Threat hunters at Microsoft recently uncovered and disrupted infrastructure that powered a large-scale business email compromise (BEC) campaign. The infrastructure was hosted on multiple cloud platforms, which allowed it to stay under the radar for quite some time.
“The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” according to Microsoft 365 Defender researchers, writing in a Tuesday post.
Mailbox Compromise and Message Redirects
In the campaign, adversaries compromised mailboxes not protected by multifactor authentication (MFA) via credential-phishing efforts, and then added forwarding rules that directed selected arriving messages to their own mailboxes. This enabled attackers to monitor for emails about financial transactions that they could then use to further their efforts to steal funds.
“Our analysis shows that shortly before the forwarding rules were created, the mailboxes received a phishing email with the typical voice message lure and an HTML attachment,” according to researchers. “The emails originated from an external cloud provider’s address space.”
The HTML attachment contained JavaScript that dynamically decoded an imitation of the Microsoft sign-in page, with the username already populated, according to the posting, that asked the user to enter their password. Once entered, in the background, the JavaScript transmitted the credentials to the attackers via a redirector, also hosted by an external cloud provider.
In all, researchers observed hundreds of compromised mailboxes in multiple organizations. Across the board, forwarding rules were implemented that said that if the message body contains the words “invoice,” “payment” or “statement,” to forward the email to one of two addresses (ex@exdigy[.]net or in@jetclubs[.]biz). The attackers also added rules to delete the forwarded emails from the outbox in order to remain undetected.
Cloud Infrastructure
Meanwhile, the cloud infrastructure on the backend allowed full automation, providing the ability to operate at scale. The automated tasks included adding the forwarded rules, monitoring compromised mailboxes, identifying the most-valuable victims and processing the forwarded emails, according to Microsoft.
“We observed the…activities from IP address ranges belonging to an external cloud provider, and then saw fraudulent subscriptions that shared common patterns in other cloud providers, giving us a more complete picture of the attacker infrastructure,” researchers explained.
Meanwhile, the cyberattackers used virtual machines (VMs) for execution, using a new VM for each specific operation, which explains why activities originated from different IP sources.
“The attackers also set up various DNS records that read very similar to existing company domains,” according to the analysis. “These are likely used to blend into existing email conversations or used for more tailored phishing campaign against specific targets.”
The attackers loaded various tools onto the VMs, according to researchers, including one called “EmailRuler,” which is a C# application that uses ChromeDriver to automatically manipulate the compromised mailboxes and install forwarding rules. The stolen credentials and information about the state of the mailbox are stored in a local MySQL database. And, a tool called “Crown EasyEmail” was likely used to exfiltrate the forwarded messages.
“These attacks have minimal footprint, create very low signals that don’t rise to the top of a defender’s alert list, and tend to blend in with the usual noise of corporate network traffic,” explained analysts. “BEC attacks unfortunately can stay undetected until they cause real monetary loss because of limited or partial visibility provided by security solutions that don’t benefit from comprehensive visibility into email traffic, identities, endpoints and cloud behaviors, and the ability to combine together isolated events and deliver a more sophisticated cross-domain detection approach.”
Researchers worked with Microsoft Threat Intelligence Center (MSTIC) to report the findings to multiple cloud security teams, which suspended the offending accounts, resulting in the takedown of the infrastructure.
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!