BEC Phishing Campaigns Bypass MFA, Target Office 365 Executive Accounts

Researchers observed an increase in business email compromise phishing campaigns able to bypass MFA, while Trend Micro found an uptick in BEC scams targeting executive Office 365 accounts.

By Jessica Davis

Entities should be on the alert for an increase in two business email compromise campaigns. One report found an increase in BEC phishing campaigns targeting the Microsoft Office 365 accounts of executives, while the other reported a spike in phishing campaigns bypassing multi-factor authentication and conditional access.

The first report from Trend Micro sheds light on a phishing campaign launched by hackers called Water Nue, which uses spear-phishing attempts on Office 365 accounts to target executives. Researchers found more than 1,000 companies around the world have already been targeted since March 2020. 

The most recent campaigns focus on senior leaders from both the US and Canada, targeting financial executives in an effort to obtain credentials for attempted fraud. Trend Micro first detected the campaign in a large group of email domains used in phishing attempts. 

To accomplish this, the hackers redirect users to fake Office 365 login pages, and when the user logs in, the credentials are recorded using a PHP script. 

Once the attacker has successfully compromised the accounts and obtained the credentials, they use the account to send emails containing malicious invoice documents with tampered banking information in hopes of directing money to the cyber criminals via fund transfer requests. 

The majority of the recipients hold high corporate positions. In one example, the account of a bank's senior executive sent a fake PDF invoice to a colleague. The email was sent through an IP address used by the attacker to test functionality. 

Further, the threat actor was observed switching to new infrastructure whenever a domain used in the attacks was reported or blacklisted. They’re also using cloud-based email distribution services to deliver mail containing malicious links that redirect victims to fake Office 365 pages.

“The threat actor behind this campaign is interesting for several reasons. It appears that their technical capabilities are limited despite being able to successfully target high-level employees globally,” researchers wrote.  

“While their phishing tools are basic (i.e., no backdoors, trojans, and other malware), they made use of public cloud services to conduct their operations,” they added. “The use of cloud services allowed them to obfuscate their operations by hosting infrastructures in the services themselves, making their activities tougher to spot for forensics.” 

So far, the phishing campaign has gathered the credentials of more than 800 company executives. 

Attacks Bypassing MFA, Conditional Access 

Meanwhile, a report from Abnormal Security detailed an uptick in overall BEC campaigns, which are credited to hackers successfully bypassing conditional access controls and multi-factor authentication. Notably, previous Microsoft research showed MFA blocks 99.9 percent of automated attacks. 

Researchers noted that many enterprises believe MFA provides full protection from account takeovers, but in reality this mindset leaves the organization vulnerable to “these rare but costly events.”

The report found a common pattern in the recent surge of these attacks: The hacker immediately switches to a legacy application after they are blocked by MFA. Most credential stuffing campaigns leverage legacy applications like IMAP4 to ensure MFA does not hinder the attacks. 

Further, even when conditional access policies are in place to block all legacy app access, researchers still found hackers successfully taking over accounts, bypassing the policy simply by obscuring the name of the app used.

For example, in one instance an attacker initially attempted to sign in with a legacy application and was blocked by conditional access. The hacker waited a few days and tried again, obscuring the app information to successfully gain access to the account.

“This example demonstrates that while most account takeover attempts utilize brute-force attacks and password spraying techniques, some attackers are methodical and deliberate,” researchers wrote. “These attackers are able to gain access to accounts even with the most secure protocols in place.”  

Researchers stressed that while MFA and other authentication protocols provide advanced access security, many common – and often legacy – applications don’t support modern authentication. Those apps include iOS Mail on iOS 10 and older.

“Legacy email protocols, including IMAP, SMTP, MAPI and POP, do not support MFA, making it possible for attackers to easily bypass MFA using these legacy applications,” researchers explained. “This means that it is not possible to enforce MFA when a user signs into their account using one of these applications.” 

And while many Office 365 licenses allow administrators to configure conditional access policies, a way to increase security by barring access from legacy applications (often targeted in password-spraying campaigns), researchers stressed these tools have some weaknesses and drawbacks.

Namely, conditional access isn’t included with all licenses, meaning some enterprises are unable to protect against these types of attacks. And legacy applications are widespread in most enterprises, especially in the healthcare sector. 

Legacy access is enabled by default in O365 and completely barring legitimate access using these applications is disruptive to the workforce. Even if an enterprise has employed conditional access to block legacy apps, researchers found hackers are still able to access accounts by obscuring the app used in the attacks. 

“To avoid this, Microsoft recommends first examining the sign-in logs to determine which users are not using legacy applications and applying the Conditional Access policy to them only,” researchers explained. “Of course, this leaves those who do use these applications vulnerable.”

“Attempting to apply legacy blocking based on the platform creates another known vulnerability: the platform is determined by Microsoft based on the user agent, which is very easy to falsify,” they added. “Attackers simply have to cycle through user agents until they find one with more lax access policies that are easier to bypass.” 
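One way to act on the sign-in log review Microsoft recommends above (find which users actually rely on legacy clients before applying a block-legacy-auth policy) and to spot the “blocked, then back a few days later with obscured app details” pattern Abnormal Security describes. This is an added example, not code from the article or from either vendor; the record fields follow Microsoft Graph sign-in log entries (an assumption about naming), and the log lines are constructed for the demonstration.

```python
import json
from datetime import datetime, timedelta

# Client app names Azure AD reports for protocols that cannot complete MFA
# (assumption: the values seen in the Graph signIn "clientAppUsed" field).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                      "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
                      "Exchange ActiveSync", "Other clients", "Unknown"}

# Constructed sign-in records (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"createdDateTime":"2020-08-03T09:12:00Z","userPrincipalName":"cfo@example.com","clientAppUsed":"Browser","conditionalAccessStatus":"success","status":{"errorCode":0},"ipAddress":"198.51.100.7"}
{"createdDateTime":"2020-08-03T09:20:00Z","userPrincipalName":"cfo@example.com","clientAppUsed":"IMAP4","conditionalAccessStatus":"failure","status":{"errorCode":53003},"ipAddress":"203.0.113.9"}
{"createdDateTime":"2020-08-06T02:41:00Z","userPrincipalName":"cfo@example.com","clientAppUsed":"Other clients","conditionalAccessStatus":"notApplied","status":{"errorCode":0},"ipAddress":"203.0.113.9"}
{"createdDateTime":"2020-08-04T08:00:00Z","userPrincipalName":"nurse@example.com","clientAppUsed":"Exchange ActiveSync","conditionalAccessStatus":"notApplied","status":{"errorCode":0},"ipAddress":"192.0.2.5"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-ins, attaching a datetime as 'ts'."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def legacy_auth_users(records):
    """Map each user to the legacy clients they signed in with successfully;
    users absent from the result can go under a block-legacy-auth policy."""
    users = {}
    for r in records:
        if r["clientAppUsed"] in LEGACY_CLIENT_APPS and r["status"]["errorCode"] == 0:
            users.setdefault(r["userPrincipalName"], set()).add(r["clientAppUsed"])
    return users


def blocked_then_back(records, window=timedelta(days=7)):
    """Flag a Conditional Access block followed within `window` by a successful
    sign-in for the same user via a legacy/unclassified client. Returns
    (user, client app, whether the source IP matched the blocked attempt)."""
    hits = []
    ordered = sorted(records, key=lambda r: r["ts"])
    for i, blocked in enumerate(ordered):
        if blocked["conditionalAccessStatus"] != "failure":
            continue
        for later in ordered[i + 1:]:
            if (later["userPrincipalName"] == blocked["userPrincipalName"]
                    and later["status"]["errorCode"] == 0
                    and later["clientAppUsed"] in LEGACY_CLIENT_APPS
                    and later["ts"] - blocked["ts"] <= window):
                hits.append((later["userPrincipalName"], later["clientAppUsed"],
                             later["ipAddress"] == blocked["ipAddress"]))
    return hits
```

On the constructed log, `legacy_auth_users` reports the CFO (via the unclassified "Other clients" sign-in) and the nurse (ActiveSync), and `blocked_then_back` flags the CFO account: an IMAP4 attempt blocked by policy, then a successful sign-in three days later from the same address with the client obscured.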

Defense and Mitigation 

Previous Barracuda Networks research found BEC attacks account for just 7 percent of spear-phishing attacks. However, researchers warned that the targeted nature of these phishing emails makes these attacks three times more effective than traditional phishing schemes. Much of that success is attributed to the highly targeted nature of these attacks.

In light of the potential impact, Trend Micro shared indicators of compromise (IoCs), threat actor managed URLs, and MITRE ATT&CK matrix mapping, as well as a host of recommendations for defense and mitigation tactics.

Administrators must educate and train employees, including C-suite executives. Training should cover the different types of scams and how to respond to expected encounters, including double-checking with other team members and verifying the email details. 

Financial requests should be confirmed through other channels following a verification system that includes multiple signoffs or other verification protocols, especially for employees working with sensitive or valuable information. 

All emails should be scrutinized for suspicious content, such as a dubious sender email, domain name, formatting, urgent requests, and even writing style. 

“In the case discussed here, the attacker email itself does not include the typical malware payload of malicious attachments,” researchers wrote. “As a result, traditional security solutions won’t be able to protect accounts and systems from such attacks. Users can also turn on mail inspection for sender 'sendgrid[.]net' in the email gateway.”