Conducting a Forensic Investigation into a Business Email Compromise Attack
The client is a leading Energy as a Service (EaaS) provider to high-quality commercial and industrial customers. They deliver, operate, and maintain distributed energy solutions in eight countries, adopting the EaaS operating model. The client was in the middle of a business deal when a business email compromise happened on their system. Overseas logins appeared in the client's email account. Pragma security experts began an in-depth investigation to understand how the threat actor had gained access to the systems and what possible malware was involved.
Pragma worked closely with them until the threat actors were entirely eradicated from their system. They implemented some of the most innovative techniques to eliminate the threats and return the client's systems to normal. Pragma followed a phased approach to scope and complete this engagement. Pragma interviewed the client for a preliminary incident assessment and high-level information gathering. The process:
Data Collection: We collected data from O365 accounts and associated systems, including email, OneDrive, SharePoint, and other data sources. We exported data using forensic tools or Microsoft's eDiscovery feature.
Data Preservation: We collected and preserved data in its original state to maintain its integrity and authenticity.
Data Analysis: We analysed the collected data using forensic tools and techniques, including keyword searches, email thread analysis, and metadata analysis, to identify relevant information. We analysed the client's Microsoft O365 logging configuration.
Reporting: We prepared a detailed report of the findings, including a description of the data analysed and the analysis results.
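As an added example (not code from Pragma's engagement), a small Python check of the kind the Data Analysis step would run over exported O365 sign-in events: it flags successful sign-ins from countries outside those where the client operates, and the same account signing in from two countries within a short window. The log lines, the allow-list, and the `Country` field (assumed to be added by IP geolocation enrichment, since the raw log carries only `ClientIP`) are all constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365 unified audit log events, trimmed to the
# fields used here. "Country" is assumed to come from IP geolocation enrichment
# of ClientIP. Not real client data.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-04T08:01:10","UserId":"cfo@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.10","Country":"SG","ResultStatus":"Succeeded"}
{"CreationTime":"2024-03-04T08:14:52","UserId":"cfo@example.com","Operation":"UserLoggedIn","ClientIP":"198.51.100.7","Country":"NG","ResultStatus":"Succeeded"}
{"CreationTime":"2024-03-04T09:30:00","UserId":"ops@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.22","Country":"SG","ResultStatus":"Succeeded"}
{"CreationTime":"2024-03-04T11:05:41","UserId":"ops@example.com","Operation":"UserLoggedIn","ClientIP":"192.0.2.99","Country":"RU","ResultStatus":"Failed"}
{"CreationTime":"2024-03-05T02:45:13","UserId":"cfo@example.com","Operation":"MailItemsAccessed","ClientIP":"198.51.100.7","Country":"NG","ResultStatus":"Succeeded"}
"""

# Assumed allow-list: countries where the organisation actually has staff.
EXPECTED_COUNTRIES = {"SG", "AU", "MY"}


def parse_records(text):
    """Parse one JSON record per line; CreationTime becomes a datetime."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["CreationTime"])


def successful_logins(records):
    """Only completed sign-ins matter; failed attempts are noise for this check."""
    return [r for r in records
            if r["Operation"] == "UserLoggedIn" and r["ResultStatus"] == "Succeeded"]


def overseas_logins(records, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from countries outside the expected set."""
    return [(r["UserId"], r["Country"], r["ClientIP"])
            for r in successful_logins(records) if r["Country"] not in expected]


def rapid_country_changes(records, window_hours=2):
    """Same account in two countries within the window: a strong BEC indicator
    even when each country on its own would look plausible."""
    window, hits, last = timedelta(hours=window_hours), [], {}
    for r in successful_logins(records):
        prev = last.get(r["UserId"])  # (time, country) of the previous sign-in
        if prev and prev[1] != r["Country"] and r["CreationTime"] - prev[0] <= window:
            hits.append((r["UserId"], prev[1], r["Country"]))
        last[r["UserId"]] = (r["CreationTime"], r["Country"])
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("Overseas sign-ins:", overseas_logins(recs))
    print("Rapid country changes:", rapid_country_changes(recs))
```

Any account flagged by either check is a starting point for the email thread and metadata analysis described above, not a verdict on its own.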
Pragma also performed a dark web exposure scan, O365 security review, and workstation analysis.
Pragma recommended various measures to prevent future attacks or violations. By implementing our recommendations, the client can minimise their security risks and provide their customers with a high level of confidence regarding their security.