Microsoft takes down large‑scale BEC operation

The fraudsters ran their campaigns from the cloud and used phishing and email forwarding rules to steal their targets’ financial information.



Microsoft has shut down a sprawling Business Email Compromise (BEC) operation that had its infrastructure hosted in several web services. Using these cloud-based assets, the threat actors infiltrated hundreds of mailboxes across multiple organizations and got their hands on sensitive financial data.


“Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions,” said Microsoft.


Partly thanks to their use of multiple web services, the threat actors were able to stay under the radar. To confound detection, they carried out their activities from different IP addresses and at different times, which made them hard to track, since their actions did not appear to be connected or part of a larger operation.

To gain a foothold in their targets’ systems, the attackers started with a phishing attack through which they stole login credentials and gained entry to the mailboxes, and then set up email forwarding rules. Microsoft highlighted that multi-factor authentication is a useful tool in preventing such attacks.
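A defender’s check for the forwarding-rule stage described above, added here as an example and not taken from the article or from Microsoft: it scores an export of Exchange Online inbox rules for the traits the report describes (forwarding to an external address, filters on financial correspondence) plus two common companions (deleting the original, a blank or punctuation-only rule name). The JSON sample is constructed; the `example.com` internal domain and the `SMTP:address` recipient format are assumptions.

```python
import json
import re
INTERNAL_DOMAINS = {"example.com"}  # constructed: domains the organization owns
FINANCIAL_TERMS = {"invoice", "payment", "wire", "remittance", "bank"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")

# Constructed sample shaped like `Get-InboxRule | ConvertTo-Json` output; the property names
# are Exchange Online inbox-rule properties, the "SMTP:addr" recipient format is an assumption.
SAMPLE_RULES_JSON = """[
 {"Name": "Newsletter cleanup", "Enabled": true, "ForwardTo": [], "RedirectTo": [],
  "DeleteMessage": false, "SubjectContainsWords": ["newsletter"]},
 {"Name": ".", "Enabled": true, "ForwardTo": ["SMTP:drop@attacker-mail.invalid"],
  "RedirectTo": [], "DeleteMessage": true, "SubjectContainsWords": ["invoice", "payment"]},
 {"Name": "To assistant", "Enabled": true, "ForwardTo": ["SMTP:assistant@example.com"],
  "RedirectTo": [], "DeleteMessage": false, "SubjectContainsWords": []}
]"""

def external_targets(rule):
    """Forward/redirect recipients whose domain is not one the organization owns."""
    found = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for recipient in rule.get(field) or []:
            m = ADDR_RE.search(recipient)
            if m and m.group(1).lower() not in INTERNAL_DOMAINS:
                found.append(m.group(0))
    return found

def score_rule(rule):
    """Return (score, reasons); each BEC-like trait adds one point."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards to external: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes the original, hiding the forward from the mailbox owner")
    if not rule.get("Name", "").strip(" .-_"):
        reasons.append("empty or punctuation-only rule name")
    hits = {w.lower() for w in rule.get("SubjectContainsWords") or []} & FINANCIAL_TERMS
    if hits:
        reasons.append("filters on financial keywords: " + ", ".join(sorted(hits)))
    return len(reasons), reasons

def suspicious_rules(rules_json, min_score=2):
    """Enabled rules scoring at least min_score, as [(name, score, reasons)]."""
    flagged = []
    for rule in json.loads(rules_json):
        score, reasons = score_rule(rule) if rule.get("Enabled") else (0, [])
        if score >= min_score:
            flagged.append((rule["Name"], score, reasons))
    return flagged
```

Running `suspicious_rules(SAMPLE_RULES_JSON)` flags only the rule named `.`, with all four reasons, while the legitimate internal forward to the assistant scores zero.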


The phishing email contained an HTML attachment masquerading as a voice message. Once the victim opened the attachment, it rendered a fake Microsoft sign-in page with the username already filled out, much as normal enterprise login pages behave.


However, once the target entered their password and attempted to sign in, the page would generate a “file not found” error message. Meanwhile, the login credentials would be sent to the attacke ..
