Microsoft’s security intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move quickly, with some steps taking just minutes.
The entire process, from the first login to the compromised account, through registering look-alike domains, to hijacking an email thread, took the attackers just a couple of hours.
This rapid progression leaves targets minimal opportunity to spot signs of fraud and act before the money moves.
A multi-billion dollar problem
BEC attacks are a type of cyberattack in which the attacker gains access to a target organization’s email account through phishing, social engineering, or purchasing account credentials on the dark web.
The attacker then poses as a trusted person, such as a senior executive or vendor, to trick an employee working in the finance department into approving a fraudulent wire transfer request.
According to FBI data, BEC attacks generated more than $43 billion in losses between June 2016 and December 2021, and that figure covers only cases reported to the law enforcement agency.
In a Twitter thread, Microsoft analysts explain that a recently investigated BEC attack began when the threat actor performed an adversary-in-the-middle (AiTM) phishing attack to steal the target’s session cookie, bypassing MFA protection.
The attacker logged into the victim’s account on January 5, 2023 and spent two hours searching the mailbox for good email threads to hijack.
Thread hijacking is a highly effective technique that makes the fraudulent message appear to be a continuation of an existing communication exchange, making it much more likely that recipients will trust it.
After that, the attacker registered deceptive domains using homoglyph characters to make them appear almost identical to the domains of the target organization and the impersonated partner.
Five minutes later, the attacker created an inbox rule to divert emails from the partner organization to a specific folder, hiding any replies from the compromised user.
Within the next minute, the attacker sent the malicious email to the business partner requesting a change to bank transfer instructions and immediately deleted the sent message to reduce the likelihood of the compromised user discovering the breach.
From the first login to the deletion of the sent email, a total of 127 minutes had passed, reflecting how quickly the attacker moved.
Microsoft 365 Defender generated a BEC financial fraud alert 20 minutes after the threat actor deleted the sent email and automatically disrupted the attack by disabling the user’s account.
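The sequence above (login, inbox rule hiding partner mail, outbound message, hard delete from Sent Items) and the homoglyph domains are both things a SOC can check for itself. The following is an added example, not code from Microsoft or from the investigation: a standalone Python script with a homoglyph "skeleton" check against a list of trusted domains and a simple correlator over simplified audit records. The record shape (flat `UserId`/`Operation`/`CreationTime` dicts), the confusables table, the folder names and the sample events are all assumptions constructed for the example; real Microsoft 365 unified audit log records carry more fields and nest their parameters differently.

```python
"""Added example: homoglyph domain check plus BEC sequence correlation over
constructed, simplified Microsoft 365-style audit records (assumed shape)."""
import unicodedata
from datetime import datetime, timedelta
from typing import Optional

# Small confusable map (an assumption, not the full Unicode confusables table):
# Cyrillic/Latin look-alikes plus common ASCII substitutions.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u0261": "g", "\u0131": "i",
    "rn": "m", "vv": "w", "0": "o", "1": "l",
}


def skeleton(domain: str) -> str:
    """Collapse a domain to an ASCII 'skeleton' so homoglyph variants compare equal."""
    d = domain.lower()
    if "xn--" in d:  # punycode form, as it appears in DNS and most logs
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", d)
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def lookalike_domain(candidate: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `candidate` imitates, or None if it is not a look-alike."""
    if candidate.lower() in trusted:
        return None
    sk = skeleton(candidate)
    for t in trusted:
        if sk == skeleton(t):
            return t
    return None


def detect_bec_sequence(records, partner_domains, max_minutes=180):
    """Flag users whose trail shows login -> inbox rule that hides partner mail
    -> outbound Send -> HardDelete from Sent Items, all inside max_minutes."""
    by_user = {}
    for r in records:
        by_user.setdefault(r["UserId"], []).append(r)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["CreationTime"])
        login = rule = sent = deleted = None
        for r in evs:
            op, ts = r["Operation"], datetime.fromisoformat(r["CreationTime"])
            if op == "UserLoggedIn" and login is None:
                login = ts
            elif op == "New-InboxRule" and login is not None:
                p = r.get("Parameters", {})
                hides = any(d in p.get("FromAddressContainsWords", "") for d in partner_domains)
                if hides and (p.get("MoveToFolder") or p.get("DeleteMessage")):
                    rule = ts
            elif op == "Send" and rule is not None:
                sent = ts
            elif op == "HardDelete" and sent is not None and r.get("Folder") == "\\Sent Items":
                deleted = ts
        if deleted is not None and deleted - login <= timedelta(minutes=max_minutes):
            alerts.append({"user": user,
                           "elapsed_minutes": int((deleted - login).total_seconds() // 60)})
    return alerts


# Constructed sample events (not real telemetry): one compromised user whose
# timeline mirrors the 127-minute sequence, and one benign user with a normal rule.
SAMPLE_RECORDS = [
    {"UserId": "cfo@contoso.com", "Operation": "UserLoggedIn", "CreationTime": "2023-01-05T09:00:00"},
    {"UserId": "cfo@contoso.com", "Operation": "New-InboxRule", "CreationTime": "2023-01-05T11:01:00",
     "Parameters": {"FromAddressContainsWords": "fabrikam.com", "MoveToFolder": "RSS Subscriptions"}},
    {"UserId": "cfo@contoso.com", "Operation": "Send", "CreationTime": "2023-01-05T11:02:00"},
    {"UserId": "cfo@contoso.com", "Operation": "HardDelete", "CreationTime": "2023-01-05T11:07:00",
     "Folder": "\\Sent Items"},
    {"UserId": "ap@contoso.com", "Operation": "UserLoggedIn", "CreationTime": "2023-01-05T09:30:00"},
    {"UserId": "ap@contoso.com", "Operation": "New-InboxRule", "CreationTime": "2023-01-05T09:35:00",
     "Parameters": {"FromAddressContainsWords": "newsletter", "MoveToFolder": "Newsletters"}},
    {"UserId": "ap@contoso.com", "Operation": "Send", "CreationTime": "2023-01-05T09:40:00"},
]

if __name__ == "__main__":
    print(lookalike_domain("c\u043entoso.com", {"contoso.com"}))  # Cyrillic 'о'
    print(detect_bec_sequence(SAMPLE_RECORDS, {"fabrikam.com"}))
```

The skeleton comparison is deliberately one-directional: a registered domain that merely resembles a partner is only interesting when mail actually arrives from it or an inbox rule references it, so in practice you would feed `lookalike_domain` the sender domains from inbound mail and the `ForwardTo`/`FromAddressContainsWords` values from new inbox rules. The correlator only keys on the order of operations within one user's trail; a production rule would also consider the IP and session that created the inbox rule versus the one that sent the message.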
“In our testing and evaluation of BEC detections and actions in customer environments facing real-world attack scenarios, dozens of organizations were better protected when accounts were automatically disabled by Microsoft 365 Defender,” Microsoft says.
“The new automatic shutdown capabilities leave the SOC team in full control to investigate all actions taken by Microsoft 365 Defender and, when necessary, repair the remaining affected assets.”
Microsoft says its security product has disrupted 38 BEC attacks targeting 27 organizations using high-confidence extended detection and response (XDR) signals across endpoints, identities, email, and SaaS applications.