Microsoft’s Security Intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move rapidly, with some steps taking mere minutes.
The whole process, from signing in using compromised credentials to registering typosquatting domains and hijacking an email thread, took the threat actors only a couple of hours.
This rapid attack progression ensures that the targets will have minimal opportunity to identify signs of fraud and take preventive measures.
A multi-billion problem
BEC attacks are a type of cyberattack where the attacker gains access to an email account of the target organization through phishing, social engineering, or buying account credentials on the dark web.
The attacker then impersonates a trusted individual, such as a senior executive or a supplier, to trick an employee working in the financial department into approving a fraudulent wire transfer request.
According to FBI data, from June 2016 until July 2019, BEC attacks resulted in losses amounting to over $43 billion, and this concerns only the cases reported to the law enforcement agency.
In a Twitter thread, Microsoft’s analysts explain that a recently investigated BEC attack began with the threat actor performing an “adversary-in-the-middle” (AiTM) phishing attack to steal the target’s session cookie, bypassing MFA protection.
The attacker logged in to the victim’s account on January 5, 2023, and spent two hours searching the mailbox for good email threads to hijack.
Thread hijacking is a very effective technique that makes the fraudulent message appear to be a continuation of an existing communication exchange, so the recipients are far more likely to trust it.
After that, the attacker registered deceptive domains using homoglyph characters to make them appear almost identical to the sites of the target organization and the impersonated partner.
Five minutes later, the attacker created an inbox rule to siphon emails from the partner organization to a specific folder.
In the next minute, the attacker sent the malicious email to the business partner asking for a wire transfer instruction change and immediately deleted the sent message to reduce the likelihood of the compromised user discovering the breach.
From the first sign-in to the deletion of the sent email, a total of 127 minutes had passed, reflecting a rush from the attacker’s side.
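The sequence described above (a new inbox rule, an outbound message, then deletion of the sent copy within minutes) can be hunted for in mailbox audit data. The following Python is an added example, not Microsoft's detection logic and not part of the original article; the event schema, users, items, timestamps and the 15-minute window are constructed assumptions, and only the operation names follow Microsoft 365 audit logging.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed schema. Times mirror the
# article's 127-minute timeline; users, items and folders are made up.
U = "alice@contoso.example"
EVENTS = [
    {"time": "2023-01-05T10:00:00", "user": U, "op": "UserLoggedIn"},
    {"time": "2023-01-05T12:05:00", "user": U, "op": "New-InboxRule",
     "from_domain": "partner.example", "move_to": "Archive2"},
    {"time": "2023-01-05T12:06:00", "user": U, "op": "Send", "item": "msg-1"},
    {"time": "2023-01-05T12:07:00", "user": U, "op": "SoftDelete", "item": "msg-1"},
    # Benign: rule and send, but the sent copy is kept.
    {"time": "2023-01-05T09:00:00", "user": "bob@contoso.example", "op": "New-InboxRule",
     "from_domain": "news.example", "move_to": "Newsletters"},
    {"time": "2023-01-05T09:02:00", "user": "bob@contoso.example", "op": "Send", "item": "msg-9"},
    # Benign: send then delete, but no preceding inbox rule.
    {"time": "2023-01-05T11:00:00", "user": "carol@contoso.example", "op": "Send", "item": "msg-5"},
    {"time": "2023-01-05T11:01:00", "user": "carol@contoso.example", "op": "HardDelete", "item": "msg-5"},
]

DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}

def find_bec_sequences(events, window=timedelta(minutes=15)):
    """Flag users who create a move-to-folder inbox rule, then send a message
    and delete that same sent message, all within `window` of the rule."""
    by_user = {}
    for e in events:
        parsed = {**e, "time": datetime.fromisoformat(e["time"])}
        by_user.setdefault(e["user"], []).append(parsed)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        rules = [e for e in evs if e["op"] == "New-InboxRule" and e.get("move_to")]
        sends = {e["item"]: e for e in evs if e["op"] == "Send"}
        for d in (e for e in evs if e["op"] in DELETE_OPS):
            s = sends.get(d.get("item"))
            if s is None or d["time"] < s["time"]:
                continue  # deleted item was not sent by this user beforehand
            for r in rules:
                if r["time"] <= s["time"] and d["time"] - r["time"] <= window:
                    alerts.append((user, r["time"].isoformat(), d["item"]))
                    break
    return alerts

if __name__ == "__main__":
    for alert in find_bec_sequences(EVENTS):
        print("possible BEC thread hijack:", alert)
```

Requiring all three steps for the same user and the same message keeps ordinary rule creation and ordinary sent-item cleanup from alerting on their own.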
Microsoft 365 Defender generated a warning about BEC financial fraud 20 minutes after the threat actor deleted the sent email and automatically disrupted the attack by disabling the user’s account.
[Figure: Progression of the attack blocked by MS 365 Defender (source: Microsoft)]
“In our testing and evaluation of BEC detections and actions in customer environments faced with real-world attack scenarios, dozens of organizations were better protected when accounts were automatically disabled by Microsoft 365 Defender,” claims Microsoft.
“The new automatic disruption capabilities leave the SOC team in full control to investigate all actions taken by Microsoft 365 Defender and where needed, heal any remaining, affected assets.”
Microsoft says its security product has disrupted 38 BEC attacks targeting 27 organizations using high-confidence eXtended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps.