An Ongoing Campaign of BEC Attacks

A chain of phishing emails, culminating in a business email compromise (BEC), have served as a launching pad for subsequent attacks, resulting in a complex and widespread global campaign. Sygnia's incident response team provides insights into a large-scale BEC attack featuring an Adversary In The Middle (AiTM) which was discovered through a IR engagement taking place earlier this year. The initial email was identified from one of their client's employees who had received a phishing email appearing to have been sent from a legitimate mailbox associated with an external company, an indication of a possible compromise of that company's account as well. "Based on Sygnia’s findings from the investigation, the phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees. All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link," said Sygnia.

When the phishing link was clicked, the user is brought through redirects and a CAPCHA check to ultimately land on a fraudulent Office365 login page. "Once the victim entered his credentials, an ‘AiTM’ attack was initiated automatically by the phishing kit. After forwarding authentication data the session token was stolen and used for successful login to victim’s Azure environment," said Sygnia. From review Office365 unified access logs, the attacker's login was recorded and originated from  Australia however, the attacker likely used a VPN service to mask their location. Following a successful login, they added their own multi-factor authentication (MFA) device to achieve persistence.

Having gained unauthorized access to the user's account through the initial business email compromise (BEC), the attackers can subsequently replicate the process, compromising additional accounts and expanding their reach. "A new phishing attack wave was initiated by the threat actor, sending emails from the compromised account to hundreds of external mailboxes as well as dozens of internal employees’ accounts. This time, the mail sender impersonated with the new company name and compromised account and attached a newly created link," said Sygnia.