post is Part 2 of SecureSky’s multi-part blog series about BEC. In Part 1, we provided an introduction to BEC and discussed why this cyber security threat is increasing. In this post, we’ll take you through a recent SecureSky BEC investigation and explore an example of how BEC is executed against O365 environments.
Threat Investigation: Anatomy of A Business E-Mail Compromise Attack
In early 2019, SecureSky was retained to investigate an in-progress BEC attack. In the course of investigating this attack, we discovered additional compromises at numerous other organizations. This cyber-crime resulted in financial losses of over $250,000 for one company targeted, with smaller losses for numerous other companies. The reality is that we likely only had visibility into a fraction of the scope of this attack campaign, and it is very likely that the total losses attributable to this attack are much higher. Losses were not strictly financial – the attack resulted in significant work disruption for impacted users and necessitated hundreds of hours of work tracing the attack and communicating with customers and partners to explain the situation and how to limit further risk.
This attack followed the General BEC Attack Sequence (discussed in The Unassuming Threat – Part 1). All of the owners of the sites presented in this post have been contacted, and all attacker-modified content has been taken off-line.
Initial Attack Sequence: Phishing of User and Acquisition of Company Contacts
This BEC attack did not begin with SecureSky’s client (who we will refer to as “Client Target”). Client Target became involved because one of their customers was compromised, and the perpetrator utilized that customer’s infrastructure to phish a Client Target employee.
In late 2018, a Client Target employee (who we will refer to as “Employee Victim”) received a phishing e-mail from a customer contact that included an attachment named “Remittance Advice #100033.xps”. Since this e-mail came from a current customer, Employee Victim assumed the attachment was a notification that a bill had been paid. In actuality, the e-mail attachment was a phishing document created by the BEC attacker. The criminal incorporated that customer’s logo into the attachment, which gave it authenticity (Ex. 1).
Ex.1 Phishing Attachment with Customer Logo
Assuming the e-mail was legitimate, when the Employee Victim clicked the ‘OPEN FILE’ icon in the attachment, they were redirected to a SharePoint URL owned by another compromised organization. This page then prompted Employee Victim to open the SharePoint URL (Ex. 2).
Ex.2 SharePoint Page with URL Link
At this point, you might be wondering – why all this redirection and clicking through SharePoint? Why not send the phishing link directly in the e-mail? The attacker is trying to entice users into clicking malicious links in places where malicious sites are least likely to be detected by security technology. Phishing links in e-mails are more likely to generate a warning or be blocked (via e-mail protection services like Proofpoint) than phishing links on SharePoint pages, which do not always have the same levels of protection.
When Employee Victim clicked the ‘Open’ icon on the SharePoint page, they were finally redirected to an attacker-controlled phishing site designed to look like a Microsoft OneDrive login page. The perpetrator’s objective with this fake OneDrive page was to trick the Employee Victim into providing their credentials by directing them to click on either login button (Ex. 3).
Ex. 3 Attacker Phishing Page Mimicking Microsoft OneDrive Login
Once clicked, the login buttons brought Employee Victim to a credential capture page that mimics a Microsoft account login (Ex. 4).
Ex. 4 Phishing Credential Capture Page
Unfortunately, due to Client Target's existing relationship with the customer, Employee Victim trusted the e-mail and links as legitimate and submitted valid user credentials to the phishing site. Once armed with official credentials, the attacker was able to gain access and authenticate to Client Target's O365 environment and perform actions by impersonating the Employee Victim, including reading and sending e-mails.
Second Attack Sequence: Phishing Via Company Office 365 Tenant
Upon accessing Employee Victim’s e-mail, the attacker immediately created a rule to forward incoming e-mails from the Employee Victim inbox to an attacker-controlled Gmail account.
This forwarding enabled the attacker to see and archive inbound e-mails to Employee Victim, including any potential responses to phishing e-mails the attacker planned to send from the compromised account (Ex. 5).
Ex. 5 Log Establishing E-mail Forwarding
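As an added example (not SecureSky’s code or the log shown in Ex. 5), the following check scans Office 365 unified audit log records and flags inbox rules that forward or redirect mail outside the tenant, the action the attacker took here. The records are constructed; the parameter names are those recorded for Exchange Online’s New-InboxRule and Set-InboxRule cmdlets.

```python
import json
import re

# Inbox-rule parameters that send mail out of the mailbox (names are those of the
# Exchange Online New-InboxRule / Set-InboxRule cmdlets as recorded in the audit log).
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_forwarding_rules(audit_lines, internal_domains):
    """Return (user, rule name, external recipients, deletes copy) for each risky rule.

    audit_lines: unified-audit-log AuditData records, one JSON object per line.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        external = sorted({
            addr.lower()
            for name in EXFIL_PARAMS
            for addr in EMAIL_RE.findall(params.get(name, ""))
            if addr.rsplit("@", 1)[1].lower() not in internal
        })
        if external:
            rule = params.get("Name") or params.get("Identity") or "<unnamed>"
            # A rule that also deletes the message hides the forwarding from the user.
            deletes = params.get("DeleteMessage", "").lower() == "true"
            findings.append((rec.get("UserId"), rule, external, deletes))
    return findings

# Constructed sample records modelled on the forwarding rule described in the post.
SAMPLE_AUDIT = [
    '{"CreationTime": "2018-11-02T14:07:31", "Operation": "New-InboxRule", '
    '"UserId": "employee.victim@clienttarget.com", "Parameters": ['
    '{"Name": "Name", "Value": "."}, '
    '{"Name": "ForwardTo", "Value": "[SMTP:constructed-attacker@gmail.com]"}, '
    '{"Name": "DeleteMessage", "Value": "True"}]}',
    '{"CreationTime": "2018-11-02T15:00:00", "Operation": "New-InboxRule", '
    '"UserId": "colleague@clienttarget.com", "Parameters": ['
    '{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"}]}',
    '{"CreationTime": "2018-11-03T09:12:00", "Operation": "Set-InboxRule", '
    '"UserId": "other@clienttarget.com", "Parameters": ['
    '{"Name": "Identity", "Value": "Archive"}, '
    '{"Name": "RedirectTo", "Value": "backup@clienttarget.com"}]}',
]
```

Rules created from the Outlook desktop client are logged under the UpdateInboxRules operation with a different parameter layout, which this check does not parse.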
Five days after this action, the attacker sent phishing e-mails to 879 customer e-mail addresses from Employee Victim’s account. The phishing e-mails included the same ‘Remittance Advice #100033.xps’ credential phishing attachment that compromised the Employee Victim. However, instead of using the customer company’s logo in the document, Client Target’s logo was now used (Ex. 6).
Ex. 6 Client Target Logo now used in Phishing E-mail from Employee Victim Account
Two days after the phishing attacks began, Client Target was alerted by a customer that Employee Victim was sending phishing e-mails. Client Target then changed Employee Victim’s credentials and hired a third-party security consultant (not SecureSky) to investigate the incident.
The consultant reviewed the access history of Employee Victim’s account and confirmed that the attacker’s external access to the Client Target O365 environment had been removed. Client Target assumed that the incident was closed.
Third Attack Sequence: Financial Phishing via Compromised Office 365 Tenants & Phishing Domains
While the perpetrator’s access to Client Target's O365 environment was eliminated, the threat itself was not. The perpetrator changed platforms and tactics to exploit Client Target financially.
It was not until after account access was revoked that the attacker appeared to recognize the true value of Employee Victim’s account. The key asset obtained in this BEC was not access to the account or to Client Target's O365 environment, but the attacker’s recognition that Employee Victim held a sensitive position in Accounts Payable and that their contacts implicitly trusted e-mailed billing instructions sent from Employee Victim.
The attacker did not appear to realize this at first, as the initial BEC e-mails sent from the Employee Victim account were attempts to credential-phish its contacts (see Second Attack Sequence above).
Thirty days after the attacker’s access to the Employee Victim account was revoked, and after Client Target had assumed the incident was closed, phishing e-mails to Employee Victim contacts resumed. Without access to Employee Victim’s account, the attacker needed a different platform from which to base attacks. To do this, the attacker created phishing domains that closely resembled Client Target's domains (e.g., instead of clienttarget.com, the attacker registered and used cleinttarget.com). This is a long-standing phishing technique, and an example of the different approaches the attacker used to extract every possible dollar from this attack.
These phishing e-mails were formatted to resemble Employee Victim e-mails, including use of the exact signature, font sizes, and the Client Target's logo. However, instead of attempting to lure targets to submit their credentials to phishing sites, the BEC was focused on financial fraud. The objective was to redirect payments intended for Client Target to an attacker-controlled account (Ex. 7).
Ex. 7 Phishing E-mail from Employee Victim Account
This new set of e-mails notified the recipient that Client Target bank account information had changed. When the recipient requested details, the perpetrator responded with a falsified Wells Fargo Bank certification letter (Ex. 8). This new payment information pointed to bank accounts controlled by the attacker.
Ex. 8 Falsified Banking Letter Sent to Employee Victim Contacts
Appearing to have originated as PDF scans of legitimate documents, these forged bank documents were modified using an editing program. The SecureSky team’s analysis of the forged letters identified multiple layers of fraudulent information, with different sets of banking information overwriting the original content. It appears the attacker had used the document for a number of other BEC campaigns.
So where exactly were the new round of intrusions coming from? In this phase, the attack originated from yet another compromised O365 tenant, one where the attacker had administrative privileges. The attacker used administrator privileges to host the phishing domain (cleinttarget.com) on the compromised infrastructure, and to send the phishing e-mails to Client Target's contacts.
After receiving reports from customers about additional suspicious e-mails, Client Target engaged SecureSky to provide response services. We immediately contacted the domain registrar to take down the phishing domain. We also identified and contacted the compromised O365 tenant, based on the DKIM authentication headers in the phishing e-mails. The compromised tenant removed the perpetrator’s access to the tenant environment. That did not stop further attempts to establish phishing domains, however: we had more fake domains taken down the very next day.
While assisting this compromised tenant to remediate their O365 environment, SecureSky recognized that this tenant had been used as a platform for the attacker for some time, hosting numerous phishing domains for numerous global companies. SecureSky contacted all companies with phishing domains hosted on this compromised tenant.
Final Attack Sequence: Financial Phishing Via Compromised E-Mail Accounts
As you can see, this attacker was persistent. After initial access to Client Target's O365 environment was detected and revoked and multiple phishing domains were taken down, the attacker changed tactics again.
Several Client Target contacts had responded to previous phishing e-mails sent by the attacker. In attempts to extract money from these contacts, the perpetrator continued the phishing campaign by using individual compromised GoDaddy e-mail accounts.
Over two months after the initial compromise of the Employee Victim account, another round of phishing e-mails was sent to Client Target contacts. These e-mails had the following deceptive characteristics:
- The From address was firstname.lastname@example.org (Employee Victim’s actual e-mail address).
- The Reply-To address was email@example.com, directing replies to that address. The accountant.com domain has a history of association with malware campaigns.
- The actual account sending these e-mails (determined by examining the e-mail headers) was a legitimate GoDaddy web-mail account at yet another compromised company. SecureSky contacted that company and informed them that this account had been compromised.
- The e-mails in this phase requested that physical checks be re-issued, payable to a different payee than Client Target and sent to a new mailing address.
- The physical mail address was traced to an apartment at a complex with a history of violence and theft. Since the attacker would be expecting to pick up checks at this location, we notified the apartment management company and law enforcement.
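The three later phases were all recognizable from message headers alone: a DKIM signing domain that did not match the From domain (how the compromised tenant was identified), a From domain one typo away from clienttarget.com, and a Reply-To or envelope sender that did not match the displayed From address. As an added example (not SecureSky’s code), the following header triage implements those checks over constructed messages; the domains in the samples are placeholders modelled on the post, not the real ones.

```python
import email
import re
from email import policy
from email.utils import parseaddr

def _domain(header_value):
    """Lower-cased domain part of an address header ('' when absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted domains such as cleinttarget.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_headers(raw_message, trusted_domains, max_distance=2):
    """Return a list of BEC indicators found in one RFC 822 message's headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"]) or from_dom
    m = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"] or "")
    # Each of these identifies who really sent or will receive replies to the mail.
    checks = [("Reply-To", reply_dom), ("Return-Path", _domain(msg["Return-Path"])),
              ("DKIM d=", m.group(1).lower() if m else "")]
    findings = [f"{label} domain {dom} differs from From domain {from_dom}"
                for label, dom in checks if dom and dom != from_dom]
    for dom in sorted({from_dom, reply_dom} - set(trusted_domains)):
        if any(levenshtein(dom, t) <= max_distance for t in trusted_domains):
            findings.append(f"{dom} is a lookalike of a trusted domain")
    return findings

# Constructed samples modelled on the lookalike-domain and compromised-account phases.
LOOKALIKE_PHASE = """From: Employee Victim <employee.victim@cleinttarget.com>
DKIM-Signature: v=1; a=rsa-sha256; d=compromised-tenant.onmicrosoft.com; s=selector1
Subject: Updated bank account details

Please see the attached certification letter.
"""
COMPROMISED_ACCOUNT_PHASE = """Return-Path: <hacked-user@other-company.example>
From: Employee Victim <employee.victim@clienttarget.com>
Reply-To: employee.victim@accountant.com
Subject: Re-issue of outstanding checks

Please re-issue the checks to the new payee and address below.
"""
```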
After this account was shut down, more attempts were made to contact Client Target customers by using additional compromised e-mail accounts. We got in touch with the owners of these accounts, as well as the hosting providers, to remove the attacker’s access. Two and a half months after the initial compromise, the BEC attack finally subsided.
Threat Investigation: Attack Conclusion
This BEC is just one example of how much damage can be done over a relatively short amount of time. Effective protection, detection, and response to the attack presented in this post depends on three key areas:
- Office 365 Configuration – Numerous O365 security configuration settings could have better protected the Client Target environment against the attack described in this post. (Part 3)
- Office 365 Threat Detection – Enablement of appropriate auditing and logging in O365 environments can help organizations detect BEC attacks and compromise. (Part 4)
- Security Awareness – How do employees know when they are being targeted by BEC? What signs can they look for to identify whether they have already been compromised? (Part 5)
With the right tools and training, risks of BEC attacks can be reduced. We encourage you to follow the remainder of our blog series, as we will focus on key O365 configuration settings that organizations can implement to protect against BEC attacks (Part 3), logging and auditing capabilities in O365 that are indicative of BEC attacks and compromise (Part 4), and how employees can tell when they have been targeted by BEC (Part 5). The final post in this series will speculate about what a BEC organizational structure might look like (Part 6).
We also invite you to subscribe to our blog and stay informed on important cloud security issues.