Business Email Compromise (BEC) attackers are more stealthy than ever before.
That is the finding of Microsoft 365 Defender researchers, who recently uncovered and disrupted a large-scale BEC campaign.
By making use of multiple cloud-based systems, the attackers were able to operate covertly. They carried out discrete activities from different IP addresses at different times. This made it exceedingly challenging for the cyber security researchers to identify and correlate seemingly disparate activities that were actually all part of a single operation.
Despite this, the team at Microsoft successfully identified crucial patterns that shone a spotlight on the attackers’ activities. What they discovered was that attackers were using cloud-based infrastructure to compromise mailboxes via phishing and then adding automated email forwarding rules.
The role of phishing in compromising email accounts is well known. What’s less well known are the tactics used by BEC attackers once they gain persistent access to an email client.
When it comes to launching highly targeted BEC attacks, the more information in the attacker’s possession, the more successful they are likely to be in deceiving Accounts Payable (AP) staff. That’s why the most sophisticated BEC attackers take their time and conduct extensive reconnaissance.
During this time, they can maintain persistent access to an organisation’s email client in order to monitor the patterns of behaviour and communication of key personnel, such as an organisation’s CEO or CFO. They can also identify financial transactions, pending invoices and supplier relationships. All this data can ensure a BEC attack is more realistic and therefore more likely to succeed.
Microsoft’s researchers noticed that a key tactic employed by BEC attackers was to engage in data exfiltration through the use of automated email forwarding rules.
The attackers would set up rules in email clients, such as Outlook. Any email in which the body contained the words ‘Invoice’, ‘Payment’ or ‘Statement’ would automatically be forwarded to the attackers.
These forwarding rules allowed attackers to redirect financial-themed emails to attacker-controlled email addresses. The attackers also added rules to delete the forwarded emails from the original mailbox to stay stealthy.
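The pattern described above (forwarding conditioned on financial keywords, to an address outside the organisation, with the original deleted) can be checked for in an export of mailbox inbox rules. The following is an added example written for this post, not Microsoft's or eftsure's code; it assumes a constructed, simplified rule format and an assumed internal domain of `example.com`.

```python
INTERNAL_DOMAINS = {"example.com"}                      # assumed: the organisation's own mail domain(s)
FINANCIAL_TERMS = {"invoice", "payment", "statement"}   # the keywords the post describes

# Constructed sample in a made-up, simplified shape; not any product's real export format.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Finance",
     "body_contains": ["Invoice", "Payment"],
     "forward_to": ["collector@attacker-mail.example"], "delete_message": True},
    {"mailbox": "cfo@example.com", "name": "Team",
     "body_contains": [],
     "forward_to": ["assistant@example.com"], "delete_message": False},
    {"mailbox": "ap@example.com", "name": "Statements",
     "body_contains": ["Statement"],
     "forward_to": ["mailbox123@freemail.example"], "delete_message": False},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the recipient's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def score_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Score one rule: external forwarding, financial keyword trigger, deletion of the original."""
    score, reasons = 0, []
    external = [a for a in rule.get("forward_to", []) if is_external(a, internal_domains)]
    if not external:
        return score, reasons  # internal-only forwarding is out of scope for this check
    score += 2
    reasons.append("forwards to external address(es): " + ", ".join(external))
    terms = {t.lower() for t in rule.get("body_contains", [])} & FINANCIAL_TERMS
    if terms:
        score += 2
        reasons.append("triggered by financial keywords: " + ", ".join(sorted(terms)))
    if rule.get("delete_message"):
        score += 2
        reasons.append("deletes the forwarded message from the original mailbox")
    return score, reasons


def find_suspicious_rules(rules, threshold=4):
    """Return (mailbox, rule name, score, reasons) for every rule at or above the threshold."""
    hits = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            hits.append((rule["mailbox"], rule["name"], score, reasons))
    return hits
```

Run against a real rule export, the hits are the rules worth reviewing with the mailbox owner; a rule that forwards externally, matches financial keywords and deletes the original scores highest.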
The depth and breadth of visibility achieved by Microsoft’s researchers was critical in detecting and stopping the BEC attackers, because they were operating with a minimal footprint. They created very low signals that were not being picked up by the regular monitoring conducted by cyber security teams. The attackers were able to blend in with the usual noise of corporate network traffic.
What Microsoft’s research shows is that BEC attackers can gain persistent access to email accounts and can remain there undetected for long periods of time. During this time, they are able to conduct extensive reconnaissance, ensuring that when the time comes to launch a BEC attack, they can do so in a highly realistic manner that successfully deceives even the most experienced AP staff.
The attackers will only be detected once they cause real monetary losses.
According to Microsoft’s researchers, BEC attackers can remain undetected for extensive periods of time because cyber security teams only have the partial or limited visibility provided by existing security tools. These tools often don’t provide the comprehensive visibility that is required into email traffic, identities, endpoints and cloud behaviours. Nor do they easily enable cyber security teams to combine isolated events in order to deliver a more sophisticated cross-domain detection approach.
Armed with intelligence on phishing emails, malicious behaviour on endpoints, activities in the cloud, and compromised identities, Microsoft researchers were able to connect the dots, gain a view of the end-to-end attack chain, and trace activities back to the infrastructure.
However, this level of detection and analysis is often beyond the capabilities of busy cyber security teams within an organisation. Cyber security personnel are too busy keeping up with routine tasks, such as patching and high-level traffic monitoring. They simply don’t have the time or resources to engage in the level of deep forensic investigations that Microsoft’s researchers were able to undertake in this instance.
With eftsure embedded in your accounting systems, it doesn’t matter if your internal cyber security team lacks the tools and resources to block all BEC attempts.
Rather than relying on tools to identify increasingly stealthy BEC attackers, eftsure gives you visibility into whether you’re processing funds to the intended recipient in real time, at the point of payment. Our unique fraudtech platform verifies the banking details you are using to process funds to a supplier against a database containing nearly 2 million Australian organisations. This gives you assurance that other organisations are using matching banking details when paying the same supplier.
So, even if BEC attackers have managed to evade your cyber security team, infiltrate your environment and engage in email manipulation, you will still be protected.
Contact eftsure today for a no-obligation demonstration of how you can stay protected from increasingly stealthy BEC attackers.