Microsoft 365 Defender researchers have reportedly disrupted the cloud-based infrastructure used by the scammers behind a recent business email compromise (BEC) campaign.
In this campaign, the attackers compromised targeted mailboxes through phishing and then used email forwarding rules to exfiltrate the messages that matched those rules, giving them access to correspondence about financial transactions.
According to Nick Carr, a security researcher at the Microsoft Threat Intelligence Center, “The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns.”
He also said, “The attackers performed discrete activities for different IPs and time frames, making it harder for researchers to correlate seemingly disparate activities as a single operation.”
Microsoft's researchers revealed the complete attack flow behind a recent BEC incident, from initial access to victims' mailboxes, through establishing persistence, to stealing data through email forwarding rules.
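The forwarding rules mentioned above are the part of this attack flow that defenders can hunt for directly: an inbox rule created by a compromised account that forwards or redirects mail outside the tenant, filters on finance-related words, and hides the forwarded copies from the owner. The following triage script is an added example, not code from the article or from Microsoft. It consumes records shaped like Exchange inbox-rule audit events (operation name plus a list of `Name`/`Value` parameters); the parameter names `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `SubjectContainsWords`, `BodyContainsWords`, `DeleteMessage` and `MarkAsRead` are the real `New-InboxRule` cmdlet parameters, while the simplified record layout, the tenant domain `contoso.example`, the keyword list and the sample events themselves are constructed assumptions for the demonstration.

```python
"""Triage inbox-rule audit events for BEC-style mail forwarding.

Added example (not from the article or Microsoft). Record shape is a
constructed simplification of Exchange audit events for New-InboxRule /
Set-InboxRule; the tenant domain and sample events are placeholders.
"""
import json

INTERNAL_DOMAINS = {"contoso.example"}          # assumed tenant domain (placeholder)
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
EVASION_PARAMS = ("DeleteMessage", "MarkAsRead")  # hide forwarded copies from the owner

# Constructed sample audit events; IPs are from documentation ranges.
CONSTRUCTED_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "To assistant"},
                    {"Name": "ForwardTo", "Value": "assistant@contoso.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "192.0.2.6",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@contoso.example",
     "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "RedirectTo", "Value": "ext@other.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]


def _params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _split_list(value):
    """Split a ';' or ',' separated parameter value into stripped items."""
    return [v.strip() for v in value.replace(",", ";").split(";") if v.strip()]


def _is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def score_rule_event(event):
    """Score one audit event: external forwarding (3), finance keywords (2),
    owner-evasion flags (1). Returns the score and human-readable findings."""
    result = {"user": event.get("UserId"), "client_ip": event.get("ClientIP"),
              "operation": event.get("Operation"), "score": 0, "findings": []}
    if result["operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return result
    params = _params(event)
    for name in FORWARD_PARAMS:
        external = [a for a in _split_list(params.get(name, "")) if _is_external(a)]
        if external:
            result["score"] += 3
            result["findings"].append(f"{name} to external: {', '.join(external)}")
    for name in KEYWORD_PARAMS:
        words = {w.lower() for w in _split_list(params.get(name, ""))}
        hits = sorted(words & FINANCE_KEYWORDS)
        if hits:
            result["score"] += 2
            result["findings"].append(f"{name} matches finance terms: {', '.join(hits)}")
    for name in EVASION_PARAMS:
        if params.get(name, "").lower() == "true":
            result["score"] += 1
            result["findings"].append(f"{name} set (hides forwarded mail from the owner)")
    return result


def triage(events, threshold=3):
    """Return events at or above the threshold, highest score first."""
    scored = [score_rule_event(e) for e in events]
    return sorted((r for r in scored if r["score"] >= threshold),
                  key=lambda r: -r["score"])


if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_EVENTS), indent=2))
```

On the constructed sample, the rule that forwards finance-keyword mail externally and deletes the originals scores 6, the external redirect with `MarkAsRead` scores 4, and the two benign rules (internal forward, archive-by-subject) score 0. The weights are illustrative; the point is that external destination, finance keywords and owner-evasion flags are each weak alone but together form the forwarding-rule pattern the article describes.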
The login credentials were stolen through phishing messages that redirected targeted users to landing pages resembling Microsoft sign-in pages and prompted them to enter their details.
Although enabling multi-factor authentication blocks the use of stolen credentials on compromised inboxes, the company found that the attackers used legacy protocols to exfiltrate emails and circumvent MFA on Exchange Online accounts where the targets had not disabled legacy authentication.
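The MFA bypass described above leaves a distinctive trace: successful sign-ins over legacy protocols (IMAP4, POP3, authenticated SMTP and similar) from addresses the organization does not own, often spread over several source networks and days so that each looks isolated. The script below is an added example, not code from the article or from Microsoft. It groups successful legacy-protocol sign-ins per user and reports the distinct source networks involved, so that activity split across IPs and time frames is correlated back to one account. The record layout (a `clientAppUsed` string and a `status.errorCode`), the set of protocol names treated as legacy, the corporate address ranges and the sample sign-ins are all constructed assumptions for the demonstration.

```python
"""Correlate successful legacy-protocol sign-ins per user.

Added example (not from the article or Microsoft). Sign-in records are a
constructed simplification of directory sign-in logs; the legacy-protocol
list, corporate ranges and sample events are assumptions/placeholders.
"""
import ipaddress
from collections import defaultdict

# Client types treated as legacy authentication for this example (assumed list).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients",
                      "Exchange ActiveSync", "Outlook Anywhere (RPC over HTTP)"}
# Assumed corporate egress ranges (placeholders from documentation space).
CORPORATE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample sign-ins; errorCode 0 means success.
CONSTRUCTED_SIGNINS = [
    {"createdDateTime": "2021-06-01T02:13:00Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-06-01T09:02:00Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-06-03T23:50:00Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.44", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-06-02T04:40:00Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "POP3", "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-06-02T08:15:00Z", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "192.0.2.6",
     "status": {"errorCode": 0}},
]


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def _network(ip):
    """Collapse an address to its /24 so nearby attacker IPs correlate."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def find_legacy_auth_signins(signins):
    """Return, per user, successful legacy-protocol sign-ins from outside the
    corporate ranges, with the distinct IPs, networks, protocols and the span
    of timestamps involved."""
    per_user = defaultdict(lambda: {"ips": set(), "networks": set(),
                                    "protocols": set(), "times": []})
    for rec in signins:
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if rec.get("status", {}).get("errorCode") != 0:
            continue                       # failed attempts are not a bypass
        if _is_corporate(rec["ipAddress"]):
            continue                       # expected legacy client on corp network
        bucket = per_user[rec["userPrincipalName"]]
        bucket["ips"].add(rec["ipAddress"])
        bucket["networks"].add(_network(rec["ipAddress"]))
        bucket["protocols"].add(rec["clientAppUsed"])
        bucket["times"].append(rec["createdDateTime"])
    return {
        user: {"ips": sorted(b["ips"]), "networks": sorted(b["networks"]),
               "protocols": sorted(b["protocols"]),
               "first_seen": min(b["times"]), "last_seen": max(b["times"]),
               "count": len(b["times"])}
        for user, b in per_user.items()
    }


if __name__ == "__main__":
    for user, info in find_legacy_auth_signins(CONSTRUCTED_SIGNINS).items():
        print(user, info)
```

On the constructed data only one account is reported: two successful IMAP4 sign-ins from two different external networks, days apart, which the per-user grouping ties together. The failed POP3 attempt and the ActiveSync sign-in from the corporate range are excluded, which keeps the output focused on the condition the article describes, legacy authentication succeeding where it should have been disabled.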
The attackers also used the cloud-based infrastructure that Microsoft disrupted to automate their operations at scale.
The company also found that the BEC activity originated from multiple IP address ranges belonging to several cloud providers.