Microsoft disrupted this large cloud-based business email scam operation

Microsoft uncovers how scammers used phishing and email-forwarding rules to target businesses' financial information.

Business email compromise (BEC) is a huge and profitable scam, but Microsoft has put a dent in one operation by taking down its cloud infrastructure. 

To counter these scammers, Microsoft has enlisted its Digital Crimes Unit to tackle the infrastructure they use. Just like other businesses, BEC scammers have moved to the cloud to run operations, but Microsoft claims its investigators have disrupted one large BEC group that was using major cloud providers. 

While ransomware is grabbing headlines, BEC remains the single most expensive cybercrime problem for American business. The FBI recently reported that Americans lost over $4.2 billion to cyber criminals and scammers in 2020. BEC was by far the biggest cause of reported losses, totaling $1.8 billion across 19,369 complaints. 

SEE: Network security policy (TechRepublic Premium)

In this case, the scammers used cloud-based infrastructure to compromise email accounts through phishing, and then added email-forwarding rules to those accounts, giving the attackers access to emails about financial transactions. 

The attackers also used several techniques to thwart investigators' efforts to uncover their activities and infrastructure. 

"The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation," Microsoft security researchers explain. 

Microsoft notes that BEC attacks are difficult to detect because they generally don't pop up on a defender's alert list and instead blend in with legitimate network traffic. 

Microsoft is promoting its ability to detect BEC crimes because of its gigantic cloud business across Azure and Microsoft 365, which gives it visibility into email traffic, identities, endpoints, and cloud. 

"Armed with intelligence on phishing emails, malicious behavior on endpoints, activities in the cloud, and compromised identities, Microsoft researchers connected the dots, gained a view of the end-to-end attack chain, and traced activities back to the infrastructure," Microsoft said. 

Microsoft correlated the targeted BEC campaign to a prior phishing attack, which gave the attackers credentials and access to victims' Office 365 mailboxes. It notes that enabling multi-factor authentication can prevent these phishing attacks. 

Its researchers found that before the attackers created email-forwarding rules, the email accounts received a phishing email with a voice message lure and an HTML attachment. The emails came from an external cloud provider's address space. 

The phishing campaign duped users by creating a false but realistic-looking Microsoft login page with the username already populated, and used a JavaScript script to capture and forward the stolen passwords. 

The forwarding rules were fairly simple. Basically, if the body of the email contained the words "invoice", "payment", or "statement", the compromised accounts were configured to forward the emails to the attacker's email address. 

SEE: This new ransomware group claims to have breached over 30 organisations so far

While the attackers used different cloud infrastructure to conceal their activities, Microsoft found some common elements in the user agents, such as that the forwarding rules were created with Chrome 79 and that they used rules to not trigger an MFA notification when logging into a Microsoft account. 

"Credentials checks with user agent "BAV2ROPC", which is likely a code base using legacy protocols like IMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an "invalid_grant" in case MFA is enabled, so no MFA notification is sent," Microsoft notes. 

As its research uncovered that attackers abused cloud service providers to perpetrate this campaign, Microsoft reported its findings to the cloud security teams for these providers, who suspended the offending accounts, resulting in the takedown of the infrastructure.