Microsoft has announced it disrupted a large-scale business email compromise (BEC) campaign in which the attackers used forwarding rules to access messages related to financial transactions.
Once the cyber criminals had gained access to the mailbox, they added email forwarding rules that would send messages containing information related to financial transactions, with keywords such as invoice, payment and statement added, to attacker-controlled email addresses. Additionally, the forwarded emails were deleted from the Outbox to avoid detection.
The attackers used a large cloud-based infrastructure for the campaign to automate operations at scale. This infrastructure including the monitoring of compromised mailboxes, the creation of forwarding rules, identifying valuable victims, and processing the forwarded emails. Microsoft reported its findings to the security teams at multiple cloud companies whose services were abused by the cybercriminals, before suspending the attackers’ accounts, which resulted in the takedown of the infrastructure.
According to Microsoft, the attackers attempted to hide the scale of their operation by making it look as if the attacks were not connected to one another. They performed distinct activities from different IP addresses, but used only specific IP ranges for the attacks. This is characteristic of BEC campaigns, as it makes it harder for researchers to correlate the attacks to one organisation.
Multiple virtual machines were used to execute a specific operation, along with DNS records similar to those of existing company domains, to blend into existing conversations or launch more tailored phishing attacks. BEC attacks are constant threats to enterprise-level organisations as they are very stealthy, with attackers hiding in plain sight by blending into legitimate traffic using IP ranges with high reputation and by conducting discrete activities at specific times and connections.
Although the campaign generated very low signals to make it difficult to identify within the usual noise of corporate network traffic, these attacks could have been prevented through proper use of multi-factor authentication, which would have prevented the attackers from logging into the compromised mailboxes.