- An attacker steals executives' credentials by impersonating DocuSign
- Using the stolen credentials, an attacker goes through the corporate emails and files, looking for any correspondence about upcoming transactions
- An attacker sets up a fake company bank account
- An attacker sends an email thread asking to change the recipient's bank account due to technical issues
A sophisticated business email compromise (BEC) campaign targets CEOs and CFOs to drain millions from corporate accounts.
It all starts with a phishing email crafted specifically for an individual executive in the organization. If they swallow the hook, criminal masterminds conduct reconnaissance of the victim’s environment and carefully craft an attachment to redirect corporate transactions.
Israeli cybersecurity startup Mitiga says this is a widespread campaign targeting large transactions of up to several million dollars each.
“The attackers combine high-end spear-phishing with an adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA) and a Microsoft 365 design flaw that allows them to create access persistency with MFA,” the company said.
In one case, a third party responsible for conducting the transaction received a fraudulent email saying that the company’s account was frozen due to an ongoing quarterly financial audit and adding that it would temporarily use another account.
The thread was regarding an ongoing transaction and contained all the recent messages with a “Reply All” option, making it seem legitimate. The fake email did not only contain the entire original thread but also included all the original recipients.
Or it only seemed so, as cybercriminals, in fact, created similar fake domains and users on those domains in a way that would be barely visible to avoid raising suspicion. For example, scammers impersonated Foobar (the company receiving the funds in the transaction) by creating a fake domain, F00bar.
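A defender-side check for the look-alike-domain trick described above (Foobar versus F00bar), added here as an illustration and not code from Mitiga or the article; the confusable-character table, the trusted-domain list and the thread addresses are constructed assumptions:

```python
from __future__ import annotations
from collections import namedtuple

# Characters criminals swap in for their visual twins (assumed list, extend as needed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
Finding = namedtuple("Finding", "address domain mimics")

def normalize(domain: str) -> str:
    """Fold look-alike characters so 'F00bar' and 'rnicrosoft' compare as foobar/microsoft."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined so the check has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mimics(domain: str, trusted: set[str]) -> str | None:
    """Return the trusted domain this one impersonates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= 1:
            return t
    return None

def audit_thread(addresses: list[str], trusted: set[str]) -> list[Finding]:
    """Check every From/To/Cc address of a thread against the domains the deal really involves."""
    findings = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        hit = mimics(domain, trusted)
        if hit:
            findings.append(Finding(addr, domain, hit))
    return findings

# Constructed thread: the genuine parties plus two spoofed domains slipped into a "Reply All" forgery.
TRUSTED = {"foobar.com", "acme-corp.com"}
THREAD = ["cfo@acme-corp.com", "treasury@foobar.com", "treasury@f00bar.com",
          "ap@acme-c0rp.com", "escrow@bigbank-example.com"]

if __name__ == "__main__":
    for f in audit_thread(THREAD, TRUSTED):
        print(f"{f.address}: domain {f.domain} looks like {f.mimics}")
```

Running the check over every address in an incoming thread, rather than only the visible sender, is what catches the forged recipients that make a "Reply All" look legitimate.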
Mitiga’s investigation concluded that criminals had compromised one of the executives on the email thread regarding the transaction account. In this case, the user’s password was reset, and all sessions were revoked. Had the threat actors been successful, however, the involved parties could have suffered millions in losses. The attackers had created an account in Singapore, hoping to redirect the legitimate transactions and steal the funds.
How does an executive’s account get compromised in the first place?
The victim (a high-ranking executive in this case) receives an email impersonating the e-signature service DocuSign. This scam, targeting the C-suite via Office 365, has been around for quite some time. Fooled by a request to sign a document, the victim is taken to the threat actor’s site, which simulates a redirect to the M365 single sign-on login page.
“The victim types in their username and password, which are proxied directly to M365 on the session between the threat actor and Microsoft. The authenticator app on the victim’s phone requires second-factor verification of the newly created session. A valid session is created for the attacker as the victim approves the login. The victim is then redirected to a benign-looking error message,” Mitiga detailed.
The attacker then uses the newly created session to roam the Office 365 environment, reading emails and investigating files, scouting for correspondence related to upcoming transactions in order to steal corporate funds.
“Attacker uses a design flaw in M365 MFA to create a new Authenticator app for the compromised user. This circumvents various potential security controls, including identity protection and session expiration, by completely eliminating the protection provided by MFA going forward for this account! It also allows the attacker to transfer the credentials,” Mitiga said.