In the past six months, Coalfire has seen an increase in businesses receiving fraudulent emails, carrying fraudulent invoice attachments, from legitimate client accounts. In several cases, the recipient paid the invoices without realizing they were fraudulent. The losses have ranged from thousands to hundreds of thousands of dollars. When the business investigated, it found that the mailbox associated with the sender’s account did not contain the sent emails. Moreover, the authorized user claimed they never sent the email.
If this sounds familiar, you are certainly not alone; it has happened to many companies. Coalfire’s involvement in these engagements begins when the affected firm asks us to investigate the incident and determine what happened. Our investigation starts with a review of the O365 account, including all logs, as well as the user’s workstation, to determine whether it has been compromised. In the end, most investigations reveal the same pattern: the user’s O365 account was logged into remotely and the fraudulent email was sent from there. The email is then deleted to prevent the authorized user from seeing the fraudulent activity. Often, the logons to the O365 account originate from overseas IP addresses not normally associated with the user; in several recent cases, we have seen Nigerian IP addresses as the origin of the fraudulent email. Review of the O365 audit logs shows a successful logon on the first attempt, with no brute-force attempts before it. From the activity, it is apparent that the attacker already had the user’s credentials.
Although this article addresses O365, this attack method is not limited to O365; it can occur with other providers as well. O365 is the cloud-enabled version of what the vast majority of enterprises use as their primary email service, which is why we see it most frequently. O365 makes it simple for users to send corporate email from anywhere at any time, but it also makes it easier for an attacker to do the same.
You may ask yourself how this could occur. There are dozens of methods by which an attacker could obtain user credentials. The most common is a successful phishing attack. In several of our investigations, we have been able to trace the actions back to a click on a link in an email, which takes the user to what appears to be a logon page for O365 (or another business-related account) but is in fact a site created by the attacker to collect the user’s credentials without their knowledge. Once the user enters their username and password, they are forwarded to the legitimate O365 (or other) site and are none the wiser. The attacker now has what they need to log into the O365 account.
Another means by which an attacker can obtain user credentials is by attacking the user’s desktop or laptop and harvesting the credentials from the compromised system. This can occur without the user being aware of what is happening. Phishing emails need not contain a link; they can instead carry attachments with embedded exploits. As soon as that Microsoft Word document is opened, a macro can run and exploit a vulnerability in the system. This isn’t limited to Word or other Microsoft products; it can also occur with PDF documents and other disguised files. What appears to be a PDF may actually be (or contain) executable code.
Now it’s time to talk a little about defending against such attacks. One of the first priorities is to ensure systems are patched and protected behind firewalls and other security devices. The next step is to educate users on the threats and how to recognize them. They should be very cautious about opening attachments or clicking links unless they are sure of where they originate. Passwords should never be reused across multiple accounts or systems; users should always avoid using the same password at work as they do at home or for their Yahoo email account. Finally, ensure your user systems are protected by some form of endpoint protection that can help prevent execution of malicious code when all other security mechanisms fail.
As for protecting your O365 accounts, Microsoft has previously addressed this issue. Microsoft released the following article discussing security best practices for your O365 account: https://support.office.com/en-us/article/security-best-practices-for-office-365-9295e396-e53d-49b9-ae9b-0b5828cdedc3. Essentially, it is recommended that you require multi-factor authentication; audit and review the access logs; enable anti-spam and anti-malware protection within an endpoint security solution; and configure and use Data Loss Prevention (DLP), which allows you to identify sensitive data and create policies that help prevent the sharing of that data. Furthermore, you should review and remove mailbox delegates, and disable and remove all mail forwarding to external domains. These measures can help prevent an unauthorized user from accessing your O365 account and email.
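As an added illustration of the audit-log review described earlier and the forwarding and delegate checks recommended here (example code written for this page, not code from the original post, from Coalfire or from Microsoft), the following Python script triages an export of O365 audit records. It assumes a simplified record layout (Operation, UserId, ClientIP, CreationTime, ResultStatus and, for mailbox administration operations, Parameters) modelled loosely on the Unified Audit Log, a small prefix table standing in for a real GeoIP database, and constructed sample records. It flags successful logons from outside the organization’s home countries that had no failed attempts before them, mail sent and then deleted within the same session, and mailbox changes that add forwarding, redirection or delegate rights.

```python
"""Triage of exported Office 365 audit records for the account-takeover
pattern described in the post: an overseas logon that succeeds on the first
attempt, mail sent from that session and then deleted, and forwarding or
delegate changes on the mailbox.

Assumption: records are newline-delimited JSON with the fields Operation,
UserId, ClientIP, CreationTime, ResultStatus and (for admin operations)
Parameters. This is a simplified shape, not the exact export format.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup; real triage would use a GeoIP database.
GEO_PREFIXES = {"203.0.113.0/24": "NG", "198.51.100.0/24": "US"}
HOME_COUNTRIES = {"US"}              # where the user population normally logs on from
SESSION_WINDOW = timedelta(hours=2)  # activity this long after a logon is attributed to it

DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}
MAILBOX_CHANGE_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}
RISKY_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                "RedirectTo", "DeliverToMailboxAndForward", "AccessRights"}

# Constructed sample export: a night-time overseas session, then the
# legitimate user's own logon later the same day.
SAMPLE_LOG = """
{"CreationTime": "2019-03-04T02:10:00", "Operation": "UserLoggedIn", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45", "ResultStatus": "Success"}
{"CreationTime": "2019-03-04T02:12:30", "Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45", "ResultStatus": "Success", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "external-mailbox@example.net"}]}
{"CreationTime": "2019-03-04T02:15:00", "Operation": "Send", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-04T02:16:00", "Operation": "HardDelete", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.45", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-04T14:00:00", "Operation": "UserLoggedIn", "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7", "ResultStatus": "Success"}
{"CreationTime": "2019-03-04T14:05:00", "Operation": "Send", "UserId": "ap.clerk@example.com", "ClientIP": "198.51.100.7", "ResultStatus": "Succeeded"}
"""


def country_for(ip):
    """Map an address to a country code via the stand-in prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"  # unknown: treated as not-home so the logon is still reviewed


def parse_records(raw):
    """Parse newline-delimited JSON records and sort them by creation time."""
    records = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for rec in records:
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
    return sorted(records, key=lambda rec: rec["_ts"])


def find_suspicious_sessions(records):
    """Return one finding per successful logon from outside HOME_COUNTRIES."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["UserId"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        for i, logon in enumerate(recs):
            if logon["Operation"] != "UserLoggedIn" or logon["ResultStatus"] != "Success":
                continue
            country = country_for(logon["ClientIP"])
            if country in HOME_COUNTRIES:
                continue
            ip = logon["ClientIP"]
            # Failed logons from this IP shortly before the success would suggest
            # guessing; none at all means the credentials were already known.
            prior_failures = [r for r in recs[:i]
                              if r["ClientIP"] == ip and r["Operation"] == "UserLoggedIn"
                              and r["ResultStatus"] != "Success"
                              and logon["_ts"] - r["_ts"] <= SESSION_WINDOW]
            session = [r for r in recs[i + 1:]
                       if r["ClientIP"] == ip and r["_ts"] - logon["_ts"] <= SESSION_WINDOW]
            ops = [r["Operation"] for r in session]
            send_idx = next((k for k, op in enumerate(ops) if op == "Send"), None)
            deleted_after_send = send_idx is not None and any(
                op in DELETE_OPS for op in ops[send_idx + 1:])
            findings.append({
                "user": user, "ip": ip, "country": country,
                "logon_time": logon["CreationTime"],
                "first_attempt_success": not prior_failures,
                "sent_then_deleted": deleted_after_send,
                "session_operations": ops,
            })
    return findings


def find_mailbox_changes(records):
    """Forwarding, redirect or delegate changes, which the post says to review and remove."""
    hits = []
    for rec in records:
        if rec["Operation"] not in MAILBOX_CHANGE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        risky = {k: v for k, v in params.items() if k in RISKY_PARAMS}
        if risky:
            hits.append({"user": rec["UserId"], "operation": rec["Operation"],
                         "ip": rec["ClientIP"], "time": rec["CreationTime"],
                         "parameters": risky})
    return hits


def triage(raw):
    """Run both checks over one export and return a report dictionary."""
    records = parse_records(raw)
    return {"suspicious_sessions": find_suspicious_sessions(records),
            "mailbox_changes": find_mailbox_changes(records)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed sample the report contains one suspicious session (the 02:10 logon from the NG prefix, successful on the first attempt, with a Send followed by a HardDelete) and one mailbox change (the inbox rule forwarding to an external address); the afternoon logon from the home country is not reported. In practice the prefix table would be replaced by a GeoIP lookup and HOME_COUNTRIES by the organization’s real footprint, and the session window tuned to the tenant’s typical activity.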
We also recommend that your business adopt a policy, coordinated with all vendors, clients, and other business partners, that financial details will not be sent via email. Requests for payment and changes to banking information should not be sent in clear-text email. While this can be cumbersome, removing the threat from the electronic medium is very effective.
To file a complaint with law enforcement, visit the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx. This site was established by the FBI to facilitate the reporting of Internet crimes and to provide information on current trends and prevention tips.
Lastly, if you feel you have been victimized and an attacker has compromised one of your accounts, I recommend contacting a professional forensics firm to assist. Preserving the evidence is the first step, including all logs and the user’s system if available. Coalfire is ready to assist you in taking the right steps in the right order to avoid contaminating that evidence.