Emerging Business Email Compromise (Phishing Scam)
United States Law Enforcement Authorities have identified a Business Email Compromise (BEC) campaign focused on healthcare, professional services, higher education, and real estate closing companies. BEC attacks have evolved over the last couple of years from sending phishing emails to millions of targets to sending spear phishing emails to a few hundred. The spear phishing targets individuals who are involved with a company’s financial decisions, with the intention of compromising that corporate officer’s email account. The attackers are focusing specifically on Office 365 because many of the security features that product offers are turned off by default.
The spear-phishing email will appear to be an email link to an encrypted document. Once the user clicks on that link, it will ask for their user credentials for Office 365 which is a cloud-based software service. Once the user enters their credentials, the attacker captures their user/password and will then have access to their Outlook email account without installing malware or remote software on their computer. Here is an example of the fake login request:
Once the account is compromised, the attacker views the inbox and sent messages, which may include invoice forms, to gather intelligence about the flow of money during legitimate business transactions.
The attacker will then change the mail rules associated with the victim’s email account. Here are examples of some mail rules that are being changed:
• Inbound/Outbound Email Forwarded:
• The attacker will have emails forwarded to their own email account to gain real-time intelligence on the compromised user, customers, other employees, vendors, etc.
• Alternatively, attackers are forwarding emails with key subject lines that they are interested in.
• Once sufficient intelligence is gathered, there are a few attack methodologies USSS has observed. For example:
1. The attacker logs into the compromised account and sends spear phishing emails to other victims to compromise or have them forward the money to the attacker’s bank account
2. The attacker creates an email account that appears to be from the compromised user (example: JohnDoeUSFinancial@gmail.com) and sends the BEC email having money transferred to another account
• Move Emails:
Similar to email forwarding, attackers will move emails to the Notes, Junk Email, or RSS Subscriptions folders.
• Change Privileges:
If the attacker compromises an admin account, they will elevate the privileges of a compromised user so they can read emails from an admin account.
• Delete Emails:
Attackers have also been known to create a rule to delete inbound emails from certain email accounts (other possible phishing victims, banks, etc.), so the user is not alerted that his/her email account has been compromised.
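The four rule patterns above (forward/redirect, move to a rarely opened folder, delete) can be surveyed across a whole tenant. This is an added example, not part of the advisory; it assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run by an account holding at least the View-Only Recipients role, and the folder list is taken from the advisory.

```powershell
# Added example (not from the advisory): flag inbox rules and mailbox forwarding that
# match the BEC patterns described above. Assumes Connect-ExchangeOnline has been run.
$hidingFolders = @('Notes', 'Junk Email', 'RSS Subscriptions')   # folders named in the advisory

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        # Leakage: any forward or redirect action, whether the target is internal or external
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards/redirects mail'
        }
        # Hiding: MoveToFolder is rendered as "user:\Folder", so match on the folder name
        if ($rule.MoveToFolder -and ($hidingFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves mail to '$($rule.MoveToFolder)'"
        }
        # Suppression: silently deleting mail so the owner never sees a bank's or victim's reply
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                RuleName  = $rule.Name
                Enabled   = $rule.Enabled
                Why       = ($reasons -join '; ')
                Targets   = (@($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)) -join ', '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation   # placeholder path

# Mailbox-level forwarding (the "Email Forwarding" setting in the admin center) is a
# separate mechanism from inbox rules and is checked on the mailbox object itself
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

A legitimate rule can match too (a user forwarding to a shared mailbox, for instance), so the CSV is a review list, not a verdict.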
Below are tips to follow once a company suspects or confirms that it has been a victim of a BEC:
1. Block the User/Attacker from Signing-in:
• Open the “Office 365 Admin Center” -> “Users”
• Select the employee that you want to block, and then choose “Edit” next to “Sign-in Status” in the user pane
• On the “Sign-in status” pane, choose “Sign-in blocked” and then “Save”
• In the “Office 365 Admin Center”, in the lower-left navigation pane, expand “Admin Centers” and select “Exchange”
• In the “Exchange Admin Center”, navigate to “Recipients” -> “Mailboxes”
• Select the user, and on the user properties page, under “Mobile Devices”, click “Disable Exchange ActiveSync” and “Disable OWA for Devices”, answering “Yes” to both
• Under “Email Connectivity”, “Disable” and answer “Yes”.
2. Remove the Compromised Account From All Admin Groups:
• Sign in to the “Office 365 Admin Center” with a global administrator account and open “Active Users”
• Find the suspected compromised account and manually check to see if there are any administrative roles assigned to the account
• Open the “Security & Compliance Center”
• Click “Permissions”
• Manually review the role groups to see if the suspected compromised account is a member of any of them. If it is:
a. Click the role group and click “Edit Role Group”
b. Click “Choose Members” and “Edit” to remove the user from the role group
• Open the “Exchange Admin Center”
• Click “Permissions”
• Manually review the role groups to see if the suspected compromised account is a member of any of them. If it is:
a. Click the role group and click “Edit”
b. Use the “Members” section to remove the user from the role group
3. Reset Password:
• Have the admin reset the password for the compromised user account
• Make sure the admin does not email the new password to the user account
• At this point, Multi-Factor Authentication is highly recommended
4. Remove Email Rules:
• Open the “Office 365 Admin Center” -> “Active Users”
• Review the compromised email account and expand “Mail Settings”
• Look for “Email Forwarding”, click “Edit” and remove any suspicious forwarding addresses
5. Review Email Inbox Rules:
• Log into the compromised account, click settings (the gear icon at the top) and then click “Mail”
• Click “Inbox and Sweep Rules” and review the rules
• Delete any suspicious rules
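The containment steps above, run from PowerShell against a single account, as an added example that is not part of the advisory. It assumes a global administrator has run Connect-MgGraph (scopes User.ReadWrite.All and RoleManagement.ReadWrite.Directory) and Connect-ExchangeOnline; the sign-in name and evidence path are placeholders.

```powershell
# Added example (not from the advisory): scripted containment of one compromised account.
function Invoke-BecContainment {
    param([Parameter(Mandatory)][string]$Upn, [string]$EvidenceDir = '.\bec-evidence')  # placeholders
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $user = Get-MgUser -UserId $Upn

    # 1. Block sign-in and disable ActiveSync/OWA. Revoking sessions goes beyond the portal
    #    steps: "Sign-in blocked" stops new logins, but the attacker's existing Outlook/OWA
    #    sessions keep working until their tokens are revoked.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Set-CASMailbox -Identity $Upn -ActiveSyncEnabled $false -OWAEnabled $false -OWAforDevicesEnabled $false

    # 2. Remove the account from directory admin roles and from Exchange role groups
    Get-MgUserMemberOf -UserId $user.Id |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $_.Id -DirectoryObjectId $user.Id }
    foreach ($rg in Get-RoleGroup) {
        if (Get-RoleGroupMember -Identity $rg.Name | Where-Object { $_.PrimarySmtpAddress -eq $Upn }) {
            Remove-RoleGroupMember -Identity $rg.Name -Member $Upn -Confirm:$false
        }
    }

    # 3. Reset the password to a random value and force a change at next sign-in. The
    #    temporary password is returned to the operator, never mailed to the compromised mailbox.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

    # 4. Clear mailbox-level forwarding (the "Email Forwarding" setting in the admin center)
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

    # 5. Preserve the inbox rules as evidence, then disable them all pending manual review
    #    (Disable- rather than Remove-, so a legitimate rule can be switched back on later)
    $rules = @(Get-InboxRule -Mailbox $Upn)
    $rules | Export-Clixml -Path (Join-Path $EvidenceDir "$Upn-inboxrules.xml")
    $rules | ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

    [pscustomobject]@{ User = $Upn; RulesDisabled = $rules.Count; TempPassword = $tempPassword }
}

Invoke-BecContainment -Upn 'compromised.user@example.com'   # placeholder account
```

Enable Multi-Factor Authentication for the account before re-enabling sign-in, as step 3 recommends.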
Once the compromised account is secured, the victim company should have the user of the compromised account perform a virus scan. Once the scan is complete, allow the user to log into their account.
Other Remediation Steps:
As of October 2018, a security update patch for Office 365 now enables logs by default, but it is worth mentioning to the victims to check their logs – both global and account-based. Make sure that Audit Logging is turned on.
The admin should disable automatic email forwarding. If the company is not able to disable email forwarding on all email accounts, then they should monitor the email forwarding rules by reviewing audit logs.
The admin should fine-tune the threat management policies in the Office 365 Security and Compliance Center. The Security and Compliance Center includes reports and dashboards that you can use to monitor users’ settings.
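The tenant-wide hardening and log review described in this section, as an added example that is not part of the advisory. It assumes Connect-ExchangeOnline has been run by an account with the Organization Management role; the seven-day search window is a chosen value.

```powershell
# Added example (not from the advisory): disable automatic forwarding tenant-wide,
# confirm audit logging, and hunt the audit log for rule and forwarding changes.

# Block automatic forwarding to external recipients. The outbound spam policy is the
# current control; the remote-domain setting is the older one and is set too for tenants
# that still rely on it.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Mailbox auditing is on by default since late 2018 (as the advisory notes), but a tenant
# may have turned it off; make sure it is enabled before relying on the logs below
if ((Get-OrganizationConfig).AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }

# Monitoring fallback for tenants that cannot disable forwarding everywhere: pull rule
# creation/modification and forwarding changes from the unified audit log.
# UpdateInboxRules is the operation logged when rules are changed from an Outlook client.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Set-RemoteDomain'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Set-Mailbox is noisy; keep only calls that touched a forwarding parameter
    if ($e.Operations -eq 'Set-Mailbox' -and -not ($d.Parameters.Name -match 'Forwarding')) { continue }
    [pscustomobject]@{
        When      = $e.CreationDate
        Actor     = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        Target    = $d.ObjectId
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}
$report | Sort-Object When | Format-Table -AutoSize
```

A rule created from an unfamiliar ClientIP, or a Set-Mailbox call that set ForwardingSmtpAddress on an executive's mailbox, is the kind of entry this list is meant to surface.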
Companies that receive BEC emails should preserve the emails, including their header information, to provide to investigators, even if the attack was unsuccessful.