Aviation Executives Targeted in Phishing Scam Leveraging Fake Microsoft 365 Login Pages for BEC

Written by: Lore Apostol, Cybersecurity Writer

A recent aviation phishing scam has exposed the vulnerability of the aviation and transportation sectors to advanced business email compromise (BEC) tactics. Cybercriminals are exploiting executive email accounts to deceive customers and partners into transferring substantial funds.  

How the Scam Operates  

This scheme typically begins with executives being lured into submitting their credentials via fake Microsoft 365 login pages, Brian Krebs said on his computer security and cybercrime website, KrebsOnSecurity, based on a tip sent by a transportation industry worker.

Once access is gained, attackers harvest email threads related to financial transactions. Leveraging this information, they construct fraudulent invoices and, within hours of gaining access, send them to customers from a newly registered look-alike domain designed to mimic legitimate company addresses.

The sense of urgency created in these emails pushes recipients to act hastily, often bypassing routine validation procedures. For example, one victim company reported a six-figure loss when a customer paid a counterfeit invoice sent from a spoofed domain.  

The email address attached to the imposter domain is reportedly linked to at least 240 domains registered in 2024 or 2025, which impersonate aerospace and transportation companies worldwide.

Krebs mentions that a 2020 blog post on the Russian forum Hackware linked that email address to a phishing attack that used false invoices to steal credentials via a fake Microsoft login page.

Phishing Prevention Tips  

Organizations can adopt Palo Alto Networks' Unit 42 list of recommendations to minimize the incidence and impact of these attacks, including becoming familiar with the “financial fraud kill chain” (FFKC), which could help recover funds lost in BEC scams. In 2024, Interpol recovered $40 million stolen from a Singapore company in a BEC scam.
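One defensive check against the look-alike invoice domains described above, as an added example that is not from the original article, KrebsOnSecurity or Unit 42: flag senders whose domain is visually or textually close to a known partner domain. The domain names, the confusable table and the distance threshold are constructed assumptions.

```python
import unicodedata

# Constructed allow-list of domains the organisation really trades with.
TRUSTED = {"example-air.com", "contoso-freight.com"}
# Assumed table of common visual substitutions in look-alike registrations.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(name: str) -> str:
    """Comparison form: lowercase, accents stripped, confusables folded, hyphens removed."""
    d = unicodedata.normalize("NFKD", name.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED, max_dist: int = 2):
    """Return (verdict, matched trusted domain or None); verdict is
    'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Exact match or a subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted", domain
    name = skeleton(domain.rpartition(".")[0])
    for t in sorted(trusted):
        t_name = skeleton(t.rpartition(".")[0])
        # Same name under another TLD, a confusable swap, or a small typo.
        if name == t_name or edit_distance(name, t_name) <= max_dist:
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    # Constructed sender addresses, not taken from any real incident.
    for sender in ("ap@example-air.com", "ap@exarnple-air.com",
                   "ap@example-air.co", "ap@contoso-frieght.com"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict on a message that carries payment or banking details is a reason to hold it and confirm the request through a contact already on file.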

