Researchers at Microsoft 365 Defender reported that they had disrupted cloud-based infrastructure used by scammers to carry out a large-scale business email compromise (BEC) campaign.
The attackers used phishing to compromise email accounts and exfiltrated sensitive information by setting up forwarding rules to reroute emails to their inboxes.
The use of infrastructure hosted with multiple web services allowed attackers to operate stealthily:
“The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns,” explained Stefan Sellmer of the Microsoft 365 Defender Research Team and Nick Carr, security researcher at the Microsoft Threat Intelligence Center (MSTIC). The attackers spread different activities across different IP addresses and timeframes to make it harder for researchers to spot patterns and similarities across their attacks, the researchers said. Nevertheless, Microsoft was able to reconstruct the entire attack flow by analyzing a recent BEC incident.
The attack chain involved establishing initial access to the victim’s mailbox, gaining persistence, and finally stealing data through email forwarding rules. The attackers stole credentials by sending phishing messages that mimicked Microsoft landing pages.
While multi-factor authentication (MFA) would normally block the use of stolen credentials, Microsoft found that the attackers used legacy protocols such as IMAP/POP3 to circumvent MFA for Exchange Online accounts wherever the victim had not turned off legacy authentication.
“Credential checks with user agent ‘BAV2ROPC’, which is likely a code base using legacy protocols like IMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an ‘invalid_grant’ in case MFA is enabled, so no MFA notification is sent.”
The attackers used cloud infrastructure to automate their operations at scale. These included “adding the rules, watching and monitoring compromised mailboxes, finding the most valuable victims, and dealing with the forwarded emails.”
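As an added, defender-side example that is not part of the article or of Microsoft's own tooling: a small Python script that flags the two signals the article describes, sign-ins over legacy protocols (including the “BAV2ROPC” user agent) and inbox rules that forward mail outside the tenant, and correlates them per user. The event schema, field names and sample values are constructed for illustration and do not follow the real Azure AD sign-in or Exchange audit log formats.

```python
# Constructed sample events in a simplified, made-up schema (not the real
# Azure AD sign-in or Exchange mailbox audit formats) for a fictional tenant.
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "client_app": "Browser", "user_agent": "Mozilla/5.0", "result": "success"},
    {"user": "alice@example.com", "client_app": "IMAP4", "user_agent": "BAV2ROPC", "result": "invalid_grant"},
    {"user": "bob@example.com", "client_app": "POP3", "user_agent": "BAV2ROPC", "result": "success"},
]
RULE_EVENTS = [
    {"user": "bob@example.com", "operation": "New-InboxRule", "forward_to": ["bob@example.com"]},
    {"user": "bob@example.com", "operation": "New-InboxRule", "forward_to": ["drop@attacker.example"]},
]

# Client types that use basic/legacy auth and therefore never trigger an MFA prompt.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}
TENANT_DOMAIN = "example.com"  # assumed tenant domain for the constructed data


def find_legacy_auth(events):
    """Return sign-in attempts that used legacy auth or the BAV2ROPC user agent.

    A failed attempt (e.g. 'invalid_grant' with MFA enabled) is still worth
    surfacing: it shows someone is trying the victim's password over IMAP/POP3.
    """
    return [e for e in events
            if e["client_app"] in LEGACY_PROTOCOLS or e["user_agent"] == "BAV2ROPC"]


def find_external_forwarding(events, tenant_domain=TENANT_DOMAIN):
    """Return inbox-rule changes whose forward targets lie outside the tenant."""
    hits = []
    for e in events:
        if e["operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        external = [a for a in e["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() != tenant_domain.lower()]
        if external:
            hits.append({"user": e["user"], "external": external})
    return hits


def correlate(signins, rules, tenant_domain=TENANT_DOMAIN):
    """Users with a successful legacy-auth sign-in AND a new external forwarding rule."""
    legacy_ok = {e["user"] for e in find_legacy_auth(signins) if e["result"] == "success"}
    forwarding = {h["user"] for h in find_external_forwarding(rules, tenant_domain)}
    return sorted(legacy_ok & forwarding)


if __name__ == "__main__":
    print("legacy auth:", find_legacy_auth(SIGNIN_EVENTS))
    print("external forwarding:", find_external_forwarding(RULE_EVENTS))
    print("correlated users:", correlate(SIGNIN_EVENTS, RULE_EVENTS))
```

Against the sample data the correlation singles out bob@example.com, who both signed in over POP3 with the BAV2ROPC user agent and then created a rule forwarding to an external domain.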
The scammers used multiple IP address ranges to hide their identities and created DNS records that almost matched their victims’ so that their activity would evade detection.
Even though BEC scams are not new, they have become more prevalent in the past couple of years. These attacks have been causing record financial losses every year since 2018.