Microsoft researchers have disrupted a major phishing and business email compromise campaign that used infrastructure hosted on several different cloud providers and attacker-installed forwarding rules in compromised inboxes to systematically steal information from organizations.
The campaign affected an unknown number of target companies, but Microsoft said that during investigations by its 365 Defender team, researchers saw hundreds of compromised inboxes. The attackers behind the operation began with a simple phishing campaign that used messages with file attachments purporting to be voice mail recordings. If a victim opens the attachment, embedded JavaScript runs and displays a fake Microsoft login prompt with the victim's username already filled in. When the victim enters the password, the JavaScript sends the credentials to the attacker through a redirect and eventually displays an error message.
“Having already gained access to mailboxes via the credential phishing attack, attackers gained a persistent data exfiltration channel via email forwarding rules. During the course of our investigation of this campaign, we saw hundreds of compromised mailboxes in multiple organizations with forwarding rules,” Stefan Sellmer and Nick Carr of Microsoft said in a post on the campaign.
“These forwarding rules allowed attackers to redirect financial-themed emails to the attacker-controlled email addresses ex@exdigy.net and in@jetclubs.biz. The attackers also added rules to delete the forwarded emails from the mailbox to stay stealthy.”
The rules looked for messages with keywords such as invoice, payment, or statement, ensuring that they would gather sensitive financial data. This is a more persistent twist on the typical BEC scam, which usually employs highly targeted emails that aim to trick the recipient into sending a large amount of money to the attacker through a fake invoice or urgent business deal. Those messages often use time as the catalyzing factor, but in the campaign that Microsoft uncovered, the attackers went a step further and stole the victims’ usernames and passwords and set up rules to maintain persistent access to those inboxes.
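The combination the report describes (a forwarding rule that targets an external address, filters on financial keywords, and deletes the forwarded copy) is what a defender would hunt for in an export of inbox rules. The following is an added example, not code from Microsoft or the report: it scores rules from a constructed JSON export whose property names follow those of Exchange Online's Get-InboxRule output, assumes recipients are plain SMTP addresses, and assumes `example.org` as the organization's own domain.

```python
import json

# Keywords the campaign's rules matched on, as stated in the report.
FINANCIAL_KEYWORDS = {"invoice", "payment", "statement"}

# Constructed sample export (not real data). Property names follow
# Get-InboxRule; addresses are assumed to be plain SMTP strings.
SAMPLE_RULES_JSON = """
[
 {"MailboxOwnerId": "alice@example.org", "Name": "Finance fwd",
  "SubjectOrBodyContainsWords": ["invoice", "payment", "statement"],
  "ForwardTo": ["ex@exdigy.net"], "DeleteMessage": true},
 {"MailboxOwnerId": "bob@example.org", "Name": "Archive",
  "SubjectContainsWords": ["newsletter"], "DeleteMessage": false},
 {"MailboxOwnerId": "carol@example.org", "Name": "Copy to assistant",
  "ForwardTo": ["dan@example.org"], "DeleteMessage": false}
]
"""

def is_external(address: str, internal_domain: str) -> bool:
    """True when the recipient's domain is not the organization's own."""
    return address.rsplit("@", 1)[-1].lower() != internal_domain.lower()

def assess_rule(rule: dict, internal_domain: str) -> list[str]:
    """Return the indicators a rule exhibits; an empty list means benign."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = sorted(a for a in targets if is_external(a, internal_domain))
    if external:
        findings.append("forwards externally to " + ", ".join(external))
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words.update(w.lower() for w in rule.get(key, []))
    matched = sorted(words & FINANCIAL_KEYWORDS)
    if matched:
        findings.append("filters on financial keywords " + ", ".join(matched))
    if rule.get("DeleteMessage"):
        findings.append("deletes the message after processing")
    return findings

def find_suspicious_rules(rules_json: str, internal_domain: str) -> dict:
    """Map 'mailbox/rule name' to findings for rules that forward externally."""
    report = {}
    for rule in json.loads(rules_json):
        findings = assess_rule(rule, internal_domain)
        # External forwarding is the pivot; keywords and deletion raise severity.
        if any(f.startswith("forwards externally") for f in findings):
            report[f"{rule['MailboxOwnerId']}/{rule['Name']}"] = findings
    return report

if __name__ == "__main__":
    for key, found in find_suspicious_rules(SAMPLE_RULES_JSON, "example.org").items():
        print(key, "->", "; ".join(found))
```

Internal-only forwards (carol's rule) and keyword rules without a forward (bob's) are left out of the report, so only the pattern the campaign used is surfaced.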
The second unique aspect of this campaign is its reliance on infrastructure hosted on a number of separate cloud platforms. More and more attack groups are using cloud platforms for their operations, as they offer cheap, disposable infrastructure. Spreading the infrastructure across several cloud platforms has the additional advantage of making life more difficult for defenders trying to track the attackers' activities.
“The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” Sellmer and Carr said.
Microsoft researchers were able to correlate the activities of the attackers from across the disparate cloud platforms and disrupt the campaign.