Responding to Office 365 Business Email Compromise

With more than 50% of all global businesses already using Office 365 and demand going strong, cybercriminals have been targeting these accounts as they are the perfect gateway to any organisation and data. In a recent report, 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in March 2019 alone.

At Pragma, our Incident Response department has investigated various Office 365 attacks. Apart from phishing emails, our team witnessed stolen passwords from the same user's personal account, brute force attacks and credential stuffing.

In this article, we take you through a case study of a common Office 365 Business Email Compromise attack (O365 BEC), where a cybercriminal hacked into a vendor's account to trick its victim into depositing funds based fake invoices.

The Incident

When an Accounts Director at an International Estate Agent company received an email message about a voicemail from a recognised contact, they clicked the link to see a recognisable Office 365 website. After logging into their account, the link had expired, so they didn’t think much of it.

A month later, after making several payments to creditors, as was perfectly normal, they discovered that the money had been sent to the wrong bank account, and the balance was still outstanding. Worse still, the creditor cut off their services due to lack of payment leaving them unable to conduct basic functionality. Only when the victim raised an issue regarding the removal of services was it identified that payment had been made to a fraudster.

Pragma Investigates

Pragma was engaged to investigate the incident, and immediately began remote analysis on the affected user’s account. It was quickly identified that the ‘Threat Actor’ had gained access to the account nearly one month earlier and had placed inbox rules on the account which resulted in emails from the service provider to the victim being immediately marked as read and forwarded to the ‘archive’ folder.

The Threat Actor has registered a domain in a name almost un-noticeably different to the true creditor, and from an email extremely similar to the true email address, began to converse about payments that were due soon.

Once the bill was due, the Threat Actor tricked the victim that they had been a victim of a bank account compromise and advised them not to make any payment until new bank details were provided. These followed a day later, and the victim unknowingly settled the bill to the Threat Actor.

Next Steps

• Pragma immediately worked with the IT service provider to remove the malicious inbox rules and assisted in ensuring that the Threat Actor was expelled from the account.
• The entire organisation’s O365 tenant was scanned to identify indications of further malicious activity.
• A review of email activity was conducted to identify any other communication ongoing from the Threat Actor using alternative email addresses to obtain further payment.
• Root cause analysis was carried out to locate the cause of the incident and ensure that no other colleagues had fallen victim to the same attack.
• A subsequent review of Personally Identifiable Information (PII) was also required to identify what information had been available to the Threat Actor during the attack. This was required in the reporting of the incident to the relevant bodies and the Information Commissioner's Office (ICO).

Are you affected by an O365 attack?

If you suspect or experience a similar incident, do not hesitate to get professional help. The Threat Actor may still be in your system causing further damage.

Reach out to our Incident Response specialists at [email protected] or contact us here.