Investigation into a Business Email Compromise Attack
The client, whom we refer to as GL, is a leader in the hospitality industry with a portfolio of over 30 brands across 100 countries. GL works with a number of vendors to run its day-to-day operations worldwide and processes a high volume of monthly transactions. GL's Managing Director lost his mobile phone during an overseas business trip. Over the following eleven months, four fraudulent emails purporting to come from a vendor were sent to GL. Each carried a payment request backed by a fraudulent PDF.
Pragma investigated each email incident separately to determine the attacker's course of action. This revealed both the attacker's progress and the client's continued exposure. Subsequent attacks were launched from other email addresses, indicating that the attackers may have gained a foothold in the vendor's systems.
Pragma helped GL strengthen their security further by identifying high-risk O365 users. These users' sessions were revoked and they were required to set new passwords. Multi-Factor Authentication (MFA) was then enabled for all users.
After the analysis and these containment steps were complete, no ongoing unauthorised access could be detected, and Pragma confirmed to the client that their email environment was secure.
Pragma's investigation and actions were concluded within one day. Once Pragma CIRT had secured the accounts and stopped further fraud, the client was able to contact their bank and have the transactions reversed. We recommended the following:
- Updated Firewall Rules
- Endpoint Security
- Passwords and Access
- Mailbox Rule Review
- Password Strengthening
- Active Directory Lockout
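The containment steps described above (revoking sessions and forcing password changes for high-risk O365 users, then requiring MFA tenant-wide) and the "Mailbox Rule Review" recommendation can be carried out from PowerShell. The script below is an added example, not Pragma's or GL's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has Exchange and user-administration rights, and that `$HighRiskUsers` and `$BreakGlass` are hypothetical placeholders standing in for the accounts identified during the investigation.

```powershell
# Added example (not from the original case study). Placeholders are hypothetical.
$HighRiskUsers = @('a.payments@gl.example', 'b.finance@gl.example')   # hypothetical list from the investigation
$BreakGlass    = @('breakglass-admin@gl.example')                      # hypothetical emergency-access account

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# 1. Mailbox rule review, tenant-wide. In BEC cases the attacker typically adds inbox rules
#    that forward or redirect mail externally, or delete/hide vendor correspondence so the
#    victim never sees the real supplier's replies.
$Suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $forwards  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $hidesMail = $rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History')
        if ($forwards.Count -gt 0 -or $hidesMail) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Rule      = $rule.Name
                Identity  = $rule.Identity
                Enabled   = $rule.Enabled
                ForwardTo = ($forwards -join '; ')
                Deletes   = [bool]$rule.DeleteMessage
                MoveTo    = $rule.MoveToFolder
            }
        }
    }
}
$Suspicious | Export-Csv -NoTypeInformation -Path .\inbox-rules-review.csv   # keep a copy as evidence
$Suspicious | Format-Table -AutoSize

# Disable (do not delete) the flagged rules in the high-risk mailboxes so they survive for forensics.
foreach ($r in ($Suspicious | Where-Object { $HighRiskUsers -contains $_.Mailbox })) {
    Disable-InboxRule -Identity $r.Identity -Mailbox $r.Mailbox -Confirm:$false
}

# 2. Contain the high-risk accounts: invalidate refresh tokens/sessions, then set a random
#    temporary password that must be changed at next sign-in.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($upn in $HighRiskUsers) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null

    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)   # 24 chars; communicated out-of-band, single use

    Update-MgUser -UserId $upn -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }
}

# 3. Require MFA for all users via a Conditional Access policy. Created in report-only mode so the
#    impact can be checked in sign-in logs before enforcement; break-glass accounts are excluded
#    by object ID so an MFA outage cannot lock administrators out of the tenant.
$BreakGlassIds = foreach ($u in $BreakGlass) { (Get-MgUser -UserId $u).Id }
$Policy = @{
    displayName   = 'CA - Require MFA for all users (post-BEC)'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassIds) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
```

Two caveats a responder should keep in mind: revoking sign-in sessions invalidates refresh tokens, but access tokens already issued remain usable until they expire (by default up to an hour), so a rule review and password reset should accompany the revocation rather than replace it; and `Get-InboxRule` only returns server-side rules, so client-only Outlook rules and any forwarding configured through `Set-Mailbox -ForwardingSmtpAddress` need a separate check.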