Business email compromise can be a prelude to a range of attacks, but commonly it is either ransomware or scammers. In this post we are focusing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email conversation, with the aim of attempting theft by fraudulently altering a wire transfer so that the third party sends funds to the scammers rather than to the victim. There are clearly other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).
To gain access to the mailbox a range of techniques can be employed, including:
- Credential stuffing
- Phishing and credential harvesting
Once they have your logon credentials, they will then attempt to access your mailbox.
Avoiding Geo Location Alerts
A scammer may use a public VPN service (such as those offered by AVAST etc.) to move their internet connection into the target mailbox’s region. They can usually locate a person through some OSINT.
By moving to the normal area of the user they are less likely to trip geo location alerts.
A common tactic is to configure a mail forwarding rule that sends all email to an external mailbox. This is, however, a more legacy tactic; as businesses lock down their environments and block external forwarding, scammers are now employing tactics like the following instead.
Once mailbox access is achieved, they create an Outlook rule that moves emails (from specific domains) to a mailbox folder such as “RSS Subscriptions”. So, the exact rule may look like this:
For emails belonging to domain [x].com, mark the items as read, then move them to the “RSS Subscriptions” folder.
Once this has occurred, the threat actor/scammer is able to read your emails and can choose to tamper with, reply to, delete, forward or simply move them into your inbox (and mark them as unread), so they can become you and engage with either the mailbox owner or the downstream target. Often they will look for invoice and payment related content and attempt to divert funds from a business transaction into their own accounts.
The first element is initial access: to succeed, the scammers must gain access to a set of credentials, so there will have to have been credential theft. Phishing emails, whilst some are fairly convincing, usually stand out. If you think it is a phish, or you have been phished, contact your IT/Security team ASAP. Another strange occurrence will be that emails appear to be entering your inbox slowly or with a delay. Report strange activity to your IT/Security team.
Preventing and detecting BEC is easy to do in theory but harder to implement in a lot of organisations. Controls you should look to implement are:
- Deploy Multi-factor Authentication
- Configure Conditional Access
- Block standard user PowerShell access
- Disable email forwarding
- Monitor for email rule creation
- Enable mailbox auditing
- Enable eDiscovery to understand if the mailbox contains risky content
- Train users on phishing tactics and reporting processes
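The “monitor for email rule creation” control above, applied to the folder-hiding rule described earlier: an added example, not code from the original post, that scans inbox-rule audit records and flags the ones that show BEC tradecraft (external forwarding, moving mail to a folder the owner never looks in, marking it as read first, deleting it). The record layout is assumed to approximate the Unified Audit Log AuditData JSON, the tenant domain example.com and every sample value are constructed.

```python
import json

# Constructed sample records shaped like the "AuditData" JSON Exchange Online writes to the
# Unified Audit Log for inbox-rule operations (assumed format; parameter names follow the
# New-InboxRule cmdlet, every value is invented).
SAMPLE_AUDIT_DATA = [json.dumps(r) for r in [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "FromAddressContainsWords", "Value": "supplier.example"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "fwd"}, {"Name": "ForwardTo", "Value": "x@attacker.example"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "News"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]]
INTERNAL_DOMAIN = "example.com"  # assumption: the tenant's own mail domain
# Folders the owner rarely opens, so mail parked there is effectively hidden from them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
EXFIL_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def classify_rule(audit_json):
    """Return the reasons an inbox-rule audit record looks like BEC tradecraft ([] if benign)."""
    record = json.loads(audit_json)
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    for action in EXFIL_ACTIONS:  # mail leaving the tenant
        if action in p and not p[action].lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{action} to external address {p[action]}")
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to hiding folder '{folder}'")
        if p.get("MarkAsRead", "").lower() == "true":
            reasons.append("marks it as read first, so no unread count gives it away")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    return reasons

def find_suspicious_rules(audit_records):
    """Return (user, client IP, reasons) for every record that trips a check."""
    hits = []
    for raw in audit_records:
        reasons = classify_rule(raw)
        if reasons:
            rec = json.loads(raw)
            hits.append((rec["UserId"], rec["ClientIP"], reasons))
    return hits
```

Each hit carries the client IP so the rule creation can be matched against the logon that preceded it.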
Real Life Control Implementation Challenges
One thing you will notice is that to achieve these there are some operating changes that are required:
- MFA requires implementation and this will need leadership support and commitment, as it will fundamentally change the user experience. This control often has pushback until there is a breach, then suddenly everyone green lights it (get ahead of the pack: if your IT/sec team are requesting this is enabled there is a reason why, it is to help you).
- Conditional access rules are great, but again they will change the user experience.
- Mailbox auditing is great, but you need to have a security E5 license in Office 365 for this. There are also limitations on retention so bear this in mind.
- Training is important, but it takes staff away from their normal business, so it will often be given a low priority or simply not happen at all.
The potential business impacts of BEC can include:
- Brand Damage
- Direct Financial Loss
- Reputation Damage
- Legal and Regulatory Costs
- Response Costs
- Business Productivity Impact Costs
- Loss of Revenue
So, do not take this lightly. It might not be the most sophisticated threat, but it will still hurt you in the wallet!
Real Life Incident Response Challenges
Many orgs do not have the aforementioned controls; as such, unauthorised mailbox access is a challenge from a DFIR perspective (even with all the tools):
- The audit log review and analysis process for BEC is not a two-minute task
- Identifying good/bad logons is not an easy task
- Matching logons to mail data access is not simple
- Understanding the impact of mailbox access is difficult
- People often store all kinds of data in mailboxes that they should not
- Many organisations do not have good business incident response plans (if any at all) so regardless of technical approach the business response can be problematic
Business Email Compromise (BEC) is a real pain; it is not highly complex to conduct from an offensive perspective, but it can be devastating, not only in direct financial impact but also in indirect impact. It is key that business owners and leadership do not just leave this up to the IT team, because it’s something which impacts the business, isn’t just an IT or security team issue, and the response requires business co-ordination that really isn’t just up to IT to fix.