[BreachExchange] Microsoft Disrupts Large-Scale BEC Campaign Across Web Services

Wed Jun 16 11:46:01 EDT 2021

https://beta.darkreading.com/cloud/microsoft-disrupts-large-scale-bec-campaign-across-web-services

Microsoft has disclosed the details of how it disrupted a large-scale
business email compromise (BEC) infrastructure hosted across multiple Web
services, a strategy that allowed attackers to fly under the radar.

The wave of recent high-profile ransomware attacks may be top of mind for
business leaders, but BEC remains a prolific — and expensive — enterprise
problem. The FBI's Internet Crime Complaint Center (IC3) reported BEC scams
numbered 19,369 and cost approximately $1.8 billion in 2020, during a year
when total losses from cybercrime exceeded $4.1 billion overall.

Part of the reason why BEC campaigns are successful is their stealthy
nature, wrote researchers with the Microsoft 365 Defender Research Team in
a blog post on the BEC campaign disruption. These attacks have a small
footprint, create low signals that don't top defenders' alert lists, and
usually blend in with the typical noise of corporate network traffic.

"The attackers performed discrete activities for different IPs and
timeframes, making it harder for researchers to correlate seemingly
disparate activities as a single operation," they said of the challenges in
analyzing this particular operation.

Researchers traced this campaign to a phishing attack in which criminals
stole user credentials to log in to target mailboxes and create forwarding
rules that would give them access to emails regarding financial
transactions. Before forwarding rules were created, the target mailboxes
received a phishing email with a voice message lure and an HTML attachment.
These emails came from an external cloud provider's address space,
researchers noted.

The HTML file contained JavaScript that decoded a fake login page designed
to look like the Microsoft sign-in page, complete with the username filled
in. Victims who entered passwords saw animations before a "File not found"
message appeared. All the while, their credentials were being sent to
attackers using a redirector, also hosted by an external cloud provider.

Throughout their investigation, researchers saw hundreds of compromised
mailboxes in multiple businesses. All forwarding rules were configured to
send emails to one of two attacker-controlled accounts if the messages had
"invoice," "payment," or "statement." Attackers also added rules to delete
the forwarded emails from the victim's mailbox.

BEC Criminals Look to Cloud

Microsoft's analysis revealed this campaign was run on a "robust"
cloud-based infrastructure that was used to automate attacker operations,
which included finding high-value targets, adding forwarding rules,
monitoring target inboxes, and handling the emails they were after.

In this case, the attackers intentionally tried to make it difficult for
defenders to realize their activities were part of a single campaign — for
example, they ran different activities for different IPs and time frames.
However, researchers noted the attack was conducted from specific IP
address ranges.

"We observed the above activities from IP address ranges belonging to an
external cloud provider, and then saw fraudulent subscriptions that shared
common patterns in other cloud providers, giving us a more complete picture
of the attacker infrastructure," researchers wrote.

They explained how the attackers used a worker structure in the virtual
machines in which each VM only executed a specific operation, which is why
activities came from different IP sources. The attackers also set up DNS
records that appeared similar to existing company domains, so they would
blend in with email messages and could be used in targeted phishing
campaigns.

This research underscores how BEC attackers are investing more time and
effort into evading detection by blending in with legitimate traffic using
IP ranges that have a high reputation and ensuring the steps of their
attack unfold at different times and locations, researchers noted.

As they learned how attackers were taking advantage of cloud service
providers in this campaign, Microsoft's Digital Crimes Unit (DCU) worked
with the Microsoft Threat Intelligence Center (MSTIC) to report its
findings to cloud security teams so the malicious accounts could be
suspended and the infrastructure taken down.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210616/caab6f2c/attachment.html>