2022-10-11

Leveraging Exchange Telemetry in O365 Mailbox Attack

Level: 
Tactical
  |  Source: 
Red Canary
Cybersecurity
Share:

Leveraging Exchange Telemetry in O365 Mailbox Attack

Red Canary's threat research article shared an email compromise campaign with attackers aiming to set up payroll diversion fraud. The scenario outlined involved "the adversary compromises an email account and abuses their access in an attempt to update that user’s direct deposit information by corresponding via email with payroll department, forwarding relevant correspondence into a rarely used folder to evade notice, and eventually—if successful—routing the legitimate user’s paycheck into the criminal’s bank account." Defenders can leverage detection analytics focused on Office365 logins and in quick succession mailbox tampering with a high number of emails accessed and/or threat actors creating forwarding rules for persistence and automatic data exfiltration. The attack sequence occurred within 12 minutes from the attackers logging in to accessing mailbox items, creating inbox rules, and sending a fictitious direct deposit update request to the victim's HR department.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now