Microsoft disrupted large-scale BEC activities worldwide


Attackers used cloud-based infrastructure to find target mailboxes and add forwarding rules that exposed emails about financial transactions.

Microsoft has disclosed how it disrupted a large-scale business email compromise (BEC) operation whose infrastructure was hosted across multiple web services, a strategy that helped the attackers fly under the radar.

The recent wave of high-profile ransomware attacks may be top of mind for business leaders, but BEC remains a prolific and costly problem for enterprises. The FBI’s Internet Crime Complaint Center (IC3) reported 19,369 BEC complaints in 2020, with losses of approximately US$1.8 billion; total reported losses from cybercrime that year exceeded US$4.1 billion.

Researchers from the Microsoft 365 Defender research team wrote in a blog post about the disruption that part of what makes BEC campaigns successful is their stealth. These attacks have a small footprint, generate few signals, rarely trigger alerts, and are often lost in the normal noise of corporate network traffic.

“The attackers performed discrete activities for different IPs and time ranges, making it more difficult for researchers to associate seemingly different activities into a single operation,” they said of the challenges of analyzing this particular operation.

The researchers traced the activity to a phishing attack in which the criminals steal user credentials, log in to the target mailbox, and create forwarding rules that give them access to emails about financial transactions. Before the forwarding rules appeared, the target mailbox had received a phishing email using a voicemail lure with an HTML attachment. The researchers noted that these emails came from the address space of an external cloud provider.

The HTML attachment contains JavaScript that decodes a fake login page styled to look like the Microsoft sign-in page, with the victim’s full username already filled in. A victim who enters their password sees a brief animation before a “File not found” message appears. By then, the credentials have already been sent to the attacker through a redirector, which is also hosted by an external cloud provider.

Over the course of the investigation, the researchers found hundreds of compromised mailboxes across multiple companies. The forwarding rules were all configured to send any email containing “invoice,” “payment,” or “statement” to one of two attacker-controlled accounts. The attacker also added a rule to delete the forwarded emails from the victim’s mailbox.
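The forward-and-delete rule pattern described above is something defenders can hunt for directly. The following is an added example, not code from Microsoft’s write-up: it assumes inbox rules have been exported from Exchange Online into JSON with field names matching the `Get-InboxRule` properties (`ForwardTo`, `RedirectTo`, `SubjectOrBodyContainsWords`, `DeleteMessage`, and so on), and the sample export, the internal domain `contoso.com`, and the collector address are all constructed for illustration. It flags rules that forward to an external address and scores them higher when they also key on finance words or delete the message.

```python
"""Hunt for BEC-style forwarding rules in an exported list of inbox rules.

Added example (not Microsoft's code). Assumes the export was produced from
Exchange Online, e.g. Get-InboxRule piped through ConvertTo-Json, so that
each rule is a dict using Get-InboxRule property names. Sample data below
is constructed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Keywords the campaign used to select emails about financial transactions.
FINANCE_KEYWORDS = {"invoice", "payment", "statement"}

# Domains treated as internal; any other forward target is external (assumption).
INTERNAL_DOMAINS = {"contoso.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per suspicious trait; 4 is the full forward-and-delete pattern.
        return len(self.reasons)


def _recipients(value) -> list:
    """Normalise a ForwardTo/RedirectTo value (None, str, or list) to addresses.

    Get-InboxRule renders recipients like '"x" [SMTP:user@example.net]', so we
    pull the address out with a regex and fall back to the raw string.
    """
    if not value:
        return []
    if isinstance(value, str):
        value = [value]
    out = []
    for v in value:
        m = EMAIL_RE.search(v)
        out.append(m.group(0).lower() if m else v.lower())
    return out


def _is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def analyze_rule(mailbox: str, rule: dict) -> Optional[Finding]:
    """Return a Finding if the rule forwards externally; None otherwise."""
    targets = (_recipients(rule.get("ForwardTo"))
               + _recipients(rule.get("ForwardAsAttachmentTo"))
               + _recipients(rule.get("RedirectTo")))
    external = [t for t in targets if _is_external(t)]
    if not external:
        # Keyword filters or deletes without an external forward are ordinary hygiene.
        return None
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    triggers = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
                + (rule.get("BodyContainsWords") or [])
                + (rule.get("SubjectOrBodyContainsWords") or [])]
    hits = sorted({w for w in triggers if any(k in w for k in FINANCE_KEYWORDS)})
    if hits:
        reasons.append(f"triggers on finance keywords: {', '.join(hits)}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes the message after forwarding")
    if rule.get("MarkAsRead"):
        reasons.append("marks the message as read")
    return Finding(mailbox, rule.get("Name") or "<unnamed>", reasons)


def hunt(rules_json: str) -> list:
    """Parse the export and return findings, most suspicious first."""
    rules = json.loads(rules_json)
    findings = [f for r in rules if (f := analyze_rule(r["MailboxOwnerId"], r))]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export: one rule matching the campaign pattern, one benign
# forward to a colleague, one benign "file newsletters" rule.
SAMPLE_RULES = json.dumps([
    {"MailboxOwnerId": "alice@contoso.com", "Name": ".",
     "SubjectOrBodyContainsWords": ["invoice", "payment", "statement"],
     "ForwardTo": ["\"x\" [SMTP:collector1@example.net]"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "bob@contoso.com", "Name": "Cover while away",
     "ForwardTo": ["carol@contoso.com"], "DeleteMessage": False},
    {"MailboxOwnerId": "dave@contoso.com", "Name": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_RULES):
        print(f"{f.mailbox} rule {f.rule!r} (score {f.score}):")
        for reason in f.reasons:
            print("  -", reason)
```

Run against a real export, the score lets you triage: a bare external forward may be a legitimate delegation, whereas an external forward that also filters on finance words and deletes the message is the exact pattern this campaign used and deserves immediate review of the mailbox and its sign-in history.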

BEC criminals set their sights on the cloud
Microsoft’s analysis showed that the campaign ran on a “robust” cloud-based infrastructure used to automate the attackers’ operations, including finding high-value targets, adding forwarding rules, monitoring the targeted inboxes, and processing the emails they harvested.

In this case, the attackers deliberately made it hard for defenders to recognize their activity as part of a single campaign, for example by running different activities from different IPs and in different time ranges. However, the researchers noted that the attack was carried out from a specific IP address range.

The researchers wrote: “We observed the above activity from the IP address range belonging to the external cloud provider, and then saw fraudulent subscriptions sharing a common pattern with other cloud providers, allowing us to have a more comprehensive understanding of the attacker’s infrastructure.”

They explained that the attackers split their work across virtual machines, with each VM performing only one specific operation, which is why the activity came from different IP sources. The attackers also set up DNS records resembling existing company domains, so their emails blended in and could be used for targeted phishing campaigns.

The researchers pointed out that the study shows how BEC attackers can use high-reputation IP ranges to blend in with legitimate traffic and spread their attack steps across different times and places, reflecting the time and effort they invest in evading detection.

Once they understood how the attackers had used cloud service providers in this campaign, Microsoft’s Digital Crimes Unit (DCU) worked with the Microsoft Threat Intelligence Center (MSTIC) to report the findings to the cloud providers’ security teams, so that the malicious accounts could be suspended and the infrastructure taken down.

Kelly Sheridan is a full-time editor at Dark Reading. She focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported on Microsoft for InformationWeek, where she reported on finance…
