A recent investigation by Microsoft's Security Intelligence team found that the threat actors behind business email compromise (BEC) attacks are now moving faster. The entire process can take just a few hours, which is likely intended to give victims fewer opportunities to identify the attack and respond in time.
For those who don't know, BEC is a type of cybercrime in which a scammer uses email to impersonate a company executive and trick an employee into divulging confidential information or wiring money to the scammer's bank account. According to the FBI 2021 Internet Crime Report, global losses from BEC attacks between July 2019 and December 2021 increased by 65% over the previous year, and account for 35% of all losses due to cybercrime.
The BEC attack Microsoft recently investigated started with the threat actor conducting an adversary-in-the-middle attack to steal the target's session cookie and bypass multifactor authentication. Once they gained access to the victim's account, they spent some time looking for email conversations to hijack. By hijacking email threads, the threat actors can establish trust with recipients, because the email appears to be a continuation of a previous conversation.
After this, the threat actor registered deceptive domains that appear similar to the ones the victim's organization uses. Then they created an inbox rule that moved emails from the organization into a specific folder so they would stay out of sight.
One minute later, the attacker sent an email to the victim's business partner asking for a change to the wire transfer instructions. They deleted the email immediately after it was sent, to make it less likely that the compromised user would discover the breach.
In total, it took the threat actor about 2 hours and 7 minutes from the time they signed in to the victim's account to the time they deleted the email. Fortunately, Microsoft says that Defender generated a warning about BEC financial fraud 20 minutes after the cybercriminal deleted their email. Defender also automatically disrupted the attack by disabling the victim's account.
Microsoft added that Defender has already disrupted a total of 38 BEC attacks across 27 organizations. This is possible because the platform uses high-confidence extended detection and response (XDR) signals across endpoints, identities, email, and SaaS apps.
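The attack chain above (sign-in, hiding inbox rule, lookalike domain, email sent and immediately deleted) leaves a recognisable trail in mailbox audit logs. The following is an added example, not Microsoft's code or Defender's detection logic, of a small correlation rule over such a trail. The event shape is a simplified assumption loosely patterned on Microsoft 365 unified audit log operation names (UserLoggedIn, New-InboxRule, Send, HardDelete); the organisation domain, user names and timestamps are constructed sample data.

```python
"""Correlate mailbox audit events into a BEC-style alert (constructed example)."""
from __future__ import annotations
from datetime import datetime, timedelta

ORG_DOMAIN = "contoso.example"            # assumed victim organisation domain
SEND_DELETE_WINDOW = timedelta(minutes=5)  # "sent, then deleted right away"
CHAIN_WINDOW = timedelta(hours=3)          # whole chain took ~2h07m in the reported case


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains that imitate ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN, max_dist: int = 2) -> bool:
    """A domain that is close to, but not equal to, the organisation's own domain."""
    d = domain.lower()
    return d != org_domain and edit_distance(d, org_domain) <= max_dist


def hiding_rule(event: dict) -> bool:
    """Inbox rule that moves or deletes incoming mail: the classic BEC hide step."""
    if event["op"] != "New-InboxRule":
        return False
    p = event.get("params", {})
    return bool(p.get("DeleteMessage")) or bool(p.get("MoveToFolder"))


def sent_then_deleted(events: list[dict], user: str) -> list[tuple[dict, dict]]:
    """(Send, HardDelete) pairs on the same message id within SEND_DELETE_WINDOW."""
    sends = {e["msg_id"]: e for e in events if e["user"] == user and e["op"] == "Send"}
    pairs = []
    for e in events:
        if e["user"] == user and e["op"] == "HardDelete" and e.get("msg_id") in sends:
            s = sends[e["msg_id"]]
            if timedelta(0) <= e["ts"] - s["ts"] <= SEND_DELETE_WINDOW:
                pairs.append((s, e))
    return pairs


def addresses(send_event: dict) -> list[str]:
    """Every address a sent message points at: recipients plus any Reply-To."""
    return [a for a in list(send_event.get("recipients", [])) + [send_event.get("reply_to", "")] if a]


def score_user(events: list[dict], user: str) -> dict:
    """Collect BEC indicators for one user within CHAIN_WINDOW of their first sign-in."""
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    logins = [e for e in mine if e["op"] == "UserLoggedIn"]
    if not logins:
        return {"user": user, "indicators": [], "alert": False}
    start = logins[0]["ts"]
    window = [e for e in mine if start <= e["ts"] <= start + CHAIN_WINDOW]
    indicators = []
    if any(hiding_rule(e) for e in window):
        indicators.append("hiding_inbox_rule")
    if sent_then_deleted(window, user):
        indicators.append("sent_then_deleted")
    sends = [e for e in window if e["op"] == "Send"]
    if any(is_lookalike(a.split("@")[-1]) for s in sends for a in addresses(s)):
        indicators.append("lookalike_address_domain")
    # Two or more independent indicators inside one session window is our alert threshold.
    return {"user": user, "indicators": indicators, "alert": len(indicators) >= 2}


def scan(events: list[dict]) -> list[dict]:
    """Run score_user for every user seen in the log and return only the alerts."""
    return [r for u in sorted({e["user"] for e in events}) if (r := score_user(events, u))["alert"]]


# Constructed sample log: alice's mailbox follows the reported chain, carol's is benign.
T0 = datetime(2023, 5, 1, 9, 0)
ALICE, CAROL = "alice@contoso.example", "carol@contoso.example"
SAMPLE_EVENTS = [
    {"ts": T0, "user": ALICE, "op": "UserLoggedIn", "ip": "198.51.100.7"},
    {"ts": T0 + timedelta(minutes=125), "user": ALICE, "op": "New-InboxRule",
     "params": {"Name": "Cleanup", "FromAddressContainsWords": ORG_DOMAIN, "MoveToFolder": "RSS Feeds"}},
    {"ts": T0 + timedelta(minutes=126), "user": ALICE, "op": "Send", "msg_id": "m1",
     "recipients": ["bob@fabrikam.example"], "reply_to": "alice@c0ntoso.example"},
    {"ts": T0 + timedelta(minutes=127), "user": ALICE, "op": "HardDelete", "msg_id": "m1"},
    {"ts": T0 + timedelta(minutes=10), "user": CAROL, "op": "UserLoggedIn", "ip": "203.0.113.9"},
    {"ts": T0 + timedelta(minutes=20), "user": CAROL, "op": "Send", "msg_id": "m2",
     "recipients": ["dan@contoso.example"]},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The Levenshtein check catches single-character swaps such as the constructed `c0ntoso.example` but not imitations that change the top-level domain or add a word; in practice it would be paired with a list of newly registered domains. The 5-minute send-then-delete window and the 2-indicator threshold are tuning choices for this example, not values from the investigation.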
Source: Microsoft