Microsoft takes down large-scale campaign to steal information from business email

Business email compromise (BEC) was stealing sensitive financial details from victims' emails and could bypass MFA

Researchers at Microsoft's 365 Defender Research Team claim to have uncovered and dismantled a large-scale Business Email Compromise (BEC) campaign that was stealing sensitive financial details from victims' emails using sprawling cloud infrastructure.

According to the researchers, the attackers' robust cloud infrastructure was hosted across multiple web services, enabling them to automate their operations at scale and to stay under the radar for quite some time.

The scammers used the infrastructure to compromise mailboxes via phishing and add email-forwarding rules to have access to messages about financial transactions.

Stefan Sellmer, from the Microsoft 365 Defender team, and Nick Carr, from the Microsoft Threat Intelligence Center (MSTIC), shared details about the campaign in a joint blog post published on Monday.

The analysis revealed that phishing emails from attackers contained an HTML attachment that masqueraded as a voice message.

Once the victim opened the attachment, it displayed a Microsoft login page with the username already filled in. After the target entered the password to sign in, the page showed a "file not found" message.

Meanwhile, the credentials would be transmitted to the criminals, enabling them to access the email account, set up the forwarding rules and eventually steal sensitive details.

The email forwarding rules allowed the cyber actors to redirect selected incoming messages (those containing the words "payment," "invoice" or "statement") to their own mailboxes.

"The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation," the researchers said.

They also found a way to circumvent multi-factor authentication (MFA) by exploiting legacy protocols, for example POP3/IMAP, which the victims had forgotten to disable.
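The two techniques described above, inbox rules that forward messages matching "payment," "invoice" or "statement" and mailboxes still reachable over POP3/IMAP, can both be audited from Exchange Online PowerShell. The script below is an added example, not code from the Microsoft write-up; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with an administrative account, and the function name Test-ExternalRecipient is the example's own.

```powershell
# Added audit example (not from the article or Microsoft's blog post).
# Assumes Connect-ExchangeOnline has already been run as an Exchange administrator.

$keywords        = @('payment', 'invoice', 'statement')   # terms named in the article
$acceptedDomains = (Get-AcceptedDomain).DomainName          # anything else counts as external

function Test-ExternalRecipient {
    # Hypothetical helper: true if any recipient string points outside the tenant.
    # Inbox rule recipients for external addresses look like 'Name [SMTP:user@example.com]'.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:[^@\]]+@([^\]\s]+)') {
            if ($acceptedDomains -notcontains $Matches[1]) { return $true }
        }
    }
    return $false
}

# 1. Inbox rules that forward or redirect mail externally, or that key on the BEC terms
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) | Where-Object { $_ }
        $terms   = @($rule.SubjectContainsWords; $rule.BodyContainsWords; $rule.SubjectOrBodyContainsWords) |
                   Where-Object { $_ }
        $external   = Test-ExternalRecipient $targets
        $hitKeyword = @($terms | Where-Object { $keywords -contains $_.ToString().ToLower() }).Count -gt 0
        if ($external -or $hitKeyword) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = $external
                Keywords = ($terms -join ';')
                Deletes  = $rule.DeleteMessage   # attackers often delete the original to hide the forward
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Mailboxes that still allow the legacy protocols the article says were used to sidestep MFA
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
```

Any rule reported here deserves review with the mailbox owner, and mailboxes listed in the second query can be closed off with Set-CASMailbox -PopEnabled $false -ImapEnabled $false once no legitimate client depends on them.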

BEC attacks are usually difficult to identify as they blend in with genuine network traffic and don't appear on a defender's alert list.

The software company linked the latest BEC attack to an earlier phishing campaign, which enabled cyber criminals to obtain victims' credentials and gain access to their Office 365 mailboxes.

After tracking the attackers' cloud infrastructure, the researchers reported the findings to multiple cloud security teams and law-enforcement agencies, which suspended the scammers' accounts and dismantled their cloud infrastructure.

Microsoft is now advising people to use multi-factor authentication, which would help thwart such phishing attacks and protect confidential information from cyber criminals.

It comes about three months after the FBI's alert in March, which said that cyber criminals were increasingly targeting US government entities in BEC attacks, with losses ranging from $10,000 up to $4 million between November 2018 and September 2020.

Last year, the FBI also warned that BEC scammers were exploiting email auto-forwarding and cloud email services like Google G Suite and Microsoft Office 365 to steal confidential information from victims.