It is a good time to implement Multi-Factor Authentication (MFA), if you have not already done so. Microsoft researchers recently discovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted across multiple web services. The attackers compromised mailboxes via phishing emails, then added forwarding rules to gain access to emails about financial transactions.
Initial access via phishing
The attack starts with a phishing email sent to the target mailboxes, using the typical voicemail lure and carrying an HTML attachment.
Figure 1. Sample phishing email used to steal credentials for the BEC attack
Once the end user opens the attachment, the embedded JavaScript produces an imitation Microsoft Sign-in page.
Figure 3. Forwarding rules created on compromised account.
Microsoft's alerts would have sent you an email warning about the compromised account. It looks like this:
The user account has been restricted from sending outbound messages.
Details:
Recommendations:
It’s very likely that the user account has been compromised. We recommend that you review the following information and take any actions as necessary.
– Review mailbox delegates
– Review mail forwarding rules to external domains
– Review global mail forwarding property on mailbox
– Enable mailbox auditing logs
– Review audit log details for the user account
– View/edit mailbox settings
– Ensure protection
To protect accounts from further compromise, we recommend you enable the following features on the account:
– Enforce complex passwords on the account
– Enable multi-factor authentication
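As an added example (not from the original post or from Microsoft), the review steps in that alert as one Exchange Online PowerShell pass over a single mailbox. It assumes the ExchangeOnlineManagement module and an Exchange admin session; the mailbox address and the accepted-domain list are placeholders.

```powershell
# Added example, not from the original post: triage one mailbox for the BEC
# indicators the alert lists. Assumes the ExchangeOnlineManagement module and
# an Exchange admin session; $Mailbox and $InternalDomains are placeholders.
param(
    [Parameter(Mandatory)][string]$Mailbox,              # e.g. user@example.com
    [string[]]$InternalDomains = @('example.com')        # your accepted domains
)
Connect-ExchangeOnline -ShowBanner:$false

function Test-ExternalTarget([string]$Target) {
    # Rule targets render as: "Name" [SMTP:user@domain]; flag any domain not ours
    if ($Target -match 'SMTP:[^@\]]+@([^\]]+)') {
        return ($InternalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

# 1. Mailbox-level ("global") forwarding property
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Global forwarding: $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
}

# 2. Inbox rules that forward/redirect externally or hide messages
foreach ($r in Get-InboxRule -Mailbox $Mailbox) {
    $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
               Where-Object { $_ -and (Test-ExternalTarget "$_") }
    $hides = $r.DeleteMessage -or ($r.MoveToFolder -and $r.MoveToFolder -notlike '*Inbox')
    if ($targets -or $hides) {
        Write-Warning ("Suspicious rule '{0}' (Enabled={1}): external={2} hides={3}" -f
            $r.Name, $r.Enabled, ($targets -join ';'), $hides)
    }
}

# 3. Delegates with mailbox access or Send As rights
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights

# 4. Ensure mailbox auditing is on, then pull rule/forwarding changes from the last 30 days
if (-not $mbx.AuditEnabled) { Set-Mailbox -Identity $Mailbox -AuditEnabled $true }
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Mailbox -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' `
    -ResultSize 500 |
    ForEach-Object { $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; Op = $_.Operations; ClientIP = $d.ClientIP } }
```

Any rule or audit record flagged here should be checked against the user's known devices and locations before the rule is removed and the password reset.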
After the end user enters their password, they are presented with a “File not found” error.
Figure 2. Phishing page serving a fake error
In the background, the JavaScript transmitted the credentials to attacker-controlled infrastructure hosted at an external cloud provider.
Once inside the mailbox, the attackers also created email forwarding rules. They look like this:
Keep in mind that multi-factor authentication (MFA) prevents attackers from signing into mailboxes with a stolen password alone. Attacks like this can be blocked by enabling MFA.
Contact us to get set up!