Microsoft 365 Defender Researchers Disrupted Large-Scale BEC Campaign

  • Microsoft’s researchers have uncovered a large BEC operation ran by diligent and careful actors.
  • The group of hackers relied upon multiple cloud infrastructure providers and spread their activities thin for stealthiness.
  • The compromise started with a phishing email claiming to contain an important voice message for the recipient.

Microsoft’s 365 Defender team has announced the disruption of a large-scale BEC (business email compromise) campaign, using cross-domain threat data to identify and stop the malicious operation. The attackers used cloud-based infrastructure to compromise the target mailboxes by using credentials they stole through spear-phishing and added forwarding rules, eventually accessing valuable financial transaction information.

More specifically, the actors relied upon multiple web services in order to operate stealthily, using different IPs and timeframes to raise the minimum possible number of flags. This approach is also hampering the efforts of white-hat researchers, who find it quite hard to correlate the various activities and connect the fragments into a complete picture pointing to a single actor. Of course, Microsoft’s team has enough data collection and analysis points to be able to identify even the most diligent and careful BEC actors.

Source: Microsoft

The phishing attack takes place through the typical voice message notification that we have seen many times before. The HTML attachment that comes with these emails contains JavaScript that dynamically decodes to pop up a phony Microsoft sign-in page that automatically populates the username to trick the recipient.

If the victims enter their credentials, they get a login animation and then a “File not found” error. Their password is still transmitted to the crooks in the background, though.

Source: Microsoft

The next step is to set the email forwarding rules, now receiving sensitive data without the victims having realized the breach. The forwarding conditions concern the inclusion of terms like “invoice,” “payment,” and “statement” in the mail body, so the actors are only interested in financial information and the diversion of the transactions.

Source: Microsoft

Even though the actors used different cloud-based infrastructure for their operations, Microsoft’s researchers were able to identify the following commonalities in the user agents:

  • Credentials checks with user-agent “BAV2ROPC”, which is likely a codebase using legacy protocols like IMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an “invalid_grant” in case MFA is enabled, so no MFA notification is sent.
  • Forwarding rule creations with Chrome 79.
  • Email exfiltration with a POP3/IMAP client for selected targets.

Also, all of the above activities came from a specific set of IP address ranges, so Microsoft could identify cloud providers. Then, from correlating the same pattern of activities and attack methods, they were able to link the operation to other accounts on more providers, so the veil was lifted.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari