The Evolution of Business Email Compromise

May 7, 2023

Introduction

Over the past months, we have provided support to multiple organizations that have fallen victim to Business Email Compromise (BEC) attacks. In this blog we would like to share some of the latest Tactics, Techniques & Procedures (TTPs) we observed during a specific BEC investigation in a Microsoft 365 environment. We hope that this information will be helpful to other incident responders and organizations working on similar cases.

Acquisition

During the investigation, we utilized the Microsoft-Extractor-Suite to collect all relevant evidence, and then analyzed it using the Splunk Blue team app for Microsoft365 & Azure. You can also extract the logs and feed it into your own platform of choice.

Initial Access

The typical modus operandi of Business Email Compromise attacks involves a user falling victim to a phishing email. The email contains a link to a legit looking Microsoft website, which is in fact controlled by the threat actor. The same thing happened and below is a screenshot of the phishing page.

After logging in the threat actor waited around 12 hours to access and validate the credentials, after which several emails were accessed.

The access was mostly via VPN related and Nigerian based IP-addresses, see full list in the Indicators Of Compromise (IOC) section.

MITRE technique:

Privilege Escalation & Lateral Movement

The account that was initially compromised wasn’t particularly interesting from a threat actor perspective as it didn’t have access to emails related to payments or privileged access. The threat decided to shift focus to other employees in the company using internal phishing

A phishing email was sent to the entire company, which eventually alerted our client to the breach. The email contained a link to a seemingly “shared” document.

The link leads to another fake Microsoft login page:

The internal phishing email led to two additional victims. For both victims, logins were observed from a Nigerian based IP-address:

  • 102.88.63[.]242

One of the compromised accounts had the Exchange Administrator Role which allowed for Privilege Escalation.

To cover their tracks, the threat actor deleted the phishing email from the compromised account and also purged it.

Tip: If you ever find yourself needing to recover a purged email, you can use the following command to restore it to the user’s mailbox:

Restore-RecoverableItems -Identity user@email.com -SubjectContains “subject-of-email”

This can only be done by users with a special role, and within 14 days of purging.

MITRE techniques:

  • Valid Accounts: Cloud Accounts [T1078.004]
  • Internal Spearphishing [T1534]

Persistence

At this point the threat actor managed to obtain access to three unique accounts and one with Exchange Administrator privileges. With administrator access, the threat actor was able to perform some interesting techniques.

Delegated access
First the threat actor granted himself full access to the mailboxes of two other users by taking advantage of the victim’s Exchange Admin Role. The attacker also added Send as and Send on behalf permissions to the compromised accounts, effectively gaining full access to two additional mailboxes without the need for any additional credentials. The actor proceeded to read emails from these mailboxes.

Tip: If you want to know what emails were accessed by a threat actor. First filter for the MailItemsAccessed operation and then use the value(s) in the InternetMessageIdfield to identify what email was accessed.

Additionally, the threat actor sent an email to one internal and two external recipients. It is unclear why these particular recipients were chosen or why the message only contained the word “hello”.

Other interesting activity

The threat actor also performed another interesting action, which is not recognized as part of a specific phase or a MITRE ATT&CK Technique.

New inbound connector
After gaining access to the privilege account, the threat actor created a new inbound connector (reference). This is not a well-known technique, however there are a few references on internet by Argonsys and Microsoft.

After gaining access to the Exchange Admin Role, the threat actor created a new inbound connector named “”365” which allowed emails from the attacker’s infrastructure IP-address, to flow through the victim’s Exchange server. Later, an additional IP-address was added to the connector::

  • 83.137.157[.]180 (offline)
  • 194.163.164[.]133 (active)

We suspect this connector was created to be used as an email relay for further phishing or spam campaigns by the threat actor. If the email is originating from a legitimate Microsoft 365 environment, the chances of it being blocked or detected by email security solutions is much lower.

At the time of writing the 83.* address is offline, however the other one starting with 194.* is online and currently hosting a Windows machine (Shodan). The system has RDP exposed to the internet, so either this is a system belonging to the threat actor or a compromised machine that’s used as a relay itself.

Shortly after setting up the connector, the threat actor was detected and their access was revoked.

MITRE technique:

  • Account Manipulation: Additional Email Delegate Permissions [T1098.002]
  • New Inbound Connector [No MITRE TTP]

Detection

Most of the analysis was done using the Unified Audit Log which records events for 90 days by default. Below an overview of the relevant Operations this information can be used to improve your defenses and to detect malicious behaviour.

Recommendations

Below are some recommendations for organizations to prevent and respond to Business Email Compromise (BEC) attacks:

1. Provide regular cybersecurity awareness training to employees
Employees are the first line of defense against BEC attacks. They should be trained on how to spot phishing emails, how to verify the authenticity of links and attachments, and how to report suspicious activity.

2. Use multi-factor authentication (MFA) for all accounts
MFA adds an extra layer of protection to accounts and can prevent attackers from gaining access even if they have stolen a user’s login credentials.

3. Disable legacy authentication protocol when appropriate
Legacy authentication protocols, such as POP3, IMAP, and SMTP, are susceptible to security vulnerabilities since they lack the capability to enforce second-factor authentication for MFA. However, in some cases, an organization may require the use of older email clients for business reasons, which may necessitate the use of legacy protocols. In such cases, it is important to limit access to these protocols to only the necessary users and to implement additional security measures, such as regularly changing passwords, to mitigate the risks associated with using these protocols.

4. Ensure the UAL is enabled
It is crucial for an administrator to enable the Unified Audit Log (UAL) in the Security and Compliance Center. The UAL serves as a centralized repository for all Office 365 events, making it an essential source of evidence. It should be on by default, but please double check using the Get-AdminAuditLogConfig |Format-List UnifiedAuditLog* command.

5. Block mail forwarding to external domains
Blocking forwarding rules is an effective way to prevent unauthorized access to sensitive information by external parties or internal users. This can help minimize the risk of data leakage and protect against monitoring activities by malicious actors, thereby reducing the potential for further loss of valuable intelligence.

If you found this blog useful, consider sharing or commenting for broader visibility.

📧 Questions or suggestions contact us at info@invictus-ir.com

Indicators of Compromise

  • 31.171.154[.]52
  • 31.171.154[.]56
  • 217.21.78[.]103
  • 216.24.219[.]87
  • 216.24.219[.]74
  • 173.255.171[.]99
  • 173.255.171[.]98
  • 156.146.36[.]75
  • 146.70.185[.]159
  • 146.70.185[.]137
  • 146.70.119[.]126
  • 102.88.63[.]89
  • 102.88.63[.]65
  • 102.88.63[.]242
  • 102.88.63[.]234
  • 102.88.63[.]165
  • 102.88.62[.]71
  • 102.88.62[.]148
  • 102.88.35[.]79
  • 102.88.35[.]62
  • 102.88.35[.]58
  • 102.88.35[.]229
  • 102.88.34[.]74
  • 102.88.34[.]250
  • 102.88.34[.]248
  • 102.88.34[.]236
  • 102.88.34[.]21
  • 102.88.34[.]146
  • 102.88.34[.]133
  • 102.88.34[.]109
  • 102.88.34[.]108
  • 194.163.164[.]133
  • 192.236.192[.]205
  • 105.112.177[.]103
  • 83.137.157[.]180
  • 27.109.115[.]145