Microsoft Disrupts Large-Scale, Cloud-Based BEC Campaign - silversurfer - 16 June 21
Quote:Threat hunters at Microsoft recently uncovered and disrupted infrastructure that powered a large-scale business email compromise (BEC) campaign. The infrastructure was hosted on multiple cloud platforms, which allowed it to stay under the radar for quite some time.
“The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” according to Microsoft 365 Defender researchers, writing in a Tuesday post.
In the campaign, adversaries compromised mailboxes not protected by multifactor authentication (MFA) via credential-phishing efforts, and then added forwarding rules that directed selected arriving messages to their own mailboxes. This enabled attackers to monitor for emails about financial transactions that they could then use to further their efforts to steal funds.
“Our analysis shows that shortly before the forwarding rules were created, the mailboxes received a phishing email with the typical voice message lure and an HTML attachment,” according to researchers. “The emails originated from an external cloud provider’s address space.”
The HTML attachment contained JavaScript that dynamically decoded an imitation of the Microsoft sign-in page, with the username already populated, according to the posting, that asked the user to enter their password. Once entered, in the background, the JavaScript transmitted the credentials to the attackers via a redirector, also hosted by an external cloud provider.
Read more: Microsoft Disrupts Large-Scale, Cloud-Based BEC Campaign | Threadpost
|