The Rise of Phishing Leading to Business Email Compromises

What We Have Seen

The Aspire SOC has noticed a recent rise in phishing emails resulting in business email compromises. Phishing is when a malicious actor crafts an email, using various social engineering methods, to convince the recipient that it is legitimate and to urge them into interacting with it. Once the user interacts with the email, the threat actor can potentially compromise an account; when that account is a cloud-based email account, this is known as a Business Email Compromise (BEC).

Recently we have seen an increase in credential harvester emails that bypass security measures and convince the user to enter their login details on a crafted webpage that mimics the office.com webpage. This webpage signs the threat actor into the user's account in real time as the details are entered by the user, effectively bypassing further security measures such as 2FA.

After compromising the account, the threat actor can take several actions in pursuit of further objectives, whether that be registering an application, sending further phishing emails, modifying mailbox settings and rules, monitoring emails, or hijacking email threads.

With the average time to detect a threat being several months, a business email compromise can have a substantial impact on the organization and is a threat that cannot be ignored.


Overview

Phishing is one of the most common causes of breaches for many organizations. Given the number of ways that threat actors can bypass security measures and the number of tools available to adversaries, including AI, phishing is a low cost, high reward scenario. For more information you can read our blog post on other social engineering attacks.

A business email compromise can vary in criticality depending on the user affected. If a user on the finance, HR, or managerial team is compromised, this can mean the leaking of personal or confidential information and may necessitate informing agencies such as the ICO or the police; it can also lead to email thread hijacks resulting in false payments being made. All of these can have a large reputational and financial effect that would be detrimental to the company.


How Threat Actors Bypass Email Security Measures

Threat actors have several methods for bypassing the typical security features that would prevent a phishing email from being delivered. Normal email security will block a phishing email if it contains a phishing link. This is bypassed by using legitimate websites or non-malicious attachments that then lead to the landing page for the credential harvester.

Some methods that we often see are:

  • The use of a crafted URL through URL shortening or redirects.

Example of URL shortening, hiding the full URL.

  • An attachment or link to a legitimate site that redirects to a malicious landing page.
  • The use of legitimate, previously compromised email addresses.
  • Preventing automated scanning of the landing page by placing it behind a reCAPTCHA prompt or a Cloudflare-style challenge page.


Targets of Business Email Compromises

Threat actors will often aim to compromise any account they can, with the hopes to eventually gain access to one of the following accounts:

  • Executives and Managers because details about them are often publicly available on the company website, and these accounts often hold valuable information.
  • Finance employees such as controllers and accounting staff who have banking details, payment methods, and account numbers.
  • HR managers with access to employee records which hold personal information.


Post Compromise Threat Actor Methodology

Depending on the goals of the adversary, post compromise activity can vary. We often see mailbox rules put in place to prevent emails from being seen by key individuals. These may target directors, the breached account itself (so the user is not informed of the compromise) or, in the instance of email thread hijacking, the targeted organization. Should the threat actor send phishing emails from the account, they may filter all replies and mark them as read to prevent the user from noticing the attack.

We’ve also seen on a few occasions the threat actor registering applications for further use or registering MFA on the account to maintain persistence. Often the adversary is looking to gain access to a key account, whether that be a privileged account, one with elevated permissions, or one that will contain information that can be exploited, such as that of a financial, managerial, or HR employee.

Identifying Compromise

There are several Indicators of Compromise (IOCs) in key areas that we can look for to identify a breach.

Sign-in Logs

  • Impossible travel: Sign-ins within a short span of time from different geolocations that are not plausible for normal travel.
  • Device/User-agent: Monitoring the device and user-agent associated with a sign-in can be a good indication of compromise. A sign-in from a device that is not registered, and that the user does not normally use or should not be accessing their account from, is a potential red flag.
  • Access to the following Applications/resources:
    • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications)
    • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation)
    • ‘My Signins’ (used by attackers for MFA manipulation)
    • ‘My Apps’
    • ‘My Profile’
  • IP Addresses: IP addresses can tell us a large amount of information. A basic investigation using open-source tools can tell us whether the IP relates to a VPN, its geolocation, and its general reputation, giving us insights into the legitimacy of the sign-in.
  • Suspicious Failed & Successful Sign-ins: A large number of failed sign-ins followed by a successful sign-in can indicate brute forcing of passwords to gain access to an account. A single successful sign-in with no preceding failures is usually indicative of phishing being used to compromise an account.
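To show how the sign-in indicators above can be turned into a first-pass triage, here is an added example (not code from the original post or from Aspire) that runs an impossible-travel check and a watched-application check over constructed sign-in records; the record fields, coordinates, the 900 km/h threshold and the "registered_device" flag are assumptions for the sample.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real log data); fields loosely
# follow an Entra interactive sign-in export. Coordinates are assumed.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00", "lat": 51.5, "lon": -0.12,
     "app": "Office365 Shell WCSS-Client", "registered_device": True, "status": "Success"},
    {"user": "alice@example.com", "time": "2024-05-01T08:40:00", "lat": 6.45, "lon": 3.39,
     "app": "My Signins", "registered_device": False, "status": "Success"},
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00", "lat": 53.48, "lon": -2.24,
     "app": "Office 365 Exchange Online", "registered_device": True, "status": "Success"},
]

# Applications the post calls out as worth watching after a compromise.
WATCHED_APPS = {"Office365 Shell WCSS-Client", "Office 365 Exchange Online",
                "My Signins", "My Apps", "My Profile"}
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airline cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def triage_signins(records):
    """Return (user, indicator, detail) findings for successful sign-ins."""
    findings = []
    last_seen = {}  # most recent successful sign-in per user
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["status"] != "Success":
            continue
        user = rec["user"]
        # Watched app reached from a device the user has not registered.
        if rec["app"] in WATCHED_APPS and not rec["registered_device"]:
            findings.append((user, "watched_app_unregistered_device", rec["app"]))
        prev = last_seen.get(user)
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            secs = (datetime.fromisoformat(rec["time"]) - datetime.fromisoformat(prev["time"])).total_seconds()
            hours = secs / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                findings.append((user, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
        last_seen[user] = rec
    return findings
```

Each finding is a starting point for the IP reputation and user-agent checks, not a verdict on its own.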


Audit Logs

A user’s audit logs can tell us a host of information regarding what actions a user is taking. The two main areas of interest are the Entra Audit log and the Unified Audit Log. Entra Audit logs show us which Entra actions have been taken by an account, such as password resets, MFA registration, and application registrations.

The Unified Audit Log provides more information in regards to all actions taken by a user such as the adding or removing of mailbox permissions, any synchronization events, email deletions, and SharePoint access. These logs provide a wealth of information to help us identify any activity that may have taken place which is out of the ordinary.


Mailbox

New Rules: Aspire have found that adversaries will often create several malicious rules with names such as “.”, “..”, or “…”, which will usually mark select emails as read and filter them into the “RSS Feeds” or “Conversation History” folder. In our experience these are often malicious, and they can also point us to further accounts to investigate.

The benefit to an adversary of taking this action is that these folders are default folders within Outlook that most users rarely open, so no visible change occurs for the compromised user. The adversary can then control communications between selected users and hijack emails they find valuable.
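As an added example (not code from the original post or from Aspire), the following scores an exported set of inbox rules for the pattern described above: dot-only names and mark-as-read rules that hide mail in the rarely viewed default folders, plus an external-forwarding check. The rule dictionaries, their field names and the tenant domain are constructed for the sample.

```python
import re

# Constructed sample inbox rules, shaped loosely like a Get-InboxRule export
# (sample data for the example, not rules taken from a real tenant).
RULES = [
    {"mailbox": "alice@example.com", "name": "..", "mark_as_read": True,
     "move_to_folder": "RSS Feeds", "forward_to": []},
    {"mailbox": "alice@example.com", "name": "Newsletters", "mark_as_read": False,
     "move_to_folder": "Newsletters", "forward_to": []},
    {"mailbox": "bob@example.com", "name": "Archive", "mark_as_read": True,
     "move_to_folder": "Conversation History",
     "forward_to": ["mailbox@external-example.net"]},
]

# Default Outlook folders the post notes users rarely open.
RARELY_VIEWED_FOLDERS = {"rss feeds", "conversation history"}
# Matches ".", "..", "..." and the single ellipsis character.
DOT_NAME = re.compile(r"^[.\u2026]+$")
INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the sample

def score_rule(rule):
    """Return the reasons a rule looks like BEC tradecraft (empty list if none)."""
    reasons = []
    if DOT_NAME.match(rule["name"].strip()):
        reasons.append("dot-only rule name")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in RARELY_VIEWED_FOLDERS and rule.get("mark_as_read"):
        reasons.append(f"marks as read and hides mail in '{rule['move_to_folder']}'")
    for addr in rule.get("forward_to", []):
        if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"forwards externally to {addr}")
    return reasons

def find_suspicious_rules(rules):
    """Return (mailbox, rule name, reasons) for every rule with at least one reason."""
    hits = []
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            hits.append((rule["mailbox"], rule["name"], reasons))
    return hits
```

Mailboxes that hit are the ones to pivot into the Unified Audit Log for the New-InboxRule and Set-InboxRule events and the sign-in that preceded them.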


Emails

A user’s emails are usually where we find the initial access through phishing. To identify these ourselves we must understand what they may look like:


Example One: Typo-squatted Domains

Example from https://www.researchgate.net/figure/Typosquatting-Examples_fig2_321233558

These domains are used to spoof legitimate websites or email addresses in order to impersonate a specific user. They are usually small modifications to a legitimate domain, as seen in the example above.


Example Two: Legitimate Email/Suspicious Links

Example of a legitimate email being used with a suspicious link.


Recommendations

  • Email Filtering and Anti-Phishing: Deploy solutions to identify and block phishing emails, malicious attachments, and suspicious links. Regularly update and configure for evolving threats.
  • Email Authentication: Implement SPF, DKIM, and DMARC to prevent email spoofing and enhance security.
  • External Email Banner: Apply a banner to all externally received emails, informing the user of the threat they could bring, and make use of a “First Contact Safety Tip” informing the user that this is the first contact from that address, helping prevent email hijacks from typo-squatted domains.
  • Multi-Factor Authentication (MFA): Implement MFA for email accounts and critical applications to add an extra layer of security. Require something they know (password), something they have (verification code/token), and optionally something they are (biometric data). For privileged accounts, phishing-resistant MFA can be enabled; this will show the user where their sign-in attempt is being used, further confirming that a sign-in is legitimate.
  • Access Control and Privilege Management: Limit access to sensitive data and systems. Use MFA for critical systems and regularly review and update user access.
  • Conditional Access: Define and enforce access policies based on conditions and user attributes. Include policy definition, user authentication, device compliance checks, IP geolocation, risk-based assessment, Azure AD integration, and real-time monitoring/reporting.
  • Regular Security Audits: Conduct audits and vulnerability assessments. Update and patch software regularly.
  • Employee Training: Provide cybersecurity training to increase awareness of threats like phishing, malware, and social engineering. Train employees to recognize and report suspicious emails.
  • Entra Configuration: Several settings in Entra can be configured to prevent normal users from taking typically administrative actions such as registering applications, creating tenants, viewing the admin centre, and changing guest account permissions. These are often not configured by default and should be reviewed to ensure security.
  • Principle of Least Privilege: Ensure only accounts that require elevated permissions have them, and where possible, ensure these accounts do not have mailboxes so that they cannot be targeted by phishing.
  • Logging and Alerting: Ensuring that a logging and alerting solution is in place is critical to detecting and remediating potential malicious events. Using a SIEM and 365 monitoring, compromises can be alerted on and remediated as they happen. Should any indication of compromise be detected, it is alerted on and remediated immediately.
Written by: Jamie Egglestone